有意還是無意？一加手機正在收集用戶敏感數據

據外媒報道，由中國深圳生產的一加手機（運行的系統為OxygenOS系統）正在靜默的收集用戶數據，而且收集的數據範圍有點大……

其實，手機廠商收集用戶數據是很正常的一件事，他們需要識別用戶，分析用戶設備是否存在問題以及及時的推送修復方案等等，這些全是出於提升用戶體驗和產品質量而出發的。但是為什麼外媒會指責一加手機搜集用戶設備呢？

電話號碼也收集？！

據國外安全研究員ChristopherMoore 發布的博客稱，一加手機會持續不斷的收集用戶數據，並發送至一加的伺服器。通過劫持並分析這些網路流量，Moore 驚奇的發現了如下信息：

{ "ty": 3, "dl": [ { "id": "258cfeb1", "en": "screen_off", "ts": 1484177517017, "oed": [], "it": 0, "rv": "OnePlus2Oxygen_14.A.27_GLO_027_1612271635" }, { "id": "258cfeb1", "en": "screen_on", "ts": 1484177826984, "oed": [], "it": 0, "rv": "OnePlus2Oxygen_14.A.27_GLO_027_1612271635" }, { "id": "258cfeb1", "en": "unlock", "ts": 1484177827961, "oed": [], "it": 0, "rv": "OnePlus2Oxygen_14.A.27_GLO_027_1612271635" }, { "id": "258cfeb1", "en": "abnormal_reboot", "ts": 1484178427035, "oed": [], "it": 0, "rv": "OnePlus2Oxygen_14.A.27_GLO_027_1612271635" }, ... ]}

繼續分析，發現了更可怕的信息，IMEI，手機序列號一覽無餘

{ "ty": 1, "dl": [ { "ac": "", "av": "6.0.1", "bl": 82, "br": "OnePlus", "bs": "CHARGING", "co": "GB", "ga": 11511, "gc": 234, "ge": 6759424, "gn": 30, "iac": 1, "id": "258cfeb1", "im": "123456789012345,987654321098765", "imei1": "123456789012345", "it": 0, "la": "en", "log": "", "ma": "aa:bb:cc:dd:ee:ff", "mdmv": "1.06.160427", "mn": "ONE A2003", "nci": "23430,", "ncn": ",", "noi": "23430,", "non": "EE,", "not": "LTE,", "npc": "gb,", "npn": "07123456789,07987654321", "nwa": "aa:bb:cc:dd:ee:ff", "nwb": "ff:ee:dd:cc:bb:aa", "nwh": false, "nwl": 0, "nws": ""CHRISDCMOORE"", "ov": "Oxygen ONE A2003_24_161227", "pcba": "", "rh": 1920, "ro": false, "romv": "3.5.6", "rw": 1080, "sov": "A.27", "ts": 1484487017633, "tz": "GMT+0000" } ]}

{ "ty": 2, "dl": [{ "id": "258cfeb1", "pi": 12795, "si": "127951484342058637", "ts": 1484342058637, "pn": "com.android.chrome", "pvn": "55.0.2883.91", "pvc": 288309101, "cn": "ChromeTabbedActivity", "en": "start", "aed": [], "sa": true, "it": 0, "rv": "OnePlus2Oxygen_14.A.27_GLO_027_1612271635" }, ... { "id": "258cfeb1", "pi": 4143, "si": "41431484342115589", "ts": 1484342115589, "pn": "com.android.systemui", "pvn": "1.1.0", "pvc": 0, "cn": "RecentsActivity", "en": "stop", "aed": [], "sa": true, "it": 0, "rv": "OnePlus2Oxygen_14.A.27_GLO_027_1612271635" }, { "id": "258cfeb1", "pi": 26449, "si": "264491484342115620", "ts": 1484342115620, "pn": "com.android.settings", "pvn": "6.0.1", "pvc": 23, "cn": "WifiSettingsActivity", "en": "start", "aed": [], "sa": true, "it": 0, "rv": "OnePlus2Oxygen_14.A.27_GLO_027_1612271635" }, ... { "id": "258cfeb1", "pi": 2608, "si": "26081484346421908", "ts": 1484346421908, "pn": "com.android.settings", "pvn": "6.0.1", "pvc": 23, "cn": "Settings", "en": "start", "aed": [], "sa": true, "it": 0, "rv": "OnePlus2Oxygen_14.A.27_GLO_027_1612271635" }, ... ]}

總結一下，一加收集的信息大致包含如下：

用戶電話號碼MAC地址IMEI和IMSI碼移動網路名稱無線網路ESSID和BSSID手機序列號解鎖手機和上鎖手機的時間戳打開和關閉應用的時間戳開屏和關屏的時間戳

可想而知，上面的這些信息已經非常詳細了，用於識別用戶、提升產品品質的話，已經綽綽有餘。而且，一加手機也沒有提供任何選項來禁用這些行為。

Moore已經將這一問題提交給了一加技術支持，但是目前為止還沒有收到回復。去年7月，安全工程師Tux也發現並公開了同樣的問題，但是被一加忽略了。

解決辦法

幸運的是，安卓開發者Jakub Czekański已經找出了一種禁止這一行為。把手機連接至電腦並設置成USB調試模式，然後打開adb shell並輸入pm uninstall -k –user 0 net.oneplus.odm，即可。

本文翻譯自：https://thehackernews.com/2017/10/oneplus-oxygenos-analytics-data.html，如若轉載，請註明原文地址： http://www.4hou.com/info/news/7906.html

推薦閱讀：