Twitter user and developer by the name ‘Elliot Alderson’ is back with a new report about OnePlus collecting more data. According to the latest series of tweets, he discovered that OxygenOS in OnePlus devices includes an app by the name of ‘OPBugReportLite’. This app comes pre-installed as a system app on OnePlus devices.
The main reason for concern is that this app collects data about battery statistics, kernel panics, watchdogs, Application Not Responding (ANR) dialogues boxes and all other crashes on OnePlus and sends them to Singapore every 6 hours.
The application has a total of 13 permissions ranging from INTERNET, READ_LOGS, READ_FRAME_BUFFER, WRITE_SECURE_SETTINGS, ACCESS_NETWORK_STATE, READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE, RECEIVE_BOOT_COMPLETED, BROADCAST_STICKY and others. Every time you boot your device, OPReportReceiver starts the ‘BugReportLiteService’. One thing to note here is that the service checks if the user is running Open Beta OxygenOS and sets the flag accordingly.
When you boot your device, the OPReportReceiver start the BugReportLiteService. In the BugReportLiteService OnCreate method, they check if you are a beta user and set flag accordingly.⁰By default, it log the system crashes, watchdogs and the power consumption of your device pic.twitter.com/hEArigtvJe
— Elliot Alderson (@fs0c131y) November 21, 2017
If the user is running Open Beta then OnePlus collects data on System crash, Watchdog, system app crashes, Application is not responding dialogue on system apps, and kernel panics by default. The interesting part here is that OnePlus can modify the ‘BugReportLiteService’ remotely via the internet. According to the tweets, this is a ‘global mechanism’ that OnePlus has implemented in the Android framework.
Despite the fact that OnePlus is collecting the details about the crashes, the company can access ‘very detailed information’ with the help of ‘dumpsys batterystats’ which includes the list of installed apps on the device and the most active apps. All these logs are zipped in /sdcard/oem_log/OPBRLite.zip and uploaded to a server that is located in Singapore.
The tweets also mention some unused methods including variables such as ‘getMediaFile’ which logs data on BT (Bluetooth), CAMERALOG (Camera), GPS, TCPDUMP, QSEE, QXDM, TOP, and WLAN (Wi-Fi). Elliot Alderson confirmed that these logs are sent irrespective of the fact that a user is enrolled in the ‘User experience program’ opt-in by OnePlus.
This comes days after he discovered that OnePlus is leaking a backdoor in all its devices that can allow anyone with physical access to the device to gain root access to the device. Carl Pei responded to the previous report stating that OnePlus will issue a software update in feature to address the problem.
Updated Date: Nov 22, 2017 15:29 PM