OnePlus has denied claims of sending a user’s clipboard data to a Chinese server.
After a credit card data breach, OnePlus has now come under scrutiny for allegedly sending clipboard data back to a Chinese server. Reacting to the allegations, OnePlus said that no user data was being sent to any server without consent in OxygenOS.
A French security researcher who goes by the name Elliot Alderson alleged that a file in the OxygenOS beta called badword.txt may have helped the company to identify some data and send it back to a Chinese server without a user’s consent.
The badword.txt file includes a list of words such as “Chairman”, “Vice President”, “Deputy Director”, “Associate Professor”, “Shipping”, “Address”, “Email”, and others. The file was found in a compressed archive file called “pattern” along with a number of other files. It has been revealed that “all these files are used in an obfuscated package which seems to be an #Android library from teddymobile”, Alderson tweeted.
For those who are not aware, TeddyMobile is a Chinese company that currently works with leading phone manufacturers, including OnePlus, Oppo, Vivo, Gionee, Xiaomi, and Lenovo, among others. It appears that the company has been able to recognise words and details in text messages. OnePlus has been accused of sending users’ IMEI numbers (including bank account details) to a Chinese server owned by TeddyMobile.
The @OnePlus #clipboard app contains a strange file called badword.txt 🤔
In these words, we can find: Chairman, Vice President, Deputy Director, Associate Professor, Deputy Heads, General, Private Message, shipping, Address, email, …https://t.co/ePQvD1citn pic.twitter.com/3dCh0joVkH
— Elliot Alderson (@fs0c131y) January 25, 2018
Given the sensitivity of the issue, OnePlus responded with a statement (via Reddit) that reads:
“There’s been a false claim that the Clipboard app has been sending user data to a server. The code is entirely inactive in the open beta for OxygenOS, our global operating system. No user data is being sent to any server without consent in OxygenOS. In the open beta for HydrogenOS, our operating system for the China market, the identified folder exists in order to filter out what data to not upload. Local data in this folder is skipped over and not sent to any server”.
This badword.txt is duplicated in a zip file called pattern. This archive contains 7 files:
– badword.txt
– brackets.txt
– end.txt
– follow.txt
– key.txt
– start.txt pic.twitter.com/pqJgdGJyuj
— Elliot Alderson (@fs0c131y) January 25, 2018
TeddyMobile is a Chinese company, they worked with a lot of manufacturers including @oppo. https://t.co/ws3JIbM7Z0 pic.twitter.com/A4SOJeqBw2
— Elliot Alderson (@fs0c131y) January 25, 2018
As far as I understand, teddymobile is making number identification in SMS
The picture below can be translated like this:
– Total number of SMS 20M+
– SMS identification accuracy 100%
– Identification number recognition rate of 70%
– recognition accuracy of 95% pic.twitter.com/KdQV4Zj1Xc
— Elliot Alderson (@fs0c131y) January 25, 2018