
Intentional or Not? OnePlus Phones Are Collecting Sensitive User Data

Published October 11, 2017


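Introduction: According to foreign media reports, OnePlus phones, made in Shenzhen, China and running OxygenOS, are silently collecting user data, and the scope of the data collected is rather broad...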


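In fact, it is quite normal for phone manufacturers to collect user data: they need to identify users, analyze whether a user's device has problems, push fixes promptly, and so on, all with the aim of improving user experience and product quality. So why are foreign media criticizing OnePlus for collecting data from users' devices?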

Phone numbers too?!

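According to a blog post by security researcher Christopher Moore, OnePlus phones continuously collect user data and send it to OnePlus's servers. By intercepting and analyzing this network traffic, Moore was surprised to find the following: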

{
    "ty": 3,
    "dl": [
        {
            "id": "258cfeb1",
            "en": "screen_off",
            "ts": 1484177517017,
            "oed": [],
            "it": 0,
            "rv": "OnePlus2Oxygen_14.A.27_GLO_027_1612271635"
        }, {
            "id": "258cfeb1",
            "en": "screen_on",
            "ts": 1484177826984,
            "oed": [],
            "it": 0,
            "rv": "OnePlus2Oxygen_14.A.27_GLO_027_1612271635"
        }, {
            "id": "258cfeb1",
            "en": "unlock",
            "ts": 1484177827961,
            "oed": [],
            "it": 0,
            "rv": "OnePlus2Oxygen_14.A.27_GLO_027_1612271635"
        }, {
            "id": "258cfeb1",
            "en": "abnormal_reboot",
            "ts": 1484178427035,
            "oed": [],
            "it": 0,
            "rv": "OnePlus2Oxygen_14.A.27_GLO_027_1612271635"
        }, ...
    ]
}

Further analysis revealed something more alarming: the IMEI and the phone's serial number are sent in full.

{
    "ty": 1,
    "dl": [
        {
            "ac": "",
            "av": "6.0.1",
            "bl": 82,
            "br": "OnePlus",
            "bs": "CHARGING",
            "co": "GB",
            "ga": 11511,
            "gc": 234,
            "ge": 6759424,
            "gn": 30,
            "iac": 1,
            "id": "258cfeb1",
            "im": "123456789012345,987654321098765",
            "imei1": "123456789012345",
            "it": 0,
            "la": "en",
            "log": "",
            "ma": "aa:bb:cc:dd:ee:ff",
            "mdmv": "1.06.160427",
            "mn": "ONE A2003",
            "nci": "23430,",
            "ncn": ",",
            "noi": "23430,",
            "non": "EE,",
            "not": "LTE,",
            "npc": "gb,",
            "npn": "07123456789,07987654321",
            "nwa": "aa:bb:cc:dd:ee:ff",
            "nwb": "ff:ee:dd:cc:bb:aa",
            "nwh": false,
            "nwl": 0,
            "nws": "\"CHRISDCMOORE\"",
            "ov": "Oxygen ONE A2003_24_161227",
            "pcba": "",
            "rh": 1920,
            "ro": false,
            "romv": "3.5.6",
            "rw": 1080,
            "sov": "A.27",
            "ts": 1484487017633,
            "tz": "GMT+0000"
        }
    ]
}

{
    "ty": 2,
    "dl": [{
            "id": "258cfeb1",
            "pi": 12795,
            "si": "127951484342058637",
            "ts": 1484342058637,
            "pn": "com.android.chrome",
            "pvn": "55.0.2883.91",
            "pvc": 288309101,
            "cn": "ChromeTabbedActivity",
            "en": "start",
            "aed": [],
            "sa": true,
            "it": 0,
            "rv": "OnePlus2Oxygen_14.A.27_GLO_027_1612271635"
        }, ... {
            "id": "258cfeb1",
            "pi": 4143,
            "si": "41431484342115589",
            "ts": 1484342115589,
            "pn": "com.android.systemui",
            "pvn": "1.1.0",
            "pvc": 0,
            "cn": "RecentsActivity",
            "en": "stop",
            "aed": [],
            "sa": true,
            "it": 0,
            "rv": "OnePlus2Oxygen_14.A.27_GLO_027_1612271635"
        }, {
            "id": "258cfeb1",
            "pi": 26449,
            "si": "264491484342115620",
            "ts": 1484342115620,
            "pn": "com.android.settings",
            "pvn": "6.0.1",
            "pvc": 23,
            "cn": "WifiSettingsActivity",
            "en": "start",
            "aed": [],
            "sa": true,
            "it": 0,
            "rv": "OnePlus2Oxygen_14.A.27_GLO_027_1612271635"
        }, ... {
            "id": "258cfeb1",
            "pi": 2608,
            "si": "26081484346421908",
            "ts": 1484346421908,
            "pn": "com.android.settings",
            "pvn": "6.0.1",
            "pvc": 23,
            "cn": "Settings",
            "en": "start",
            "aed": [],
            "sa": true,
            "it": 0,
            "rv": "OnePlus2Oxygen_14.A.27_GLO_027_1612271635"
        }, ...
    ]
}

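To summarize, the information OnePlus collects includes roughly the following:

User phone numbers
MAC addresses
IMEI and IMSI codes
Mobile network names
Wireless network ESSID and BSSID
Phone serial number
Timestamps of when the phone is unlocked and locked
Timestamps of when applications are opened and closed
Timestamps of when the screen is turned on and off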
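To check an intercepted payload of this shape for device and subscriber identifiers, the following added example (not from the original article or from Moore's post) classifies each string field by the pattern of its value. The sample is constructed from the placeholder values in the "ty": 1 payload above, and the identifier type assigned to each field is inferred from the value's format, which is an assumption.

```python
import json
import re

# Constructed sample modelled on the "ty": 1 payload above (placeholder values).
SAMPLE = json.dumps({
    "ty": 1,
    "dl": [{
        "id": "258cfeb1",
        "im": "123456789012345,987654321098765",
        "imei1": "123456789012345",
        "ma": "aa:bb:cc:dd:ee:ff",
        "nci": "23430,",
        "npn": "07123456789,07987654321",
        "nwb": "ff:ee:dd:cc:bb:aa",
        "ts": 1484487017633,
    }],
})

# Value patterns, checked in order; types are inferred from format (assumption).
PATTERNS = [
    ("imei_or_imsi", re.compile(r"\d{15}")),
    ("mac_address", re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.I)),
    ("phone_number", re.compile(r"\+?\d{10,14}")),
]

def classify(value):
    """Return the identifier type a single string value looks like, or None."""
    for label, pattern in PATTERNS:
        if pattern.fullmatch(value):
            return label
    return None

def audit_payload(raw):
    """Map each record field to the identifier types found in its value."""
    findings = {}
    for record in json.loads(raw).get("dl", []):
        for key, value in record.items():
            if not isinstance(value, str):
                continue  # numeric fields such as "ts" are skipped
            # Several fields pack multiple values into one comma-separated string.
            labels = {classify(part.strip()) for part in value.split(",")}
            labels.discard(None)
            if labels:
                findings.setdefault(key, set()).update(labels)
    return findings

if __name__ == "__main__":
    for key, labels in sorted(audit_payload(SAMPLE).items()):
        print(f"{key}: {', '.join(sorted(labels))}")
```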


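As you can see, the information above is already very detailed, more than enough for identifying users and improving product quality. Moreover, OnePlus phones provide no option to disable this behavior.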

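Moore has reported the issue to OnePlus technical support but has not yet received a reply. In July last year, security engineer Tux also discovered and disclosed the same issue, but OnePlus ignored it.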

Workaround

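Fortunately, Android developer Jakub Czekański has found a way to disable this behavior. Connect the phone to a computer with USB debugging enabled, then open adb shell and enter pm uninstall -k --user 0 net.oneplus.odm.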

This article is translated from: https://thehackernews.com/2017/10/oneplus-oxygenos-analytics-data.html. If you repost it, please cite the original address: http://www.4hou.com/info/news/7906.html


咿咿


    longye 2017-10-15 13:11

    OnePlus's official reply: By the end of October, all OnePlus phones running OxygenOS will have a prompt in the setup wizard that asks users if they want to join our user experience program. The setup wizard will clearly indicate that the program collects usage analytics. In addition, we will include a terms of service agreement that further explains our analytics collection. We would also like to share we will no longer be collecting telephone numbers, MAC Addresses and WiFi information.
    via https://forums.oneplus.net/threads/lets-talk-about-oxygenos-analytics.654820/