OTA and IMEI over HTTP

  1. b1nny
    Eclair Jul 4, 2016

    b1nny , Jul 4, 2016 :
    While checking what kind of network traffic is being sent when checking for updates I happened to notice that my IMEI is being sent over plain HTTP for some reason? I don't think this needs any explaining why this is a very bad idea, since it means anyone else on the same network as me could easily intercept my IMEI (think of untrusted wifi networks, for example).

    Why aren't you guys using HTTPS for this?

  2. 1n9i9c7om
    Honeycomb Jul 5, 2016

  3. OPFanBoyTillEnd
    Honeycomb Jul 5, 2016

    OPFanBoyTillEnd , Jul 5, 2016 :
    Does this happen every time it checks for updates?

  4. b1nny
    Eclair Jul 5, 2016

    b1nny , Jul 5, 2016 :
    Yes. When you press the "check for updates" button a POST request is made to "http://i.ota.coloros.com/post/Query_Update" which contains the IMEI of the device in question both in the user agent and in a header called "imei".

    You can check it for yourself by using a tool such as mitmproxy and telling your device to proxy all its traffic through mitmproxy. Every time you press the button you'll see the post request appear and you can see what they're sending.
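
    An added example, not part of the original post or any vendor code: a small Python check that scans a captured request for IMEI-shaped values (15 digits passing the Luhn check) in headers sent over plain HTTP. The capture is constructed; it assumes the absolute-form request line a proxy sees, and the User-Agent layout, body and test IMEI are placeholders.

```python
import re

# Constructed capture modelled on the request described above. The IMEI is a
# documentation test value; the User-Agent layout and body are assumptions.
SAMPLE_REQUEST = (
    "POST http://i.ota.coloros.com/post/Query_Update HTTP/1.1\r\n"
    "Host: i.ota.coloros.com\r\n"
    "User-Agent: ExampleOTA/1.0/490154203237518\r\n"
    "imei: 490154203237518\r\n"
    "Content-Length: 2\r\n"
    "\r\n"
    "{}"
)

# Exactly 15 digits, not embedded in a longer digit run.
IMEI_CANDIDATE = re.compile(r"(?<!\d)\d{15}(?!\d)")


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn check used by IMEIs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_imei_leaks(raw_request):
    """Return (header name, masked value) for IMEI-like values sent in cleartext."""
    head, _, _body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    if not target.lower().startswith("http://"):
        return []               # only cleartext requests are reported
    findings = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        for match in IMEI_CANDIDATE.findall(value):
            if luhn_valid(match):
                # Keep the 8-digit TAC, mask the serial and check digit.
                findings.append((name.strip(), match[:8] + "*" * 7))
    return findings


if __name__ == "__main__":
    for header, masked in find_imei_leaks(SAMPLE_REQUEST):
        print(f"cleartext IMEI-like value in header {header!r}: {masked}")
```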

  5. OPFanBoyTillEnd
    Honeycomb Jul 5, 2016

    OPFanBoyTillEnd , Jul 5, 2016 :
    And I'm assuming it happens as well when updates are checked automatically.

    Huge LOL OnePlus.
    Let's just wait for someone to blacklist all your phones.

  6. runboy93
    Jelly Bean Jul 5, 2016

  7. Deactivated User
    Jul 5, 2016

  8. heywood10
    Cupcake Jul 5, 2016

    heywood10 , Jul 5, 2016 :
    You would not expect this from developers formerly working on Paranoid Android...
    This needs to be fixed ASAP!
    If you are not willing or capable, at least release the Dash charging binaries and we all can head over to CM.

  9. Jrocci
    Honeycomb Jul 5, 2016

  10. freedompie
    Gingerbread Jul 5, 2016

    freedompie , Jul 5, 2016 :
    Dev's probably used to Chinese standard where security doesn't exist. If you use HTTPS, how would the Chinese government sniff your packets?

  11. obiwan+
    Honeycomb Jul 6, 2016

    obiwan+ , Jul 6, 2016 :
    What's the worst that can happen when others know your IMEI? Can they open a backdoor on your device? Can they steal any form of identity?

  12. xdotmatt
    Donut Jul 6, 2016

    xdotmatt , Jul 6, 2016 :
    Curious to see if OnePlus responds to this and why they chose an unsecured connection.

  13. b1nny
    Eclair Jul 6, 2016

    b1nny , Jul 6, 2016 :
    (image link, in case it gets messed up somewhere)

    If you have any further questions, feel free to ask!

  14. nate0
    Froyo Jul 6, 2016

    nate0 , Jul 6, 2016 :
    The plain/clear text transmission there is not a good thing. Even if you are on a secure wifi, there is still a risk of a man in the middle attack. Is this standard to have the IMEI transmitted at all?

  15. Professorchaos1
    Honeycomb Jul 6, 2016

    Professorchaos1 , Jul 6, 2016 :
    Realistically, most people would upgrade the OS over their WPA2-secured WiFi home network, so the chances are very slim. In which case, someone would need to break the encrypted WiFi to access your IMEI information and if the hackers outside your apartment were so cynical, they could theoretically report your IMEI as stolen or lost and cause you a headache trying to have it de-blacklisted because you won't be able to use it or register it at all on any network once it's reported as stolen.

    But I definitely understand that OP/OPPO should be transmitting the data with HTTPS, as it's not even best practices for the industry but it should be an industry-standard in 2016.

  16. nate0
    Froyo Jul 6, 2016

    nate0 , Jul 6, 2016 :
    To the individual this is not good that the security of the phone could be compromised even to the slightest.

    However, from what I read the IMEI is more mapped to the phone and not to you, not as your SIM card would be, which has your phone number and any other data stored there. Still, compromising the phone itself could spell hardship for OnePlus from a consumer/business point of view.

  17. Professorchaos1
    Honeycomb Jul 6, 2016

    Professorchaos1 , Jul 6, 2016 :
    But I mean, it's not the end of the world...there are far worse things...I just realized the phone repair shop I went to have my old Moto X fixed copied down my IMEI on carbon paper on the sales invoice. So they have a copy of my IMEI floating around somewhere and I suppose any of your friends that has physical access to your phone can also "steal" your IMEI.

  18. Jotebe
    Eclair Jul 6, 2016

  19. witalit
    Froyo Jul 6, 2016

    witalit , Jul 6, 2016 :
    This is pretty shocking. I hope someone from OnePlus responds to this, as it's very important to get this changed.

  20. clovertown
    Cupcake Jul 6, 2016

    clovertown , Jul 6, 2016 :
    Probably true, http://i.ota.coloros.com/ resolves to for me, which is hosted in Hangzhou, China. The Chinese firewall doesn't like HTTPS.