Christopher Moore, a software developer, has revealed his findings on the data collection practices of OnePlus. In Hack Challenge, Moore used OWASP ZAP to view the internet traffic from his OnePlus 2 phone. In that traffic he noticed a large number of requests to open.oneplus.net.
When he investigated further, he discovered that the domain name points to an Amazon AWS server belonging to OnePlus. He also later learned that his phone continuously sends data to the open.oneplus.net server via HTTPS.
He successfully decrypted the data using an authentication key on his phone and found that his OnePlus 2 sent information such as when the phone rebooted unexpectedly and when the phone was locked and unlocked.
Collecting reboot-related data does make sense, since it helps developers fix bugs. However, as Moore notes in his blog, recording how many times the user locks and unlocks the phone is overkill.
Not only that, he found that his phone also sends information such as the IMEI number, mobile number, MAC address, mobile network name, WiFi information and phone serial number. All this data is sent each time the user opens an app.
When asked to comment on this, OnePlus said, "We send analytical data, divided into 2 types, securely via HTTPS to Amazon servers. The first type is the usage analytics, which we collect to fix our software according to user habits. Transmission of this usage activity can be turned off through Settings -> Advanced -> Join user experience program. The second type is device information, which we gather to provide better after-sales support."