OnePlus is reportedly pulling a substantial amount of user data from its devices, based on information provided by Christopher Moore, who posted the details to his security blog after discovering the issue with a OnePlus 2 smartphone. The sum of the posting is that OnePlus is said to be collecting core personal device information, such as IMEI numbers, MAC addresses, mobile network names, IMSI prefixes, ESSID, BSSID, device serial numbers, and phone numbers. It also seems that this is not a new thing as Moore originally posted the details on this back in June of 2017. Although it seems to have only recently come to wider attention following an update by Moore to the original post this week.
If all that was not enough, Moore notes OnePlus devices also seem to be sending back user experience data as well. Moore sums this up best by explaining devices are relaying app user information back to OnePlus including which apps the user is opening, how long they spend in the apps, as well as information relating to some of the user actions made within the apps. Which is all in addition to other user-based info such as when a device is locked, unlocked, and so on. Now, it should be expected that some information for troubleshooting (and avoidance of issues) will be in effect, as it is for all device manufacturers and software developers, and the device tested here does also seem to be relaying much of that normal user information. However, the point Moore makes is that not only is OnePlus seemingly pulling much more information than would be expected, but some of this information can be directly tied back to the user. Thereby, this is assumed to be information that is not necessarily being pulled anonymously.
Of course, there is nothing to say that OnePlus is using any of this information for any untoward reasons, or even storing it in any shape or form. However, the fact that the information is seemingly being pulled, could be enough of a concern for those worried about privacy and the security of their information in general. Moore has reached out previously (as far back as January of this year) to OnePlus via social media to try and find out if there is a way the feature can be disabled so that it is not sharing as much info as it currently is, although it seems OnePlus has yet to fully provide an answer to that question. However, it is worth noting that @JaCzekanski on Twitter more recently explained that the app pulling the data (OnePlus Device Manager) can be disabled via ADB (regardless of root) with a simple command. For details on the process, as well as the full description on what Moore has found, head through the link.
Chris's Security and Tech Blog