A report has just surfaced, highlighting the indiscretions of OnePlus software. A lot of information is apparently sent to the Chinese brand.
At the beginning of the year, a security specialist discovered that his OnePlus 2 was very indiscreet. Passed unnoticed when it was published in June, its analysis comes out a few months later and makes more noise in view of the revelations that emerge.
As part of another project, Christopher Moore closely examined the internet traffic coming out of his smartphone and was marked by packets sent to the open.oneplus.net address. He decided to take an interest in knowing what information was being transferred.
And first problem: it arrived there very easily since the information thus sent is only encrypted in Base64, that simple sites offer to decode in one click. Any hacker intercepting these packets (which can easily be done if you are on a public WiFi network for example) can therefore recover all the information easily.
A very indiscreet system
Looking more closely at the content of the packets sent, Chris Moore discovered some obvious debugging items, such as abnormal restart reports. However, they are accompanied by other stranger data, such as the exact time each time the screen is turned on and off.
But digging deeper, Chris realized that OxygenOS shares more than that. By examining the code of the files transferred to the OnePlus server, he saw his IMEI, his MAC address or his IMSI, unique identifiers of the phone, but also its phone number, the SSID of its WiFi network.
Going even further in the review, the security expert was dismayed to see that his phone also shared the exact time of opening and closing of its applications, and sometimes even a detailed report of activities within an application (launching a tab in Chrome, activating WiFi in settings, etc.).
A lot of data?
The analysis goes even further as Christopher Moore was able to locate the process behind sending these packages: OnePlus System Service. In his case, the process shared 16 MB of data in about 10 hours, which is huge. As the FrAndroid editorial team includes several users of OnePlus 5, we have personally verified how much data passes through the OnePlus Systeme Service application. If the result is slightly lower, it still remains close to 8 MB in 210 hours, which corresponds to a significant amount of information.
In order to know more, we have asked OnePlus for clarification on this point and we are waiting for an official response for the moment.
What to do ?
When in doubt, those who like to hack can always put their hands in the grease to preserve a little more their privacy. By rooting the phone, it is possible to disable a process while the installation of a custom ROM will also terminate these transfers.