A security researcher has been uncovering and disclosing various pre-installed apps on OnePlus devices which allow for tracking, root access, and more, under the pseudonym of Elliot Alderson, after the protagonist in the Mr Robot TV show. The repos can be found here, and a feed of the discoveries with pictures and code snippets can be seen on Twitter.
…Weird. Any word on what OnePlus has had to say about it?
Yet another reason to never use the pre-installed OS. Problem is, you still don’t know if you can trust a piece of software, even if it’s open source… unless you compile it yourself. And you compiled the compiler yourself. [trust issues intensify]
I don’t believe there’s been any official response regarding any of these recent discoveries, though browsing the Twitter feed seems to suggest OnePlus has been in contact regarding the root access issue.
You’re certainly correct, but I think it’s about getting as close to sure as you can get without being severely inconvenienced or otherwise impacted. I’m not going to compile my own ROM, but using software that’s open source makes me much more comfortable than not, because at least we know there’s not a glaring security or privacy hole in the claimed implementation.
For example, I use ProtonMail, which is an encrypted email service located in Switzerland that doesn't require any personal information, and claims not to log IPs. Now, their encryption algorithm is closed-source, with their apps being open. While it would be ideal to have the algorithm public, and even then you couldn't be sure that their implementation in reality was the same, I still feel worlds better than using Gmail, which we know tracks us and sells our information.
Now, of course in theory, the best option for email would be to host one's own encrypted email on one's own server. However, in practice this would be a ton of work and most likely far less secure in reality, because you really need to be diligent with server monitoring and security updates. As such, I'd much rather take my slim chances that something nefarious is going on behind the scenes, and have my services like email hosted by a reputable source with teams dedicated to securing the implementation who have greater knowledge (and time) than I'd be able to dedicate.