Every Time You Check to See if Your OnePlus 3 Has an Update, You Expose Your IMEI


According to users on reddit and the OnePlus forums, every time an owner of a OnePlus 3 checks to see if they have an update via the Settings menu, their IMEI is sent to the OnePlus servers in plain HTTP and not HTTPS. Because of this, OnePlus 3 owners on an unsecured network (a coffee shop with public WiFi access point, for example), potentially expose their device’s specific IMEI number to would-be evil doers. 

With an IMEI in the hands of someone not so trustworthy, a device could be blacklisted (marked as stolen, lost, etc.) in a carrier’s database, making the possibility of activating it on a network extremely difficult. This action can be reversed by the true owner of a device, but you can imagine it’s not the easiest process to deal with when it involves US carriers.

To sum up what’s happening here, every time you select “check for updates,” a POST request is sent to a specific URL from the OnePlus 3. This request contains the IMEI of the device in the user agent, as well as in a header labeled “imei.”

For this to negatively affect a OnePlus 3 owner, he or she would need to be on an unsecured network, check for an update, and at the same exact time, an individual would need to be fishing for this information on that same network. In the real world, the chances of something like this happening to OnePlus 3 owners seems small, but still, this is plain sloppy work from the folks at OnePlus and should be fixed immediately.

At this time, OnePlus has not addressed this issue, and until a fix is provided (which would most likely require a security update), be sure to only check for software updates while on a secured network.

0 Comment

Leave a Reply

Captcha image


  • 5300c769af79e

    Walkthrough: Setting Up Google WiFi and First Impressions

    With this post, I’ll go over the basics of setting up Google WiFi, then provide my initial thoughts.To begin, you hook-up your first Google WiFi router (aka WiFi point) directly to your modem with a provided Cat 5 (Category 5) cable.
  • 5300c769af79e

    KeepSolid VPN Unlimited (for Android)

    The KeepSolid VPN Unlimited app secures your Android from prying eyes looking at your Internet traffic and offers several advanced tools to keep you safe.A feature of the KeepSolid's pricing that I really like is the week-long Vacation plan for $1.
  • 5300c769af79e

    Play Video in Background With Chrome Beta for Android

    The latest Chrome Beta for Android lets users play Web videos in the background.Simply open the mobile Chrome browser, start playing a Web video, and return to the phone's home screen or open another application without losing audio.
  • 5300c769af79e

    US Pushes Cybersecurity Acquisition Tools as Contracts Flow

    While those requirements remain in force, federal agencies, especially the General Services Administration, are trying to improve the processing of cyberprotection acquisitions through expansions or enhancements to various federal procurement vehicles.The administration last month revealed it had engaged Adobe for a "new, government-wide enterprise software acquisition agreement for best-in-class, data-centric security and electronic signature solutions.