[Official Statement] OnePlus Denies Sending Clipboard Data To Chinese Servers
Earlier today OnePlus was once again accused of sending clipboard data to Chinese servers without permission from the user. Security analyst Elliot Alderson made a series of claims on Twitter which included that OnePlus was collecting identifiable information (like IMEI) and bank account numbers. According to Alderson, OnePlus' clipboard app checks the text copied to the clipboard and scans it for particular information like bank account numbers. If there is a match, the clipboard contents and identifiable information are sent to Chinese servers owned by TeddyMobile. TeddyMobile is the Chinese equivalent of caller identification service Truecaller.
It's worth noting here that Alderson was making the tweets while performing his investigation. Alderson shared his results as he discovered them. While Alderson was digging deeper into the issue, his initial claims were shared on Reddit. Unaware of the fact that Alderson wasn't yet done with his investigation, Redditors barraged OnePlus with hate comments. Alderson's incomplete investigation was further popularized by media portals who shared it as news without investigating it themselves. Fortunately though, OnePlus acted swiftly and saved themselves from scathing criticism. OnePlus issued the following statement:
There’s been a false claim that the Clipboard app has been sending user data to a server. The code is entirely inactive in the open beta for OxygenOS , our global operating system. No user data is being sent to any server without consent in OxygenOS. In the open beta for HydrogenOS, our operating system for the China market, the identified folder exists in order to filter out what data to not upload. Local data in this folder is skipped over and not sent to any server.
Soon after OnePlus' official statement, Alderson tweeted his final findings:
The conditions to send your data to teddymobile server are:— Elliot Alderson (@fs0c131y) January 26, 2018
- clip data is not numeric
- not an email
- Chinese @OnePlus phone
- clipboard data matched the express pattern.
It good to say that parserOnline method is used 3 times in the code, so this is only 1 of the 3 usecases pic.twitter.com/Rp9HvZTF48
In case you are wondering why OnePlus collects clipboard data in China, we recommend you to read our analysis on "what OnePlus' clipboard app sends and receives, and why."
The 'clipboard' app in question was found in the last OxygenOS Open Beta for the OnePlus 5 and 5T. A similar issue was raised two weeks ago wherein the clipboard app in an OxygenOS Open Beta for OnePlus 3/3T was suggested of sending clipboard data to Alibaba servers without the user's consent. The issue raised today is similar (or should I say "same") to what we saw two weeks ago. The analysis article linked above provides an explanation for the clipboard app found in OxygenOS Open Betas for OnePlus 3/3T and 5/5T.
Source: Reddit
[Official Statement] OnePlus Denies Sending Clipboard Data To Chinese Servers
Reviewed by Krittin Kalra
on
1/28/2018 01:35:00 PM
Subscribe To Us
Get All The Latest Updates Delivered Straight To Your Inbox For Free!