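According to foreign media reports, OnePlus phones made in Shenzhen, China (running OxygenOS) are silently collecting user data, and the scope of the collected data is rather broad...
In fact, it is perfectly normal for phone manufacturers to collect user data: they need to identify users, analyze whether a user's device has problems, push fixes promptly, and so on, all with the aim of improving user experience and product quality. So why are foreign media accusing OnePlus phones of harvesting data from users' devices?
Even phone numbers are collected?!
According to a blog post by overseas security researcher Christopher Moore, OnePlus phones continuously collect user data and send it to OnePlus servers. By intercepting and analyzing this network traffic, Moore was surprised to find the following: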
{
"ty": 3,
"dl": [
{
"id": "258cfeb1",
"en": "screen_off",
"ts": 1484177517017,
"oed": [],
"it": 0,
"rv": "OnePlus2Oxygen_14.A.27_GLO_027_1612271635"
}, {
"id": "258cfeb1",
"en": "screen_on",
"ts": 1484177826984,
"oed": [],
"it": 0,
"rv": "OnePlus2Oxygen_14.A.27_GLO_027_1612271635"
}, {
"id": "258cfeb1",
"en": "unlock",
"ts": 1484177827961,
"oed": [],
"it": 0,
"rv": "OnePlus2Oxygen_14.A.27_GLO_027_1612271635"
}, {
"id": "258cfeb1",
"en": "abnormal_reboot",
"ts": 1484178427035,
"oed": [],
"it": 0,
"rv": "OnePlus2Oxygen_14.A.27_GLO_027_1612271635"
}, ...
]
}
Further analysis turned up even more alarming information: the IMEI and the phone's serial number are in plain view.
{
"ty": 1,
"dl": [
{
"ac": "",
"av": "6.0.1",
"bl": 82,
"br": "OnePlus",
"bs": "CHARGING",
"co": "GB",
"ga": 11511,
"gc": 234,
"ge": 6759424,
"gn": 30,
"iac": 1,
"id": "258cfeb1",
"im": "123456789012345,987654321098765",
"imei1": "123456789012345",
"it": 0,
"la": "en",
"log": "",
"ma": "aa:bb:cc:dd:ee:ff",
"mdmv": "1.06.160427",
"mn": "ONE A2003",
"nci": "23430,",
"ncn": ",",
"noi": "23430,",
"non": "EE,",
"not": "LTE,",
"npc": "gb,",
"npn": "07123456789,07987654321",
"nwa": "aa:bb:cc:dd:ee:ff",
"nwb": "ff:ee:dd:cc:bb:aa",
"nwh": false,
"nwl": 0,
"nws": "\"CHRISDCMOORE\"",
"ov": "Oxygen ONE A2003_24_161227",
"pcba": "",
"rh": 1920,
"ro": false,
"romv": "3.5.6",
"rw": 1080,
"sov": "A.27",
"ts": 1484487017633,
"tz": "GMT+0000"
}
]
}
{
"ty": 2,
"dl": [{
"id": "258cfeb1",
"pi": 12795,
"si": "127951484342058637",
"ts": 1484342058637,
"pn": "com.android.chrome",
"pvn": "55.0.2883.91",
"pvc": 288309101,
"cn": "ChromeTabbedActivity",
"en": "start",
"aed": [],
"sa": true,
"it": 0,
"rv": "OnePlus2Oxygen_14.A.27_GLO_027_1612271635"
}, ... {
"id": "258cfeb1",
"pi": 4143,
"si": "41431484342115589",
"ts": 1484342115589,
"pn": "com.android.systemui",
"pvn": "1.1.0",
"pvc": 0,
"cn": "RecentsActivity",
"en": "stop",
"aed": [],
"sa": true,
"it": 0,
"rv": "OnePlus2Oxygen_14.A.27_GLO_027_1612271635"
}, {
"id": "258cfeb1",
"pi": 26449,
"si": "264491484342115620",
"ts": 1484342115620,
"pn": "com.android.settings",
"pvn": "6.0.1",
"pvc": 23,
"cn": "WifiSettingsActivity",
"en": "start",
"aed": [],
"sa": true,
"it": 0,
"rv": "OnePlus2Oxygen_14.A.27_GLO_027_1612271635"
}, ... {
"id": "258cfeb1",
"pi": 2608,
"si": "26081484346421908",
"ts": 1484346421908,
"pn": "com.android.settings",
"pvn": "6.0.1",
"pvc": 23,
"cn": "Settings",
"en": "start",
"aed": [],
"sa": true,
"it": 0,
"rv": "OnePlus2Oxygen_14.A.27_GLO_027_1612271635"
}, ...
]
}
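In summary, the information OnePlus collects roughly includes the following:
User phone numbers
MAC addresses
IMEI and IMSI codes
Mobile network names
Wireless network ESSID and BSSID
Phone serial number
Timestamps of when the phone is unlocked and locked
Timestamps of when applications are opened and closed
Timestamps of when the screen is turned on and off
Clearly, the information above is already very detailed, more than enough for identifying users and improving product quality. Moreover, OnePlus phones provide no option to disable this behavior.
Moore has reported the issue to OnePlus technical support but has not received a reply so far. Last July, security engineer Tux also found and disclosed the same issue, but was ignored by OnePlus.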
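The kind of check a defender can run over intercepted telemetry like the payloads above, as an added example that is not from Moore's post or from OnePlus: it matches field values against identifier patterns (MAC address, 15-digit IMEI/IMSI, phone number) instead of relying on the undocumented short key names. The sample is a constructed subset of the "ty": 1 record with the same placeholder values, and the patterns and function names are assumptions of this example; free-text values such as the Wi-Fi name are not caught by pattern matching.

```python
import json
import re

# Value patterns for persistent identifiers (assumed for this example).
# Matching is done on values because the payload's short key names are undocumented.
PATTERNS = {
    "mac_address": re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I),
    "imei_or_imsi": re.compile(r"^\d{15}$"),
    "phone_number": re.compile(r"^\+?\d{10,13}$"),
}

def classify(value):
    """Return the identifier class of one string token, or None."""
    token = value.strip().strip('"')
    for label, pattern in PATTERNS.items():
        if pattern.match(token):
            return label
    return None

def find_identifiers(payload):
    """Walk a telemetry payload ({"ty": ..., "dl": [records]}) and return
    sorted (key, class) pairs for every string field holding an identifier."""
    hits = set()
    for record in payload.get("dl", []):
        for key, value in record.items():
            if not isinstance(value, str):
                continue  # numeric fields such as "ts" are not scanned
            for token in value.split(","):  # "im" and "npn" hold comma-separated lists
                label = classify(token)
                if label:
                    hits.add((key, label))
    return sorted(hits)

# Constructed sample: a subset of the "ty": 1 record shown above, same placeholder values.
SAMPLE = json.loads(r'''
{"ty": 1, "dl": [{"av": "6.0.1", "id": "258cfeb1",
  "im": "123456789012345,987654321098765", "imei1": "123456789012345",
  "ma": "aa:bb:cc:dd:ee:ff", "npn": "07123456789,07987654321",
  "nwa": "aa:bb:cc:dd:ee:ff", "nwb": "ff:ee:dd:cc:bb:aa",
  "nws": "\"CHRISDCMOORE\"", "ts": 1484487017633}]}
''')

if __name__ == "__main__":
    for key, label in find_identifiers(SAMPLE):
        print(f"{key}: {label}")
```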
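Workaround
Fortunately, Android developer Jakub Czekański has found a way to disable this behavior. Connect the phone to a computer and enable USB debugging mode, then open adb shell and enter pm uninstall -k --user 0 net.oneplus.odm.
Original source: 嘶吼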