OTA and IMEI over HTTP

  1. jpswer
    Jelly Bean Jul 6, 2016

    jpswer , Jul 6, 2016 :
Hmm, seems strange that the IMEI would be used for this - surely another device identifier could be used, or some kind of encrypted version of the IMEI if it's going to be sent in plain text. This isn't ideal at all - wouldn't say that this is a massive security issue, although in the UK if someone got hold of it they could add you to the blacklist and mark it as stolen :(

    @Adam Krisko has anyone been made aware of this and any plans to change this?

  2. Deactivated User
    Jul 6, 2016

  3. taosu
    Froyo Jul 6, 2016

    taosu , Jul 6, 2016 :
This is not true. There are plenty of Chinese websites with https that can be accessed from overseas. In fact, most if not all websites requiring logging in are https, like banks, online purchases, cell providers etc.

    The most likely reason here is OnePlus/OPPO did not think IMEI is sensitive information so they did not purchase an SSL license for this domain.

In most countries, you can't actually do anything with an IMEI; you would have to prove you are the owner of the IMEI to block a phone. You can't just show up at a carrier and say you want to block this IMEI. The packaging box of every cellphone also has the IMEI on it; should you be more worried that someone picking through the garbage will go and block your phone?

    This is exactly the same as VIN on your cars. And VIN displays openly on the windshield. This issue is way overblown.

    ananda, shamil, janguv and 1 other person like this.
  4. nate0
    Froyo Jul 6, 2016

    nate0 , Jul 6, 2016 :
Ya, as I mentioned in my reply, the SIM card would be more valuable to a hacker than the IMEI. Really depends on who gets hold of the information and how they use it.

  5. MarkusRanz
    Ice Cream Sandwich Jul 6, 2016

  6. AntiquadoS
    Gingerbread Jul 7, 2016

    AntiquadoS , Jul 7, 2016 :
    It may be overblown, but it is also very sloppy in my opinion. Identifying info should always be sent securely. IMEI coupled with some skillful social engineering could cause quite a bit of harm.

  7. notcyf
    Honeycomb Jul 7, 2016

    notcyf , Jul 7, 2016 :
The IMEI cannot compromise the security of your phone. The IMEI is just an identifier for mobile networks and governments which contains information on where it was bought, what phone it is etc.

    All that could happen is that your IMEI gets blacklisted because it was falsely used by someone. This means you cannot use the phone on any mobile network anymore.

Fun thing though: this means OnePlus has to take back your device (this is their fault, thus it falls under warranty), get it re-certified and then send it back to you again; don't think they would do this on purpose (very costly and also bad rep).

    But yeah the chance that this ever happens is very low, because most people are on WPA2-PSK AES encrypted WiFi, or over their own mobile network. This does mean however that anything between your ISP/Carrier and that website the request is sent, can see this header.

    If China doesn't like HTTPS, this could easily be resolvable by OnePlus. (by using public/private key encryption).

TL;DR don't check for updates using unprotected WiFi, and the chance that your IMEI ever gets into dirty hands is close to zero.
    Last edited: Jul 7, 2016

    Pahapoika91 and Tokolozi like this.
  8. Tokolozi
    Most Original Avatar Jul 7, 2016

    Tokolozi , Jul 7, 2016 :
The pinhead is right, for now check updates on your own WiFi network; although this issue should be fixed, there have been way worse security flaws out there.

  9. taosu
    Froyo Jul 7, 2016

    taosu , Jul 7, 2016 :
    Like I posted before, China does use HTTPS everywhere, kind of a must if you operate any kind of online shopping or online banking.

Even with the IMEI, you cannot block a phone; you have to prove you are the owner of the phone. No country would blacklist an IMEI solely because you provide the government/carrier with the number. Also, very few countries have an IMEI blacklist to begin with. China doesn't have one, which is probably why the devs didn't think it's a big issue to reveal the IMEI.

If you worry about your IMEI being leaked through the OTA update, you should also worry about your IMEI leaking through the packaging of the phone, which you throw away in the garbage and which contains both IMEIs. Also, all the mail and packaging you put in the garbage has your name, address and sometimes cellphone number on it, unless you shred it. These are all much more useful than an IMEI....

    ananda likes this.
  10. arjanvlek
    Honeycomb Jul 9, 2016

    arjanvlek , Jul 9, 2016 :
    Can you please show me the response? I might want to use this to build an OxygenOS Update Tracker app (just like Cyanogen Update Tracker, but then for OP2, OPX and OP3 and of course without sending real IMEIs over HTTP)!

And yes, I'm aware that this will get patched soon, but then it will very likely be the same URL, just with https instead of http...

  11. Vilfy
    Froyo Jul 10, 2016

    Vilfy , Jul 10, 2016 :

  12. runboy93
    Jelly Bean Jul 10, 2016

    runboy93 , Jul 10, 2016 :
    Are OP aware of this security problem, and is there going to be internal update to this problem?

  13. Loveit
    KitKat Jul 10, 2016

    Loveit , Jul 10, 2016 :
I think that just now my IMEI was stolen. How can I track the thieves and get it back? Google?

  14. b1nny
    Eclair Jul 10, 2016

    b1nny , Jul 10, 2016 :
    Hi there

    Currently I haven't had an OTA yet, so I can't actually check the response JSON I got. I did decompile the apk (using apktool) and had a look at what kind of JSON the OTA application expects, I could send you those if you want to?

    On another note, I did manage to get a single reply from OnePlus Support on Twitter (yay?) after 7 tweets at them, asking for comments on the matter. Here's the link to the conversation in question:

  15. b1nny
    Eclair Jul 11, 2016

    b1nny , Jul 11, 2016 :
    Adam just confirmed that they're looking into this issue. (he confirmed it in the OnePlus Telegram group)

    runboy93 likes this.
  16. Cybbis
    Eclair Jul 11, 2016

    Cybbis , Jul 11, 2016 :
    They really need to. What a basic blunder... Not good.

  17. b1nny
    Eclair Jul 12, 2016

    b1nny , Jul 12, 2016 :

I got the OTA a few days ago but only managed to look into it a while ago. I have the JSON for you that is returned by the OP/OPPO servers.

    Sent data:

User-agent:       UA/ONEPLUS A3003/REDACTED/OnePlus3Oxygen_16.A.07_GLO_007_1606062247/V1.0.0_20150407
Content-Type:     text/plain; charset=UTF-8
Host:             i.ota.coloros.com
Connection:       Keep-Alive
Accept-Encoding:  gzip
Content-Length:   188


    Returned data:

Server:          nginx
Date:            Tue, 12 Jul 2016 12:04:53 GMT
Content-Type:    application/json;charset=UTF-8
Content-Length:  1313
Connection:      keep-alive
X-Server-ID:     hz0231

{
    "active_url": "http://otafs1.coloros.com/patch/amazone2/GLO/OnePlus3Oxygen/OnePlus3Oxygen_16.A.11_GLO_011_1607052050/OnePlus3Oxygen_16_OTA_007-011_patch_1
    "description": "http://otafs.coloros.com/html/GLO/OnePlus3Oxygen/OnePlus3Oxygen_16.A.11_GLO_011_1607052050_version_EN_1467889735936.html",
    "down_url": "http://otafs.coloros.com/patch/amazone2/GLO/OnePlus3Oxygen/OnePlus3Oxygen_16.A.11_GLO_011_1607052050/OnePlus3Oxygen_16_OTA_007-011_patch_1607
    "extract": "OS version: OxygenOS 3.2.1\n\nWhat's new in this update:\n\n\u2022 Fixed some notification issues\n\u2022 Addressed SIM recognition issue\n\u2022 Enabled sRGB mode in developer \n  options\n\u2022 Improved RAM management\n\u2022 Improved GPS performance\n\u2022 Enhanced audio playback quality\n\u2022 Updated custom icon packs\n\u2022 Improved camera quality/functionality\n\u2022 Fixed some issues in Gallery\n\u2022 Latest Google security patches\n\u2022 Fixed bugs in Clock/Music apps",
    "new_version": "OnePlus3Oxygen_16.A.11_GLO_011_1607052050",
    "patch_md5": "f6eb2ccbc7e2ebcbf601ab0b5ea09bfc",
    "patch_name": "OnePlus3Oxygen_16_OTA_007-011_patch_1607052050_0e5983ace5314161.zip",
    "patch_size": "415590132",
    "recommend": "100",
    "share": "\u8bf7\u7528\u82f1\u8bed\u8bbe\u7f6e\u5206\u4eab\u5185\u5bb9",
    "type": "0",
    "version_name": "OnePlus3Oxygen_16_1607052050",
    "wipe": "0"
}
    For those interested, the "share" key in the returned JSON data is utf-16 encoded. When you decode it, it becomes:


    Which translates to:

    Share Content Settings English


  18. arjanvlek
    Honeycomb Jul 12, 2016

    arjanvlek , Jul 12, 2016 :
Wow, thanks for posting this. So this server really uses the IMEI sent in plain HTTP for querying update information...
This is because I don't get any kind of response whatsoever if a valid IMEI isn't inserted (I don't have one to test with).
Even the download links give a "404 not found" message when clicked in a regular browser!

  19. b1nny
    Eclair Jul 12, 2016

    b1nny , Jul 12, 2016 :
    It's funny that you mention that..! ;)

So, I played around with it myself and actually figured out that most of the data that's being sent seems to do jacksh*t. :)

    For my testing I used PostMan (chrome app :/) to replicate the requests. So when you have PostMan, paste "http://i.ota.coloros.com/post/Query_Update" in the bar at the top and set the request type to "POST". Now we can actually leave the headers tab alone (yes, really). Go to the body tab and click the bulletpoint thingy next to "raw" and paste the following:
    {"version":"1","mobile":"ONEPLUS A3003","ota_version":"OnePlus3Oxygen_16.A.07_GLO_007_1606062247","imei":"blah","mode":"0","type":"0","language":"en","beta":"0","isOnePlus":"1"}
    Then press send and whooptiedoo, there is your data. :)

So, that means OP is sending the IMEI of users in both the user agent and the data, over HTTP. AND they're not actually using it for normal OTA traffic. Which means that our IMEIs are being sent unencrypted for no reason whatsoever.

    Anyway, since PostMan makes it so easy to play around with the data I found out a couple of things:
- The imei key has to be there, but its value doesn't matter. Another thing that I think I've noticed is that the length of your imei can influence how long your request takes. Now I'd recommend you proceed with caution here, as I don't know what kind of issues this could cause on OP/OPPO's backend.
    - The ota_version key's value is only parsed up to "OnePlus3Oxygen_16.A.07_GLO_007_somethinghere". Replace the somethinghere with whatever you want, there has to be something after the _, but it doesn't matter what.
    - Just like the imei key, you can change the mobile key to whatever you want.
    - The mode and type keys seem to be booleans (true/false). If you change either/both of them to 1, it still works fine. Change them to something higher than 1 or lower than 0 and it stops working. So I presume this sets some sort of boolean somewhere.
    - And last but not least, the isOnePlus key can be removed completely without it affecting the returned data, which is interesting. Perhaps OPPO uses this key to determine how many OP devices are using their OTA infrastructure?

Those are my findings thus far. Again, and I can't stress this enough, be careful with what you send in OP/OPPO's direction. If they don't sanitize their input properly that's their fault, but they will probably blame you for breaking their sh*t, if you happen to.

    Regarding the imei not being used, this seems to confirm what people on XDA (and on the OP forums too I believe) have figured out. That by using a German VPN they were able to get the OTA earlier. This would mean that the staged roll-outs are performed based on client IP rather than imei. Maybe they do use imei to identify phones that can receive beta updates though.

    Loveit likes this.
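Added example, not code from the thread: a small detector for the leak b1nny describes. It parses a constructed copy of the plaintext Query_Update request (headers plus JSON body, same shape as the posted ones) and reports every place a Luhn-valid 15-digit IMEI appears; the IMEI 490154203237518 is a well-known sample value, not a real device.

```python
import json
import re

# Constructed sample of the cleartext OTA request from the thread; the IMEI
# 490154203237518 is a textbook example value, not a real handset.
SAMPLE_REQUEST = (
    "POST /post/Query_Update HTTP/1.1\r\n"
    "User-agent: UA/ONEPLUS A3003/490154203237518/"
    "OnePlus3Oxygen_16.A.07_GLO_007_1606062247/V1.0.0_20150407\r\n"
    "Content-Type: text/plain; charset=UTF-8\r\n"
    "Host: i.ota.coloros.com\r\n"
    "\r\n"
    '{"version":"1","mobile":"ONEPLUS A3003",'
    '"ota_version":"OnePlus3Oxygen_16.A.07_GLO_007_1606062247",'
    '"imei":"490154203237518","mode":"0","type":"0","language":"en",'
    '"beta":"0","isOnePlus":"1"}'
)


def luhn_valid(digits: str) -> bool:
    """IMEIs end in a Luhn check digit; using it avoids flagging random 15-digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_imei_leaks(raw: str) -> dict:
    """Map each location (header name or JSON key) to the IMEI found there."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    leaks = {}
    # The OTA client embeds the IMEI as a path segment of the User-Agent.
    for run in re.findall(r"(?<!\d)\d{15}(?!\d)", headers.get("user-agent", "")):
        if luhn_valid(run):
            leaks["user-agent"] = run
    try:
        payload = json.loads(body)
    except ValueError:
        payload = {}
    imei = str(payload.get("imei", ""))
    if len(imei) == 15 and imei.isdigit() and luhn_valid(imei):
        leaks["body.imei"] = imei
    return leaks
```

Run over a pcap-extracted request on the wire, a non-empty result means the identifier left the device in the clear; on a proxy it is the signal to redact the value (as the posted headers do) before the log is stored.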
  20. arjanvlek
    Honeycomb Jul 13, 2016

    arjanvlek , Jul 13, 2016 :
    Okay, I used the standard Unix cURL command, and that didn't do much good.
    Well, I must have entered something wrong while using the CURL tool. It is indeed working using the PostMan app, which -by itself- is very nice and handy :)
    I am going to look into this, maybe OnePlus 2, 3 and X users also get a nice update information app :)