OTA and IMEI over HTTP

  1. b1nny Eclair Jul 4, 2016

    b1nny, Jul 4, 2016 :
    While checking what kind of network traffic is being sent when checking for updates I happened to notice that my IMEI is being sent over plain HTTP for some reason? I don't think this needs any explaining why this is a very bad idea, since it means anyone else on the same network as me could easily intercept my IMEI (think of untrusted wifi networks, for example).

    Why aren't you guys using HTTPS for this?
     

    #1
  2. 1n9i9c7om Honeycomb Jul 5, 2016


    #2
    emplify and r.aditya1987 like this.
  3. OPFanBoyTillEnd Honeycomb Jul 5, 2016

    OPFanBoyTillEnd, Jul 5, 2016 :
    Does this happen every time it is checked for updates?
     

    #3
  4. b1nny Eclair Jul 5, 2016

    b1nny, Jul 5, 2016 :
    Yes. When you press the "check for updates" button a POST request is made to "http://i.ota.coloros.com/post/Query_Update" which contains the IMEI of the device in question both in the user agent and in a header called "imei".

    You can check it for yourself by using a tool such as mitmproxy and telling your device to proxy all its traffic through mitmproxy. Every time you press the button you'll see the post request appear and you can see what they're sending.
     

    #4
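
Added example, not part of the post above and not OnePlus or mitmproxy code: a small Python check that flags IMEI-like values (15 digits passing the Luhn check) in the headers or body of a request captured over plain HTTP, which is the condition post #4 describes. The sample request is constructed; only the host, path and the `imei` header name come from the thread, and the User-Agent format, JSON body and the test IMEI are assumptions.

```python
import re

# 15 consecutive digits not embedded in a longer digit run
IMEI_RE = re.compile(r"(?<!\d)\d{15}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """IMEIs carry a Luhn check digit; this filters out random 15-digit numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (request line, header pairs, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = [tuple(p.strip() for p in l.split(":", 1)) for l in lines[1:] if ":" in l]
    return lines[0], headers, body

def find_cleartext_imei(raw: str, scheme: str):
    """Return (location, value) pairs for IMEI-like values sent without TLS."""
    if scheme.lower() != "http":
        return []               # HTTPS traffic is not readable by an on-path observer
    _, headers, body = parse_request(raw)
    findings = []
    for name, value in headers:
        for candidate in IMEI_RE.findall(value):
            if luhn_ok(candidate):
                findings.append((f"header:{name.lower()}", candidate))
    for candidate in IMEI_RE.findall(body):
        if luhn_ok(candidate):
            findings.append(("body", candidate))
    return findings

# Constructed sample request (test IMEI, hypothetical User-Agent and body)
SAMPLE = (
    "POST /post/Query_Update HTTP/1.1\r\n"
    "Host: i.ota.coloros.com\r\n"
    "User-Agent: ExampleUpdater/1.0 490154203237518\r\n"
    "imei: 490154203237518\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"version": "constructed"}'
)

if __name__ == "__main__":
    for location, value in find_cleartext_imei(SAMPLE, "http"):
        print(f"IMEI-like value in {location}: {value}")
```
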
  5. OPFanBoyTillEnd Honeycomb Jul 5, 2016

    OPFanBoyTillEnd, Jul 5, 2016 :
    Thanks.
    And I'm assuming it happens as well when updates are checked automatically.

    Huge LOL OnePlus.
    Let's just wait for someone to blacklist all your phones.
     

    #5
  6. runboy93 Jelly Bean Jul 5, 2016


    #6
  7. ollipedia Cupcake Jul 5, 2016

    ollipedia, Jul 5, 2016 :
    People... by all means - don't get the overall brilliant impression of the OnePlus 3 vaporized by such a cheap and uncommon kind of checking for updates. I mean we're living in a world where nearly everything is transmitted with a decent encryption - why the hell does the device check for updates using plain http? I hope this is just a fake or a mean rumor, otherwise I fear I won't get what's inside your heads when building such a construct...
     

    #7
  8. heywood10 Cupcake Jul 5, 2016

    heywood10, Jul 5, 2016 :
    You would not expect this from developers formerly working on Paranoid Android...
    This needs to be fixed asap!
    If you are not willing or capable, at least release the Dash charging binaries and we all can head over to CM.
     

    #8
  9. Jrocci Honeycomb Jul 5, 2016


    #9
  10. freedompie Gingerbread Jul 5, 2016

    freedompie, Jul 5, 2016 :
    Devs are probably used to the Chinese standard where security doesn't exist. If you use HTTPS, how would the Chinese government sniff your packets?
     

    #10
  11. obiwan+ Honeycomb Jul 6, 2016

    obiwan+, Jul 6, 2016 :
    What's the worst that can happen when others know your IMEI? Can they open a backdoor on your device? Can they steal any form of identity?
     

    #11
    christinawright, MarkusRanz and 0xTJ like this.
  12. xdotmatt Donut Jul 6, 2016

    xdotmatt, Jul 6, 2016 :
    Curious to see if OnePlus responds to this and why they chose an unsecured connection.
     

    #12
  13. b1nny Eclair Jul 6, 2016

    b1nny, Jul 6, 2016 :
    You can verify for yourself whether this is a rumor or not (hint: it's not). Let me quote what I've posted over on XDA:

    (image link, in case it gets messed up somewhere)
    (link)

    If you have any further questions, feel free to ask!
     

    #13
    p51d007 likes this.
  14. nate0 Froyo Jul 6, 2016

    nate0, Jul 6, 2016 :
    The plain/clear text transmission there is not a good thing. Even if you are on a secure wifi, there is still a risk of a man-in-the-middle attack. Is it standard to have the IMEI transmitted at all?
     

    #14
  15. Professorchaos1 Honeycomb Jul 6, 2016

    Professorchaos1, Jul 6, 2016 :
    Realistically, most people would upgrade the OS over their WPA2-secured WiFi home network, so the chances are very slim. In which case, someone would need to break the encrypted WiFi to access your IMEI information and if the hackers outside your apartment were so cynical, they could theoretically report your IMEI as stolen or lost and cause you a headache trying to have it de-blacklisted because you won't be able to use it or register it at all on any network once it's reported as stolen.

    But I definitely understand that OP/OPPO should be transmitting the data with HTTPS, as it's not even best practices for the industry but it should be an industry-standard in 2016.
     

    #15
    Tokolozi and obiwan+ like this.
  16. nate0 Froyo Jul 6, 2016

    nate0, Jul 6, 2016 :
    To the individual this is not good that the security of the phone could be compromised even to the slightest.

    However, from what I read the IMEI is more mapped to the phone and not to you, not as your SIM card would be, which has your phone number and any other data stored there. Still, compromising the phone itself could spell hardship for OnePlus in a consumer/business point of view.
     

    #16
    obiwan+ likes this.
  17. Professorchaos1 Honeycomb Jul 6, 2016

    Professorchaos1, Jul 6, 2016 :
    But I mean, it's not the end of the world...there are far worse things...I just realized the phone repair shop I went to have my old Moto X fixed copied down my IMEI on carbon paper on the sales invoice. So they have a copy of my IMEI floating around somewhere and I suppose any of your friends that has physical access to your phone can also "steal" your IMEI.
     

    #17
    Tokolozi likes this.
  18. Jotebe Eclair Jul 6, 2016


    #18
  19. witalit Froyo Jul 6, 2016

    witalit, Jul 6, 2016 :
    This is pretty shocking. I hope someone from OnePlus responds to this, as it's very important to get this changed.
     

    #19
  20. clovertown Cupcake Jul 6, 2016

    clovertown, Jul 6, 2016 :
    Probably true, http://i.ota.coloros.com/ resolves to 115.231.102.185 for me, which is hosted in Hangzhou, China. The Chinese firewall doesn't like HTTPS.
     

    #20