Analytics data is important for any software project. The data can help developers figure out what features people use, what bugs need to be fixed, and what/where the target market is. OnePlus, in its never-ending mission to make itself the worst Android phone manufacturer on the planet, has been discovered collecting massive amounts of analytics data from phone owners. The collected data includes IMEI numbers, MAC addresses, mobile network names and IMSI prefixes, serial numbers, and more.
Christopher Moore, a software engineer, made a post on his personal blog showing his discoveries. During a Hack Challenge, Moore began proxying the internet traffic from his OnePlus 2 using OWASP ZAP. If you're not familiar with this process, this essentially allowed him to view all incoming and outgoing internet traffic from his phone. Among the usual network activity, he noticed a large amount of requests to open.oneplus.net.
Through deeper inspection, he found the domain name to be an Amazon AWS instance owned by OnePlus. I'll save you the technical jargon, but essentially, he could see his phone sending data frequently to the open.oneplus.net server over HTTPS. He was able to decrypt the data (using the authentication key on the phone) which revealed that his OP2 was sending time-stamped information about locks, unlocks, and unexpected reboots.
Logging unexpected reboots would make sense (it could help developers fix OS bugs), but as Moore noted in his blog, recording every time the phone is unlocked or locked seemed excessive. He left the proxy running for an extended period of time, and things went downhill quickly.
Moore discovered that some of the data being sent to OnePlus' servers included the phone's IMEI number, the phone number, MAC addresses, mobile network names and IMSI prefixes, Wi-Fi connection info, and the phone's serial number. And if you thought that was bad, he later found that the data included every time an app was opened.
There's a chance this could break other functionality of the system, since Device Manager could be responsible for other tasks, so do this at your own risk.