Page 1 of 3
37
OTA and IMEI over HTTP Jul 4, 2016

  1. b1nny
    Eclair Jul 4, 2016

    b1nny , Jul 4, 2016 :
    While checking what kind of network traffic is being sent when checking for updates I happened to notice that my IMEI is being sent over plain HTTP for some reason? I don't think this needs any explaining why this is a very bad idea, since it means anyone else on the same network as me could easily intercept my IMEI (think of untrusted wifi networks, for example).

    Why aren't you guys using HTTPS for this?
     
    #1
    jakkipoika, Milan34119, cssoz and 34 others like this.

  2. 1n9i9c7om
    Honeycomb Jul 5, 2016

    #2
    emplify and r.aditya1987 like this.

  3. OPFanBoyTillEnd
    Honeycomb Jul 5, 2016

    OPFanBoyTillEnd , Jul 5, 2016 :
    Does this happen every time is checked for updates?
     
    #3

  4. b1nny
    Eclair Jul 5, 2016

    b1nny , Jul 5, 2016 :
    Yes. When you press the "check for updates" button a POST request is made to "http://i.ota.coloros.com/post/Query_Update" which contains the IMEI of the device in question both in the user agent and in a header called "imei".

    You can check it for yourself by using a tool such as mitmproxy and telling your device to proxy all its traffic through mitmproxy. Every time you press the button you'll see the post request appear and you can see what they're sending.
     
    #4

  5. OPFanBoyTillEnd
    Honeycomb Jul 5, 2016

    OPFanBoyTillEnd , Jul 5, 2016 :
    Thanks.
    And I'm assuming it happens as well when updates are checked automatically.

    Huge LOL OnePlus.
    Let's just wait for someone to blacklist all your phones.
     
    #5

  6. runboy93
    Jelly Bean Jul 5, 2016

    #6

  7. olliware
    Cupcake Jul 5, 2016

    olliware , Jul 5, 2016 :
    People... by all means - don't get the overall brilliant impression of the OnePlus 3 vaporized by such a cheap and uncommon kind of checking for updates. I mean we're living in a world where nearly everything is transmitted with a decent encryption - why the hell does the device check for updates using plain http? I hope this is just a fake or a mean rumor, otherwise I fear I won't get what's inside your heads when building such a construct...
     
    #7

  8. heywood10
    Cupcake Jul 5, 2016

    heywood10 , Jul 5, 2016 :
    you would not expect this from developers formerly working on Paranoid Android...
    This needs to be fixed asap!
    If you are not willing or capable at least release the Dash charging binaries and we all can head over to CM.
     
    #8

  9. Jrocci
    Honeycomb Jul 5, 2016

    #9

  10. freedompie
    Gingerbread Jul 5, 2016

    freedompie , Jul 5, 2016 :
    Dev's probably used to Chinese standard where security doesn't exist. If you use HTTPS, how would the Chinese government sniff your packets?
     
    #10
    Ceasedd, Milan34119, Pahapoika91 and 4 others like this.

  11. obiwan+
    Honeycomb Jul 6, 2016

    obiwan+ , Jul 6, 2016 :
    What's the worst that can happen when others know your IMEI? Can they open a backdoor on your device? Can they steal any form of identity?
     
    #11
    christinawright, MarkusRanz and 0xTJ like this.

  12. xdotmatt
    Donut Jul 6, 2016

    xdotmatt , Jul 6, 2016 :
    Curious to see if OnePlus responds to this and why they chose an unsecured connection.
     
    #12

  13. b1nny
    Eclair Jul 6, 2016

    b1nny , Jul 6, 2016 :
    You can verify for yourself whether this is a rumor or not (hint: it's not). Let me quote what I've posted over on XDA:

    (image link, in case it gets messed up somewhere)
    (link)

    If you have any further questions, feel free to ask!
     
    #13
    p51d007 likes this.

  14. nate0
    Froyo Jul 6, 2016

    nate0 , Jul 6, 2016 :
    The plain/clear text transmission there is not a good thing. Even if you are on a secure wifi, there is still a risk of a man in the middle attack. Is this standard to have the imei transmitted at all?
     
    #14

  15. Professorchaos1
    Honeycomb Jul 6, 2016

    Professorchaos1 , Jul 6, 2016 :
    Realistically, most people would upgrade the OS over their WPA2-secured WiFi home network, so the chances are very slim.In which case, someone would need to break the encrypted WiFi to access your IMEI information and if the hackers outside your apartment were so cynical, they could theoretically report your IMEI as stolen or lost and cause you a headache trying to have it de-blacklisted because you won't be able to use it or register it at all on any network once it's reported as stolen.

    But I definitely understand that OP/OPPO should be transmitting the data with HTTPS, as it's not even best practices for the industry but it should be an industry-standard in 2016.
     
    #15
    Tokolozi and obiwan+ like this.

  16. nate0
    Froyo Jul 6, 2016

    nate0 , Jul 6, 2016 :
    To the individual this is not good that the security of the phone could be compromised even to the slightest.

    However, from what I read the imei is more mapped to the phone and not to you, not as your sim car would be which has you phone number and any other data stored there. Still compromising the phone itself could spell hardship for OnePlus in a consumer/business point view.
     
    #16
    obiwan+ likes this.

  17. Professorchaos1
    Honeycomb Jul 6, 2016

    Professorchaos1 , Jul 6, 2016 :
    But I mean, it's not the end of the world...there are far worse things...I just realized the phone repair shop I went to have my old Moto X fixed copied down my IMEI on carbon paper on the sales invoice. So they have a copy of my IMEI floating around somewhere and I suppose any of your friends that has physical access to your phone can also "steal" your IMEI.
     
    #17
    Tokolozi likes this.

  18. Jotebe
    Eclair Jul 6, 2016

    #18

  19. witalit
    Froyo Jul 6, 2016

    witalit , Jul 6, 2016 :
    This is pretty shocking I hope someone from Oneplus responds to this as its very important to get this changed.
     
    #19

  20. clovertown
    Cupcake Jul 6, 2016

    clovertown , Jul 6, 2016 :
    Probably true, http://i.ota.coloros.com/ resolves to 115.231.102.185 for me, which is hosted in Hangzhou, China. The Chinese firewall doesn't like HTTPS.
     
    #20

Stay up to date on the latest with our official Community app.

Let's Go
No, thanks.
Sign up now!

Thread Info

37 Likes
55 Replies
25,289 Views
Last replied by jakkipoika

Community Highlight

Recent Threads

To get it on top

0 1 7
In OnePlus 7T Series, Mar 29, 2020 at 7:51 PM

Wormhole

516 502,178 8,885,566
In Off Topic, Feb 17, 2015

Not able to set 1080p on youtube

0 1 2
In OnePlus 7T Pro General Support, Mar 29, 2020 at 7:58 PM

new fonts

0 1 2
In India, Mar 29, 2020 at 7:58 PM

[OFFTOPIC] Random Nonsense Club

556 227,558 4,818,204
In Off Topic, Mar 10, 2014

Forum Statistics

842,731 Discussions
20,014,451 Messages
2,840,116 Members
28,980 online