Just over a month after OnePlus was caught running covert analytics on users through discreet analytics on OxygenOS, a new alarming system app has been discovered to be sending user information back to Singapore every 6 hours.
You'd think that after OnePlus was caught red-handed harvesting sensitive user data (battery life, Android version, mobile phone signal, IMEI, serial number, the numbers you call, WiFi information, detailed app activity, screen on/off) through a hidden, difficult-to-disable app in their OS, they'd take extra care to be open when it comes to user privacy.
As it happens, the sly data collection is still going on, and it's potentially even worse than before. This time it comes in the form of a system app called OPBugReportLite, the details of which were brought to light by the Twitter account of a certain Mr. Robot fan known as Elliot Alderson.
<Thread> Hi @OnePlus 👋! How are you today? Let's talk about the OPBugReportLite found in your phone.⁰This app is a pre-installed system app which sends silently, every 6 hours, the battery stats, kernel panics, watchdogs, ANRs and all crashes of your device to Singapore.— Elliot Alderson (@fs0c131y) November 21, 2017
You can read through Elliot's entire thread here, but we've condensed the most salient points about the process below:
This app is a pre-installed system app which sends silently, every 6 hours, the battery stats, kernel panics, watchdogs, ANRs and all crashes of your device to Singapore.
To check if you have this app, go to Settings -> Apps -> Show system apps -> Search BugReportLite in the list. This app has 13 permissions: INTERNET, READ_LOGS, READ_FRAME_BUFFER, WRITE_SECURE_SETTINGS, ACCESS_NETWORK_STATE, READ_EXTERNAL_STORAGE…
When you boot your device, the OPReportReceiver start the BugReportLiteService. By default, it log the system crashes, watchdogs and the power consumption of your device
Did I forget to mention that they can modify this configuration remotely. Yes, you heard me REMOTELY! It’s a global mechanism they implemented in the Android framework and they used it a lot.
They can access very detailed information with the command “dumpsys batterystats”: get the list of installed apps, which apps are most active,
Every 6 hours, these logs are zipped in /sdcard/oem_log/OPBRLite.zip and upload to a server located in Singapore.
What does this mean for users?
What this means for OnePlus phone users is that the system app OPBugReportLite on your OnePlus device right now is recording your system and battery statistics, GPS, camera, app activity, crash data etc. and sending data to a server in Singapore every 6 hours.
This information is not anonymous and is way, way more detail than can be justified by after-sales use. Even worse, this behind-the-scenes process can be configured remotely by OnePlus, which means that, should HQ decide to, it could capture and end other types of information, for example your media files, without you knowing anything had changed.
Readers might remember that after the recent OnePlus data harvesting controversy, they agreed to make a clear opt-in process to their user experience program and thus allow the customer to explicitly permit the data collection. But this isn't the case with OPBugReportLite.
We've checked out our own OnePlus 5T and been dismayed to find OPBugReportLite active on it. It's an very disappointing downside to find on an otherwise great device. The user isn't warned about this process and it's not possible to stop this data logging, though it is possible, although tricky, to stop the upload (by disabling the system app, with root access).
Of course, OnePlus is not the only corporation interested in harvesting our valuable personal data, but this pattern of repeated invasive practices in the software can only erode the trust that users have in the company.
We are waiting for a response OnePlus about the issue and will follow up as the story develops.
What do you think? Does this kind of sly data harvesting make your blood boil? Or is it no big deal?
Source: Elliot Alderson on Twitter