OxygenOS Telemetry Lets OnePlus Tie Phones To Individual Users (bleepingcomputer.com) 164
An anonymous reader quotes a report from Bleeping Computer: OxygenOS, a custom version of the Android operating system that comes installed on all OnePlus smartphones, is tracking users actions without anonymizing data, allowing OnePlus to connect each phone to its customer. A security researcher going by the pseudonym of Tux discovered the abusive tracking in July 2016, but his tweet went largely unnoticed in the daily sea of security tweets sent out each day. The data collection issue was brought up to everyone's attention again, today, after British security researcher Christopher Moore published the results of a recent study on his site.
Just like Tux, Moore discovered that OxygenOS was sending regular telemetry to OnePlus' servers. This is no issue of concern, as almost all applications these days collect telemetry data for market analytics and to identify and debug application flaws. The problem is that OnePlus is not anonymizing this information. The Shenzhen-based Chinese smartphone company is collecting a long list of details, such as: IMEI code, IMSI code, ESSID and BSSID wireless network identifiers, and more. The data collection process cannot be disabled from anywhere in the phone's settings. When Moore contacted OnePlus support, the company did not provide a suitable answer for his queries.
Just like Tux, Moore discovered that OxygenOS was sending regular telemetry to OnePlus' servers. This is no issue of concern, as almost all applications these days collect telemetry data for market analytics and to identify and debug application flaws. The problem is that OnePlus is not anonymizing this information. The Shenzhen-based Chinese smartphone company is collecting a long list of details, such as: IMEI code, IMSI code, ESSID and BSSID wireless network identifiers, and more. The data collection process cannot be disabled from anywhere in the phone's settings. When Moore contacted OnePlus support, the company did not provide a suitable answer for his queries.
Re: (Score:2)
Yeah, because that's something that I'm going to expect my mother to do. And fandroids can't figure out why millions of people line up to buy iPhones.
Re: (Score:1)
We already know that it's because of environmental lock-in and Keeping Up With the Jones'. People seem to forget that iOS still has plenty of security issues and that Apple collects nearly as much data as Google does.
Re: (Score:2)
Good job completely missing the point.
Re: (Score:2)
Oh, that's right, Android is Linux, and Linux can do no wrong. If this was was Windows or Mac OS, the outrage here would be massive.
Not only is privacy dead, but the demand for privacy is as well.
Social media addiction has created a world full of narcissists who will gladly share every detail of their lives, and not care at all about inherent risk or impact.
This has fuck-all to do with the OS.
Re: (Score:1)
Not only is privacy dead, but the demand for privacy is as well.
Social media addiction has created a world full of narcissists who will gladly share every detail of their lives, and not care at all about inherent risk or impact.
This has fuck-all to do with the OS.
It's a goal of the 1984 blueprint.
Re: (Score:3, Insightful)
Not only is privacy dead, but the demand for privacy is as well.
Social media addiction has created a world full of narcissists who will gladly share every detail of their lives, and not care at all about inherent risk or impact.
This has fuck-all to do with the OS.
Some people don't care, but a lot of people do. And while the internet is an inherently non-private place, even the over-sharers are not expecting their credit card information to be exposed for the world to see. Or that bulk pack of dildos they ordered.
Regardless, these over-sharers were not created by social media, it merely gave them a fine outlet, and hey, who wouldn't be interested in your relative's new clit ring or ostomy bag? I have one relative on FB who approaches that level of oversharing. But
Re: (Score:1)
Not only is privacy dead, but the demand for privacy is as well.
Social media addiction has created a world full of narcissists who will gladly share every detail of their lives, and not care at all about inherent risk or impact.
This has fuck-all to do with the OS.
Some people don't care, but a lot of people do.
I challenge you to find even 10 people you know who don't carry around a personal tracking device (smartphone), and refuse to use free (in exchange for privacy) apps. There are far less people than you assume who still care about privacy.
And while the internet is an inherently non-private place, even the over-sharers are not expecting their credit card information to be exposed for the world to see. Or that bulk pack of dildos they ordered.
The utter lack of action that victims take once their credit card or purchasing detail is exposed says a lot as to just how much the over-sharers don't give a shit about privacy. Victims hardly ever change their habits as a result of being a victim. They get pissed when
Re: (Score:2)
Can you? It's specifically talking about that OS and the phone hardware. Is the phone hardware rootable so that installing another OS image can be done? Is it a burdensome task to do, which a non-IT person could easily do?
"Just install another OS" is a great dismissal of a problem if it's actually something most normal people can figure out without bricking their phone or getting frustrated at having to type in multiple long commands. Most anyone around here already knows that you can root and install a
Re: (Score:1)
Can you? It's specifically talking about that OS and the phone hardware. Is the phone hardware rootable so that installing another OS image can be done?
Not that this takes away from the seriousness of the tracking issue, but on this one specific point not only can you root OnePlus phones, OnePlus provide information on how to do so [androidauthority.com].
Re: (Score:3, Informative)
The SoC has a Wifi MAC and maybe a PHY. However as the OP pointed out 'Generally, the wifi chips donâ(TM)t even have network stacks on them. They operate at layer 1/2, and just forward packets back and forth to the hostâ(TM)s network stack'. Spying needs to sit on top of the network stack.
So on an Android device you've got a Linux kernel with TCP/IP sending packets to a network device in the SoC. The spyware is probably running up in user mode where the GPL doesn't apply anymore. Google went to gr
Re: (Score:2)
Everyone's already jumped in, but I'll also add that collecting telemetry data can sometimes slow things down to a crawl. I'm personally more worried about unnecessary use of computing resources than collecting metadata - it directly impacts my bottom line in buying more powerful hardware to compensate.
Re: (Score:1)
And your proof is where exactly?
Re: The elephant in the room .... (Score:1)
The vigorous response you got from the 50 Cent Army suggests you may need right about the elephant in the room.
Re: The elephant in the room .... (Score:2)
I wrote some free software yesterday, as part of my paid job. Because it's easier, faster, and cheaper for us to use Free Software than to roll our own. And when we need to fix/improve something, we contribute it back. Not only because it's the morally right thing to do. But also because maintaining unsupported private forks is a security nightmare.
Re: (Score:1)
Open Source can be a security nightmare too. The simple fact is it is much easier to find and fix but also to exploit bugs when you have the source code. You simply cannot argue that it's better because it's easier to find and fix bugs while ignoring the fact that it is equally easy to find and exploit them. Yes in a perfect world where all hackers are white hat hackers, everybody is vetting everybody else's code and there's nobody malicious then open source would unquestionably be the right choice but the
Re: (Score:2)
Citation needed for the claim that security through obscurity works.
No citation needed, just common sense. It works, but only relatively better and not absolutely. If you can literally look at the code and find the bugs, it's easier to find an exploit bugs - without the code, you have to guess and check at where bugs might be.
Re: (Score:2)
I have never found a security bug in someone else's code by looking at code--everyone else is a better programmer than I.
A great many security researchers find their bugs by fuzzing. EternalBlue amazes some folks in the exploit development sphere but, even as a non-exploit-developer, it's pretty simple to me: the researchers looked at a thing they could make happen and, given other things that they could make happen, worked out what information they could derive from each part. Then they had tools whic
Root Phone (Score:4, Interesting)
It seems that regulations are required to ensure end users can readily gain root control of their phones to enable a full range of settings to be altered to ensure their digital right to privacy and control of their property. All phone manufacturers should be required to provide software to enable any customer to gain root control of their phone, else that phone can not be connected to networks in the country.
Re: Root Phone (Score:2)
Afaik it's illegal (under CALEA, maybe others) to sell a privacy-respecting cellphone in America.
Re: Root Phone (Score:2)
Oh my brother, I believe you need to read the CALEA implementing regulations.
Re: (Score:2)
Didn't they name the citation that you required? Go read it.
Re: (Score:2)
Actually, the Librarian has ordered all phones unlockable for free to install custom images. Just get a OnePlus 5 and install Resurrection Remix or LineageOS.
But it is open source (Score:2, Funny)
It has to be more secure than iOS since it is based on open source Android OS.
Re: (Score:2)
Windows 10 telemetry... anonymized... oh, the horrors!
Android (Linux) telemetry... not anonymized... it's okay, we'll look the other way
Not even close. I object to telemetry you can't disable equally on all platforms. Android or Linux doesn't get a pass on this.
don't opt in in (Score:2)
If you wan't privacy, don't opt in.
(At least google is giving an opt in)
Welcome to the Brave New World
A shame (Score:3)
OnePlus manufacture some dam nice phones, and OxygenOS was stock android with just the right amount of custom tweaks. I'm now happy i didn't pick up a OP5.
Re: (Score:2)
I have been thinking about getting the next model but this news certainly drives me back to Nexus/Pixel or better, the Purism phone.
Among others it promises pure open source Debian-derived Linux and hardware switches on the camera and microphone.
As a matter of fact, now I'll contribute to it's development: https://puri.sm/shop/librem-5/ [puri.sm]
Oh yes, about the 'Linux is to blame' troll(s), it's not the Linux part that's at fault here, it is One+ their Oxyg
Re: (Score:2)
I own a OP3 as well, and this is definitely the steel beam that broke the camel's back. It'll be the only one I buy.
At this rate, though, I'm thinking my next phone will be a cheap candybar if I can find one (didn't someone say they were bringing back the Nokias?). I got into One+ because of the promises of (almost) stock android and getting timely updates and now that I've had it for a while, I've come to the conclusion that I was honestly happier with my previous HTC Evo that never got an upgrade past a
Re: (Score:2)
I'm still rocking a OP1 and still running Cyanogen. It sucks that development is sort of dead for it, but I still have control over pretty much everything. I like being able to block individual apps from sharing data and boy once you disable it, you'd be surprised how many apps complain or refuse to work over data they don't need.
Uber especially is one I have to block location access and then re-enable it when I want to use the app. It will try to track you all the time whether you are actively using the ap
Everyone else does it (Score:5, Insightful)
This is no issue of concern, as almost all applications these days collect telemetry data for market analytics and to identify and debug application flaws
The reason this is not a concern is because everyone else does it. Absolutely priceless reasoning.
If I had a penny for every instance of this nonsense uttered in my lifetime I would be a trillionaire.
Re: (Score:2)
I can accept a certain form of Opt-In telemetry but there is no need to include ESSID's and WIFI identifiers.
Weird (Score:2)
Have they never heard the saying "if everyone else jumps off a bridge are you going to do it too?"
I always wonder that when this type of reasoning is used. At one point a lot of people were smoking cigarettes, but that didn't make the health risk any lower. Plenty litter or make a lot of waste, that doesn't help us in the effort to sustain ourselves. The number of people doing something has no bearing on whether that is beneficial or not.
Re: (Score:2)
Flash Phone. Lineage OS. (Score:5, Insightful)
Flash the Phone with Lineage OS. Thats what I do with my Phones.
Re: (Score:2, Informative)
You're welcome [xda-developers.com]
i'm concerned (Score:3, Insightful)
> This is no issue of concern, as almost all applications these days collect telemetry data for market analytics and to identify and debug application flaws.
Umm... yes it is?
Guess I'm not going to buy a one plus phone (Score:3)
Didn't happen, long story; but sadly typical This is, to my mind, stupid. But the current generation doesn't seem to mind.
Need hearts and minds to effect change
Re: (Score:2)
But the current generation doesn't seem to mind.
Doesn't mind, doesn't know, or just doesn't think they can do anything about it so tolerate it despite minding because they need a phone to live a normal life these days?
Those are three quite different scenarios, and in two of the three it appears there is a market failure where purchasers of these (or other) smartphones don't get a choice they could reasonably be offered and so can't express their preference with their wallets.
That sort of market failure is what regulation is for. Europe is going to have a
Re: (Score:2)
Doesn't mind, doesn't know, or just doesn't think they can do anything about it so tolerate it
With my kids, it's that latter thing.
None of them are OK with it, but equally as much, none of them think there's anything they can do about it.
uhoh (Score:2)
I know someone with a one plus 3t and it seemed like the perfect device. I am not sure what effect disabling those applications might have, so ill wait a few days before advising her to do that. Hopefully this is big news, but sadly everyone is doing it.
If you are a smartphone user and you think google and apple don't have the complete picture of you as an individual you are dreaming! This is just the chinese not giving even the slightest fuck, while american companies still have to pretend to care about pr
Re: (Score:2)
who pays the shills? (Score:3, Interesting)
Only 30 comments so far, and over half of them are from painfully obvious anti-Linux shills. Which leaves me wondering - who exactly bankrolls this particular battalion of the 50 Cent Army?
Microsoft? No, can't be. I think they've given up on phones.
Apple? Now this one is fairly believable. Deep pockets, Silicon Valley ethics (read: no ethics at all), and mindless brainwashed cult followers... okay, sounds plausible. But it's so crass & crude & obvious. Doesn't really feel like an Apple-backed operation.
Russian/Chinese/Nork/USSA state-affiliated organizations? Well sure, they infest Slashdot like the regular vermin they are. But why would they give a fuck about an obscure cellphone?
Global dystopian-progressive NGOs backed by financial oligarchs? Well, they do hate freedom, so it stands to reason they would also hate Linux. The smarmy tone of the shill comments does match their supporters. Not sure why they'd care about a cellphone. But maybe their shills are on salary. They've already finished polluting the political articles, so they're just chilling out here. Shitting all over the place while trying to figure out how they can blame this on Trump colluding with the rooskies. I rate this possibility as plausible but lacking in evidence.
RMS? The shills both draw attention to the evil practice of commercial surveillance, as well as making anti-freedom proponents look like toxic fucktards. Subtle & brilliant. Alas, I don't think RMS has the funds to hire a troll army, so this one's not too plausible.
Re: who pays the shills? (Score:1)
Anyone who doesn't agree with you must be a paid shill? There are two words to describe you: paranoid delusional. In your mind, anyone who criticizes Linux must be a paid shill, yet you made no attempt to refute them. If you could have addressed the concerns raised about Linux, you undoubtedly would have done so. That indicates you are unable to do so. By your logic, you're likely a paid pro-Linux shill, perhaps funded by someone with deep pockets such as Red Hat or IBM. Linux also includes SELinux code con
Re: who pays the shills? (Score:2, Insightful)
Criticism of Linux? Oh, no, must be shills! Mod to -1 troll!
Criticism of Microsoft and Apple? Yay, +5 insightful!
Got it.
Re: (Score:1)
"Slashdot accepts smart and valid criticism"
Yes, the WEBSITE does. The readers, well, your mileage WILL vary. I see Apple Fanboys, Microsoft Fanboys and Linux Fanboys who refuse to accept smart and valid criticism. Often it's treated like a personal attack. And it is responded to as such, using far less smart and valid criticism.
I just thought I should point that out.
Re: (Score:1)
You have mental problems. Seriously, your recent post history also has you posting 20 times in anotehr thread accusing people of being Chinese shills (and Hillary Clinton shills) and now this long rambling post about people being paid to talk bad about Linux on an obscure website frequented by old IT professionals...
Get off the site (which is feeding your paranoia) and get help.
Re: (Score:2)
you are a false prophet and not the true anon, for in only mentioning the goat hole you have not mentioned the complete holy trinity which also includes tub girl and two girls & 1 cup,
Re: (Score:2)
Goddamit, I already told you - I'm a NORKBOT. Great Leader Kim Il-sung personally programmed me, shortly after he invented the Internet. Yes, Pyongyang is in fact lovely this time of year. Not that it matters to me, since I'm a bot, but hey just sayin'...
Anyways, I blame the Rooskies AND the Chicoms. And just for good measure, I blame Canada too. Fuck those polite, hockey-loving, maple-syrup-swilling anti-American Nazis. They're literally Hitler, all of them.
Remember boys & girls: Whenever someon
Re: (Score:1)
Its very simple. Android is a corporate set of applications running on top of Linux. Linux, the kernel, has no telemetry whatsoever and is simply a foundation. A very effective and powerful foundation, hence the credit given to it, irrespective of what someone else put on top of it.
Think a building where the foundations and the first few floors were constructed by volunteers and have free hospice in them but the the top few were added on by an evil corporation which runs unethical scientific experiments on
Re: (Score:2)
Re: (Score:2)
The Moral Of The Story (Score:1)
This is SlashDot. While that means that the most worthless crap can be posted, it also strangely means that intelligent people will read and comment about it. Of course it's a concern if your friends are jumping off of a cliff, not a reason to follow them. It's only an issue of no concern if the product isn't being marketed as needing to be as secure as possible.
So why is anyone surprised? (Score:1)
I don't care what OS is on the phone. It is both designed and manufactured in China by a Chinese company. The government has total control on what it does. They've obviously taken the opportunity to clandestinely track the location and usage data from everyone worldwide with a OnePlus phone. It is most certainly feeding into a government intelligence database for permanent storage.
This is no different than Kaspersky. As far back as 2000 a company I worked for considered Kaspersky and quickly rejected it due
Market opportunity? (Score:1)
Stories like this and fscking Samsung ruining Galaxies by removing removable batteries, switching from Qualcomm to Exynos etc makes me wonder if there's a gap in the market for a new phone. It would be like this
1) Qualcomm reference design
2) Removable battery
3) SD card slot
4) Enough onboard flash and SDRAM that people won't complain
5) Headphone jack
6) IP67 or better
Incidentally all this was possible when Samsung build the Galaxy S5. And in fact the Galaxy's 1080p display is fine for most people. Though I su
Re: (Score:2)
I'd pass on the SD Card if they would just settle for a decent amount of flash instead of charging a premium.
64GB, $300; 128GB, $350. A 64GB MicroSD costs $15 and a SanDisk MicroSDXC 64GB Ultra costs $23, with all the circuitry in there for the flash controller (SD cards include a microcontroller--a small computer that handles IO operations and even runs its own OS). It's $8-$10 of flash chips. Your phone has a flash controller chip already; adding $10 more NAND does not cost $50 and you are not takin
Re: (Score:2)
I don't care about water resistance, but I'd buy the phone you describe in a heartbeat.
I wouldn't care if it didn't have the best display, and I wouldn't even care whether or not it had a camera.
It often seems like every new model of phone I see entering the market is less desirable than the one before it.
wait for it... (Score:2)
It's not an Android problem (not really) (Score:1)
If I make the battery non-removable, I can keep the radio on without you knowing it, so I can send packets of who-knows-what whenever I like.
If I lock it down, you won't be able to detect it, or shut it off.
Don't be distracted by the bloatware and ad notifications -- those are the result of corporate flacks that can't help themselves. Your privacy is really being eroded in the background.
Think about another phone you might have, with a non-removable battery, and a very walled garden.
--#
Re: (Score:2)
If I make the battery non-removable, I can keep the radio on without you knowing it, so I can send packets of who-knows-what whenever I like.
Here are some easy solutions to that problem: https://www.amazon.com/faraday... [amazon.com]
Re: (Score:1)
Sure, we all know about faraday cages and tinfoil hats here, but think about the trick they pulled on *everyone else*: non-removable batteries and radios you cannot really turn off. Think outside your demographic.
--#
As the article shows (Score:4, Informative)
No Concern?? (Score:2)
From TFS:
Moore discovered that OxygenOS was sending regular telemetry to OnePlus' servers. This is no issue of concern, as almost all applications these days collect telemetry data for market analytics and to identify and debug application flaws.
I beg to differ. Collecting telemetry without notifying users or allowing a way to disable it is a matter of large concern to a lot of people.
That it's quite common means absolutely nothing.
Very sad... (Score:2)
I just sent a complaint towards OnePlus, will not be recommending it anymore for anyone, and the OnePlus 3 will be my last OnePlus device.
It's not like I didn't think this could happen, I was hoping that it wouldn't because quite frankly, any business these days should be monitored for stuff like that.
But now, my relationship with this company is done. Very sad because the OnePlus 3 is a great device overall for the price. Up until now I was recommending it for people looking for high end capabilities with