UPDATE: This story was updated on Oct. 16, following an announcement from OnePlus to redesign its data collection to an opt-in format.
OnePlus devices are, by and large, things of beauty. The Shenzen-based company produces smartphones that hew extremely closely to a stock Android build, but without the exorbitant price tags of their Google Nexus or Pixel counterparts.
There’s only one problem: OnePlus phones may be invading your privacy by sending revealing data back to Chinese servers, and while there's a fix, it may be daunting for users who aren't technically skilled.
This information comes from Chris Moore, an engineer for Redgate, a Cambridge, England-based software developer. Moore was testing his OnePlus 2 phone for unrelated security research when he found something interesting: His phone was directing traffic back to a domain called “open.oneplus.net.”
A little bit of additional digging revealed that the server was one of OnePlus’s own. (While Moore tested this on a OnePlus 2 phone, other users have replicated it on a OnePlus 3; it likely affects a variety of phones from the manufacturer running the company's OxygenOS fork of Android.)
How to Stop OnePlus Data Collection
If you want a surefire way of preventing your OnePlus phone from sharing plain-text data with its parent company, you’ll have to do a bit of Android programming legwork — but you won’t have to root your phone, as Moore initially thought you might.
The forum Hacker News explains how to do it in detail. First, you need to enable USB debugging in your phone’s settings (it’s under Developer Options). Then, connect your phone to your computer via USB and install the Android Debug Bridge software.
If this is your first time using ADB, there will be some trial-and-error as you ensure everything is configured correctly, but if you follow the instructions on the ADB website, you should be good to go. Then, simply copy, paste and execute the following commands from the Hacker News forum, which will uninstall the OnePlus trackers manually:
$ adb start-server
$ adb shell
> pm uninstall -k --user 0 net.oneplus.odm
Oodles of Information
Moore found that the OnePlus server would periodically collect data about his phone, including the IMEI and IMSI (the handset and SIM card unique identifiers, respectively), the phone number, MAC addresses (unique identifiers for network ports), mobile network names and wireless network names. These are all potential security and privacy risks, but they're also the kind of thing that phone makers regularly collect in case they need to remotely troubleshoot problems with a handset.
However, it gets even more unnerving. The remote OnePlus server also collected information on when Moore opened and closed Android apps, locked or unlocked his phone and even turned the screen on or off.
To be fair, as long as this data stays with OnePlus, there’s no risk to the end user. What’s unsettling, however, is that Moore discovered that the data was not anonymized at all. A malicious actor who got his or her hand on the data could easily see everything about a user's smartphone usage (assuming that OnePlus does not implement additional security protocols after it collects the data, that is).
Moore couldn’t find a way to stop the phone from collecting information, but a Polish programmer named Jakub Czekański got in touch with him on Twitter and suggested the above workaround.
OnePlus Offers Another Workaround
We contacted OnePlus to see if the company was aware of the problem. A representative assured us that the data transmitted was actually secure, moving in two streams to an HTTPS-enabled Amazon server.
The first stream, the representative said, contained analytics — perhaps the app-usage information Moore pointed out. OnePlus recommended disabling this stream, if desired, by going to Settings --> Advanced and toggling off the "Join user experience program" option.
The second stream, the OnePlus rep added, was just device information, which was not shared with outside parties.
I was unable to verify for myself whether the OnePlus recommendation actually stopped the transmission of user data, but there’s no indication that what OnePlus said is untrue. Still, uninstalling the telemetry through ADB seems like the more absolute option.
Bubbling Under for a Year
Interestingly, Moore is not the first person who found this OnePlus transmission. Back in July 2016, a software developer called Tux pointed out the same thing on Twitter, and even posted a complete record of his findings to Pastebin. The following month, another developer who contributed to the Android developers' blog XDA-Developers chronicled the same issue.
Why the story never took off until now is anyone’s guess, but if this is as much of a privacy and security risk as it seems, OnePlus has let it go unaddressed for a long time.
More information will probably come out over the next few days, as security researchers attempt OnePlus’s fix for themselves and see how it affects data transmission. In the meantime, you might want to run the ADB script. OnePlus is almost certainly not going to do anything nefarious with your data, but as we’ve seen before, no manufacturer’s security is ironclad.
UPDATE: OnePlus Promises a Solution
In a post to the OnePlus forums on Friday, Oct. 13, company co-founder Carl Pei promised changes to how its devices collect data, and offered a solution. After stating that OxygenOS devices collect two kinds of data (usage analytics and device information), Pei re-iterated the advice that a OnePlus rep originally told us: that users can stop sending usage data by opening the Settings app, tapping Advanced, tapping Join user experience program and changing the setting there.
Pei promised that the company has never shared user data with "outside parties" and that it only uses this data to improve the customer experience. He also stated that "by the end of October, all OnePlus phones running OxygenOS will have a prompt in the setup wizard that asks users if they want to join our user experience program," suggesting that users will need to opt into the program.
Lastly, he noted that the OxygenOS devices will "no longer be collecting telephone numbers, MAC Addresses and WiFi information." The co-founder followed that statement by declaring that OnePlus takes privacy seriously, although promising to delete the already-collected personal information would have helped some believe that the company truly values privacy.