据说OnePlus2后台搜集用户大量隐私信息

Posted by Cai Qiqi on 2017-10-15

参考:
https://www.chrisdcmoore.co.uk/post/oneplus-analytics/

据作者描述,一加2通过POST向
htts://open.oneplus.net/cloud/pushdata
上传手机数据。
已知的上传数据包括:

以手机序列号作为id,
上传系统异常重启操作、
手机屏幕开关状态、
是否解锁、
是否在充电、
IMEI信息、
移动网运营商信息、
手机号、
网卡mac地址、
所连WLAN的ESSID和BSSID、
一些(所有?)app打开和关闭时间!
甚至一些(所有?)app的Activity打开和关闭时间!

部分搜集到的信息

IMEI信息、移动网运营商信息、手机号码、网卡mac地址、所连WLAN的ESSID和BSSID等

{
"ty": 1,
"dl": [
{
"ac": "",
"av": "6.0.1",
"bl": 82,
"br": "OnePlus",
"bs": "CHARGING",
"co": "GB",
"ga": 11511,
"gc": 234,
"ge": 6759424,
"gn": 30,
"iac": 1,
"id": "258cfeb1",
"im": "123456789012345,987654321098765",
"imei1": "123456789012345",
"it": 0,
"la": "en",
"log": "",
"ma": "aa:bb:cc:dd:ee:ff",
"mdmv": "1.06.160427",
"mn": "ONE A2003",
"nci": "23430,",
"ncn": ",",
"noi": "23430,",
"non": "EE,",
"not": "LTE,",
"npc": "gb,",
"npn": "07123456789,07987654321",
"nwa": "aa:bb:cc:dd:ee:ff",
"nwb": "ff:ee:dd:cc:bb:aa",
"nwh": false,
"nwl": 0,
"nws": "\"CHRISDCMOORE\"",
"ov": "Oxygen ONE A2003_24_161227",
"pcba": "",
"rh": 1920,
"ro": false,
"romv": "3.5.6",
"rw": 1080,
"sov": "A.27",
"ts": 1484487017633,
"tz": "GMT+0000"
}
]
}

应用名、版本号、pid、Activity名、打开/关闭时间

{
"ty": 2,
"dl": [{
"id": "258cfeb1",
"pi": 12795,
"si": "127951484342058637",
"ts": 1484342058637,
"pn": "com.android.chrome",
"pvn": "55.0.2883.91",
"pvc": 288309101,
"cn": "ChromeTabbedActivity",
"en": "start",
"aed": [],
"sa": true,
"it": 0,
"rv": "OnePlus2Oxygen_14.A.27_GLO_027_1612271635"
}, ... {
"id": "258cfeb1",
"pi": 4143,
"si": "41431484342115589",
"ts": 1484342115589,
"pn": "com.android.systemui",
"pvn": "1.1.0",
"pvc": 0,
"cn": "RecentsActivity",
"en": "stop",
"aed": [],
"sa": true,
"it": 0,
"rv": "OnePlus2Oxygen_14.A.27_GLO_027_1612271635"
}, {
"id": "258cfeb1",
"pi": 26449,
"si": "264491484342115620",
"ts": 1484342115620,
"pn": "com.android.settings",
"pvn": "6.0.1",
"pvc": 23,
"cn": "WifiSettingsActivity",
"en": "start",
"aed": [],
"sa": true,
"it": 0,
"rv": "OnePlus2Oxygen_14.A.27_GLO_027_1612271635"
}, ... {
"id": "258cfeb1",
"pi": 2608,
"si": "26081484346421908",
"ts": 1484346421908,
"pn": "com.android.settings",
"pvn": "6.0.1",
"pvc": 23,
"cn": "Settings",
"en": "start",
"aed": [],
"sa": true,
"it": 0,
"rv": "OnePlus2Oxygen_14.A.27_GLO_027_1612271635"
}, ...
]
}

作者找到收集用户信息的app所在对应的apk为
/system/priv-app/OPDeviceManager/OPDeviceManager.apk
其中负责数据搜集的模块是OnePlus System Service进程的OneplusAnalyticsJobService服务。
oneplus-services-orig.png
作者说,在将近10小时的时间该模块上传了16MB数据(但是不知道这里作者会不会把该服务占用的内存值当作了该服务上传的流量大小)。

作者逆向出其smali代码,找到了一些搜集信息的API(光看方法名你就能明白):

.method public static encodeToBase64(Ljava/lang/String;)Ljava/lang/String;
.method public static getAndroidVersion()Ljava/lang/String;
.method public static getBSSID(Landroid/content/Context;)Ljava/lang/String;
.method public static getBatteryLevel(Landroid/content/Context;)F
.method public static getBatteryStatus(Landroid/content/Context;)Ljava/lang/String;
.method public static getBrandName()Ljava/lang/String;
.method public static getCellSignalLevel(Landroid/content/Context;)Ljava/lang/String;
.method public static getDeviceId()Ljava/lang/String;
.method public static getIMEI(Landroid/content/Context;)Ljava/lang/String;
.method public static getIMEI1(Landroid/content/Context;)Ljava/lang/String;
.method public static getIsHiddenSSID(Landroid/content/Context;)Z
.method public static getLocale(Landroid/content/Context;)Ljava/util/Locale;
.method public static getMacAddr(Landroid/content/Context;)Ljava/lang/String;
.method public static getModelName()Ljava/lang/String;
.method public static getOSVersion()Ljava/lang/String;
.method public static getPCBA()Ljava/lang/String;
.method public static getResolutionHeight(Landroid/content/Context;)I
.method public static getResolutionWidth(Landroid/content/Context;)I
.method public static getRomVersion()Ljava/lang/String;
.method public static getSimCountryCode(Landroid/content/Context;)Ljava/lang/String;
.method public static getSoftVersion()Ljava/lang/String;
.method public static getTimezone()Ljava/lang/String;
.method public static getWifiMacAddress(Landroid/content/Context;)Ljava/lang/String;
.method public static getWifiSSID(Landroid/content/Context;)Ljava/lang/String;
.method public static getWifiSignalLevel(Landroid/content/Context;)I
.method public static isH2()Z
.method public static isO2()Z
.method public static isRooted()Z

代码位于
net/oneplus/odm/common/Utils.smali中。
虽然据这位作者我们知道了一加2做了这么多事,然而由于这是一个系统应用,如果不root,没法卸载,无法禁止数据搜集操作。由于该应用是系统自启动的,你唯一能做的就是在系统启动之后手动关掉那个数据搜集的服务(如果它不会在手动禁用之后自动重启的话)或者用其他app达到相同的目的(手动禁用),或者通过某种方式禁止它与open.oneplus.net通信。