Update: OnePlus has released an official statement completely refuting the claims made by Elliot Alderson. Here is their full statement
There’s been a false claim that the Clipboard app has been sending user data to a server. The code is entirely inactive in OxygenOS, our global operating system. No user data is being sent to any server without consent in OxygenOS.
In HydrogenOS, our operating system for the China market, the identified folder exists in order to filter out what data not to upload. Local data in this folder is skipped over and not sent to any server.
In short, the code is part of Hydrogen OS open beta (meant for China) which was recently merged with Oxygen OS (meant for global) and is completely inactive. That means no data was getting uploaded from the clipboard app. In fact, the badwords.txt file is meant to filter out the type of text NOT to upload, even for Chinese users.
Earlier: OnePlus has had a rather controversial past year. The China-based smartphone maker was involved in a multitude of privacy blunders, many of which compromised users’ personal data and, in the most recent case, their credit cards. However, it’s not done just yet. Security researcher Elliot Alderson has apparently discovered yet another security oversight, this time concerning OnePlus’ newly added Clipboard app.
The Clipboard app was introduced with one of the latest Beta builds for OnePlus’ flagship 5T smartphone. Anderson’s report claims that the app is designed to be on the lookout for specific keywords and transmit the copied data along with a few other details whenever it matches one.
The information is being relayed to a server in China owned by Teddy Mobile, a company that develops an app for identifying unknown caller identities with the help of Big Data algorithms (similar to Truecaller, but for China). In the past, Teddy Mobile partnered with a range of China-based smartphone OEMs, including Oppo, Vivo, Xiaomi, Lenovo, and more.
So here’s what is exactly happening — Whenever a user copies any text, the Clipboard app is invoked to process it. While the app does that, it scrutinizes the content for a pattern such as an address, email, bank account number, and such. Whenever it comes across a matching string, the Clipboard app fetches a few more device-specific data like its IMEI, device ID, phone number, network details, IP address, and more. Once done, the app packs the copied text along with this myriad of private data and sends it to Teddy Mobile’s servers in China.
Therefore, for instance, if you copy your bank account, the Clipboard app will be triggered and share it with Teddy Mobile. Whether it’s an oversight or intentional, we don’t know yet. Unfortunately, this isn’t the first time it’s happened. Only a few weeks before, Eliot had revealed that OnePlus was channeling whatever text user copies to an Alibaba-owned database. In its defense, OnePlus said the feature was meant only for Chinese users and was accidentally added to the global ROM. At the risk of taking a guess, I think the present case is similar as Teddy Mobile looks like a harmless startup dealing with caller identities, just like Truecaller. But its presence inside a clipboard app will raise some eyebrows.
Fortunately, the new Clipboard app hasn’t made its way to the public building yet. Henit’st’s safe to say that the majority of users have not been affected, and OnePlus should, in all probability, remove the controversial code from the public build.
We had reached out to OnePlus for a comment but haven’t heard back from them yet. Be sure that this article will get updated when we hear back from them.