While fighting tooth and nail to take on the competition, OnePlus is facing a serious allegation that it sends users' clipboard data to China. A Twitter post on Thursday claimed that the company is identifying and uploading clipboard data such as bank account numbers and emails to a Chinese server. However, the Shenzhen-based company has now refuted the claim and plainly stated that the code in question was inactive for its global users running OxygenOS. The new issue comes days after the company itself confirmed a credit card breach through its online store that impacted "up to 40,000 users" around the globe.
A French security researcher going by the name Elliot Alderson on Thursday alleged that a file in the OxygenOS beta called badword.txt helped OnePlus identify certain data from the default Clipboard app and upload it to a Chinese server. The suspicious file contains keywords such as Chairman, Vice President, Deputy Director, Associate Professor, Deputy Heads, General, and Private Message, among others. A duplicate copy of it was found in a zip file called pattern, which holds text files including badword.txt, bracket.txt, end.txt, follow.txt, key.txt, and start.txt. All these files are claimed to be used in an "obfuscated package" that appears to be an Android library from Chinese research company TeddyMobile. "According to the code, @OnePlus is sending your IMEI and the phone manufacturer to a Chinese server owned by teddymobile [sic]," the researcher tweeted.
OnePlus, for its part, responded to the allegation with a simple statement that confirms the existence of the file in the recent beta versions of OxygenOS but describes it as a blacklist file. "There's been a false claim that the Clipboard app has been sending user data to a server. The code is entirely inactive in the open beta for OxygenOS, our global operating system. No user data is being sent to any server without consent in OxygenOS," the company said in a press statement, a copy of which is available on Reddit.
Additionally, OnePlus states that the open beta for HydrogenOS, which is a Chinese version of the company's OxygenOS custom ROM, contains the identified folder in order to filter out data and block competitor links in Chinese messaging services such as WeChat. This means that the filter process is not used anywhere outside China.
Having said that, it is still a valid question why OnePlus included code meant exclusively for its Chinese users in the recent beta OxygenOS build. The company might answer this simply by removing the code from a future build. Meanwhile, it is quite clear that the Clipboard app is not sending your data to a third-party server.
This is not the first time OnePlus has been caught in trouble for using questionable code in its OxygenOS ROM. Last November, a diagnostic app called EngineerMode was spotted on the OnePlus 3, OnePlus 3T, and OnePlus 5 that was apparently allowing root access without even unlocking the phone. The company had acknowledged that issue and confirmed its fix through an OTA update.
Similarly, a recent OxygenOS beta version was shipped with a Clipboard feature that was specifically designed for HydrogenOS. The company had confirmed that flaw and promised an update to remove the China-centred feature.