Smartphone maker OnePlus has been accused of setting its devices up to send sensitive user data back to the company - without seeking users' consent or being upfront about its data-slurping activities.
The accusations were detailed in a blog post by security researcher Christopher Moore. After setting up a security tool called OWASP ZAP on his OnePlus 2 handset, he noticed HTTPS requests being sent to a domain called open.oneplus.net, which further redirected the traffic to a US-based Amazon AWS server.
As well as hoovering up details such as users' phone and IMEI numbers, MAC addresses and mobile network names, Moore revealed that OnePlus was collecting timestamped details such as when the user locked the device and when apps were opened and closed.
"They're collecting time-stamped metrics on certain events, some of which I understand - from a development point of view, wanting to know about abnormal reboots seems legitimate - but the screen on/off and unlock activities feel excessive," he claimed in his blog.
"At least these are anonymised, right? Well, not really - taking a closer look at the ID field, it seems familiar; this is my phone's serial number."
Moore states that the code responsible for this data collection is part of the OnePlus Device Manager and OnePlus Device Manager Provider. Thankfully, Twitter user Jakub Czekanski tweeted that the data transmission can be disabled permanently using the ADB tool, with USB debugging enabled on the device.
"@chrisdcmoore I've read your article about OnePlus Analytics. Actually, you can disable it permanently: pm uninstall -k --user 0 pkg" - Jakub Czekański (@JaCzekanski), October 10, 2017
However, there's a chance that doing this could break other functionality of the system, since Device Manager could be responsible for other tasks.
OnePlus doesn't seem to consider its unconsented data collection a big issue and shrugged off the accusations in a statement.
"We securely transmit analytics in two different streams over HTTPS to an Amazon server. The first stream is usage analytics, which we collect in order for us to more precisely fine-tune our software according to user behaviour," the firm said.
"This transmission of usage activity can be turned off by navigating to 'Settings' -> 'Advanced' -> 'Join user experience program'. The second stream is device information, which we collect to provide better after-sales support."