According to a new report by Piunikaweb, some OnePlus smartphones are downloading GPS data from servers over insecure HTTP.
It is suggested that OnePlus engineers were able to override the standard AOSP (Android Open Source Project) policies and install the debug build of gps.conf into OnePlus’s OxygenOS operating system.
This resulted in a Chinese OnePlus engineer force-enabling the insecure XTRA data servers.
The XTRA data servers are used to download GPS, GLO, and BDS data. Because that download is not secured, a malicious attacker could change the position data of a user's GPS, which could be used to divert users onto a different, wrong path.
The report further suggests that LineageOS contributor Louis Popi helped verify the issue of data being downloaded via insecure servers.
Following this, Piunikaweb filed a bug report on the OnePlus forum, and a OnePlus moderator, Funk Wizard, replied that the issue will be fixed soon.
He stated, “For the downloading under XTRA, the device is reading the address in Modem NV config, which is going through HTTPS instead of HTTP, and GPS.conf has already been ignored so that the XTRA config won’t be working. Thanks for the feedback anyways, and we will synchronize the GPS.conf to HTTPS in the upcoming updates to fix the issue.”
However, it is suggested that the issue is still taking place, and there is no word on whether or not OnePlus installed the debug build on purpose.
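One way to check a gps.conf pulled from a device for the cleartext XTRA entries discussed above is sketched below. It is an added example, not code from the report or from OnePlus. It assumes the `XTRA_SERVER_n` key convention used in gps.conf files, and the sample file and host names are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, not taken from any OnePlus build. Hosts are placeholders.
SAMPLE_GPS_CONF = """\
# XTRA assistance data
XTRA_SERVER_1=http://xtra1.example.invalid/xtra.bin
XTRA_SERVER_2 = HTTP://xtra2.example.invalid/xtra.bin
XTRA_SERVER_3=https://xtra3.example.invalid/xtra.bin
#XTRA_SERVER_4=http://disabled.example.invalid/xtra.bin
NTP_SERVER=time.example.invalid
"""

_XTRA_KEY = re.compile(r"^XTRA_SERVER_\d+$")


def audit_xtra_servers(conf_text):
    """Return (line_no, key, url, verdict) for every active XTRA_SERVER_n entry."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented-out entry: not in effect
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not _XTRA_KEY.match(key):
            continue  # not an XTRA server setting
        scheme = urlsplit(value).scheme.lower()
        if scheme == "https":
            verdict = "ok"
        elif scheme == "http":
            verdict = "cleartext"  # download can be read or altered in transit
        else:
            verdict = "unknown-scheme"
        findings.append((line_no, key, value, verdict))
    return findings


def cleartext_entries(conf_text):
    """Only the entries that fetch XTRA data over plain HTTP."""
    return [f for f in audit_xtra_servers(conf_text) if f[3] == "cleartext"]


if __name__ == "__main__":
    for line_no, key, url, verdict in audit_xtra_servers(SAMPLE_GPS_CONF):
        print(f"line {line_no}: {key} -> {verdict} ({url})")
```

Per the moderator's reply, a device may take the XTRA address from the modem NV config instead, so the gps.conf result is one data point and not proof of what the device actually fetches.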
We will keep you updated once something is official from OnePlus.