
TL;DR: OxygenOS tracks your every activity in every app, and there are no settings to disable the tracking.

To get rid of it you have to uninstall the tracking app via adb: (no root access needed)

  $ adb start-server
  $ adb shell
  > pm uninstall -k --user 0 net.oneplus.odm

Note: This requires adb to be installed, your phone to be connected and USB debugging to be enabled.

I caught them doing this a while ago when I first got my OnePlus 3:


You _are_ featured in the article with that exact tweet, right? :)

Haha, yeah. Jumped the gun and pasted the tweet while making breakfast before reading it.

That was a bit surreal.

This is great, but what is to prevent them from re-installing in an update? Or throwing it in a service that can't be uninstalled?

In my mind, the only options are either dumping your OnePlus or flashing a third party ROM (I plan to flash Lineage tonight and probably start shopping for a replacement for my OP3 as well)

Flashing a third party ROM is probably your best bet.

I'm curious as to what phones you're considering to replace your OP3 with, though.

For myself, I've been looking for something that has "much better than average" security and, unfortunately for any mobile platform, that looks like it's probably not going to happen.

The closest ROM I've found is CopperheadOS, but it is only supported on a few devices.

I'm probably just going to flash Lineage. I have plenty of past experience with CM so it should be fairly familiar and it apparently works extremely well on the OnePlus 3 (I've seen the OP3 labeled the perfect phone for Lineage in the past, so hopefully that is true)

In terms of phones, I don't know. The Pixel 2 XL, Galaxy S8, Note 8, and LG V30 are probably the best Android devices available right now. I haven't done much research so I don't have much of an opinion right now. I'm feeling fairly jaded right now and half-considering switching to an iPhone and away from a lot of Google services because Apple seems to at least half-care about privacy. I know in the end that is likely BS but what can you do at this point short of going back to a dumb phone (which you really can't do if you are an app dev trying to stay on top of current trends)?

> I'm feeling fairly jaded right now and half-considering switching to an iPhone and away from a lot of Google services because Apple seems to at least half-care about privacy.

Exactly my stance. I am sure Apple is shady as well but it's my opinion (partially supported by numerous stories here on HN) that Google collects and sells anything they can get their hands on.

I'm buying iPhone X for me and my girlfriend (when it finally comes out). We already have iPad Pros. We'll just go full Apple except the gaming PCs. We will change all passwords from inside one of the iDevices as an additional security measure. Most likely gonna use YubiKey 4 as well -- although I am still not informed enough to make the decision.

Already using DuckDuckGo 95% of the time -- sadly it is not as good as Google but really, most of the time it gives me what I need. Still not sure Firefox is up to the task to replace Chrome, but I'm keeping an eye out and using the beta (Quantum).

End-game is gonna be to replace Gmail with something else.

I feel I can't trust Google with telling me the time these days so I am migrating away from them.

I wonder if there's an opportunity to reduce the privacy problem by having the phones log data to an intermediate server. The intermediate server will be open-source and run by a trusted entity (EFF, Apache Foundation, whoever). OnePlus will be able to submit whatever code they want to this server after a public privacy-focused code review by the trusted entity.

The proxy server will aggregate and anonymise the data before uploading it to upstream OnePlus servers. For example, it can strip out IP addresses. Eliminate data points which are too few and can therefore be dangerous. Maybe if too few people are using an app, records about the usage of that app aren't uploaded to upstream OnePlus servers. If OnePlus wants to know how many photos an average user is taking, the intermediate server could just upload that information, or percentiles, not data about each individual user. These are all not possible to do on-device.

With this, we don't have to worry about what code is running on the phone, or what OnePlus servers are doing, both of which are closed-source and unavailable to us to inspect. But the intermediate server will be open-source.
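The aggregation step this comment describes, as an added example that is not part of the original thread: a filter that drops device IDs and IP addresses and suppresses any app reported by fewer than K distinct devices. The record layout, the threshold K and the sample events are all assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: what an intermediate server could release upstream.
# The tab-separated record layout and the threshold K are assumptions.

# Constructed sample events: device_id, source IP, app, launch count.
sample_events() {
    printf '%s\t%s\t%s\t%s\n' \
        d1 192.0.2.10   com.example.camera  5 \
        d2 192.0.2.11   com.example.camera  2 \
        d3 198.51.100.7 com.example.camera  1 \
        d1 192.0.2.10   com.example.camera  3 \
        d1 192.0.2.10   com.example.rareapp 9 \
        d2 192.0.2.11   com.example.rareapp 1
}

# aggregate K: reads events on stdin, prints "app<TAB>devices<TAB>launches".
# Device IDs and IPs are only used for counting and never reach the output.
# Apps seen on fewer than K distinct devices are suppressed entirely, because
# a small group can be traced back to individual users.
aggregate() {
    awk -F '\t' -v k="$1" '
        NF == 4 {
            # Count each device once per app, however many reports it sent.
            if (!(($3, $1) in seen)) { seen[$3, $1] = 1; devices[$3]++ }
            launches[$3] += $4
        }
        END {
            for (app in devices)
                if (devices[app] >= k)
                    printf "%s\t%d\t%d\n", app, devices[app], launches[app]
        }' | sort
}

if [ "${1:-}" = "--demo" ]; then
    sample_events | aggregate 3
fi
```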

Who will pay for that and how are you going to force manufacturers to participate in such a scheme? Most people "have nothing to hide" and don't care about privacy, so they won't be happy as manufacturers pass the cost of this on to them. A more realistic way (though not easy either) is to install a firewall on a proxy all traffic is run through and filter suspicious/unknown connections.

Manufacturers or software developers who're especially privacy-conscious, or collecting data that they wouldn't be able to get otherwise, might use this scheme. Maybe the folks who run the upstream server will also pay for the intermediate server. It shouldn't cost much for an entity that's already operating at scale, whether in users or revenue.

"Manufacturers or software developers who're especially privacy-conscious"

Those are few and far between. I still don't see how you are going to get major players into this. Niche -- maybe, but we already have a few of these (other comments in this thread mention them). Also, such a server would be a very sweet target for hackers and a high security requirement raises upkeep by quite a bit.

No more a target for hackers than upstream log servers. In fact, it will be easier to audit, since it's open-source and does less (only aggregate and anonymise data and pass it on).

Yes, it will be niche to begin with, but everything starts that way. If minor players adopt this, over time, it can put pressure on the big players to do so as well. It's a long game.

For example, MS opened an Azure datacenter in Germany where MS doesn't have access to user data. So, people are starting to do things to restrict their own access.

According to @01abhishekjain on Twitter[0] you can also do it in a single command:

  adb uninstall -k --user 0 net.oneplus.odm

Can anybody confirm that? I've already run the three commands above on my phone.

[0]: https://twitter.com/01abhishekjain/status/917785829455446016
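A way to verify the removal discussed in this thread, and to re-check it after a system update (the concern raised earlier about the package being re-installed), as an added example that is not part of any comment here. It assumes `adb` is on the PATH and a single device is attached; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report whether a package is active for user 0, and
# optionally remove it with the command quoted in the thread.
PKG="${PKG:-net.oneplus.odm}"   # package name taken from the thread

# Reads `pm list packages` output on stdin; succeeds only on an exact match.
# tr strips the CR that older adb versions append; grep -x avoids matching
# longer names that merely start with the same prefix.
is_listed() {
    tr -d '\r' | grep -Fxq "package:$1"
}

# $1 = package, $2 = `pm list packages --user 0` output,
# $3 = `pm list packages -u --user 0` output (also lists uninstalled packages).
classify() {
    if printf '%s\n' "$2" | is_listed "$1"; then
        echo installed
    elif printf '%s\n' "$3" | is_listed "$1"; then
        # Still present on the system image, but removed for this user.
        echo removed-for-user
    else
        echo absent
    fi
}

device_state() {
    cur=$(adb shell pm list packages --user 0) || return 1
    all=$(adb shell pm list packages -u --user 0) || return 1
    classify "$PKG" "$cur" "$all"
}

if [ "${1:-}" = "--apply" ]; then
    state=$(device_state) || { echo "adb failed: is USB debugging enabled?" >&2; exit 2; }
    echo "before: $PKG is $state"
    if [ "$state" = installed ]; then
        adb shell pm uninstall -k --user 0 "$PKG"
        echo "after:  $PKG is $(device_state)"
    fi
fi
```

Running it with `--apply` again after each OTA update shows whether the package has come back as `installed`.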

Can one use this method to uninstall other "uninstallable" apps from their phone? I fucking want to get rid of Samsung Pay.

+1 (but for other apps, like some google baked-in stuff)
