In the midst of fighting tooth and nail to take on the competition, OnePlus has been facing a serious allegation over allegedly sending users’ clipboard data to China. A Twitter post on Thursday claimed that the company is identifying and uploading clipboard data such as bank account numbers and emails to a Chinese server. However, the Shenzhen-based company has now refuted the claim and plainly stated that the code in question was inactive for its global users running OxygenOS. The new issue comes days after the company itself confirmed a credit card breach through its online store that impacted “up to 40,000 users” around the globe.
A French security researcher going by the name Elliot Alderson on Thursday alleged that a file in the OxygenOS beta called badword.txt helped OnePlus identify certain data from the default Clipboard app and upload the same to a Chinese server. The suspicious file contains keywords such as Chairman, Vice President, Deputy Director, Associate Professor, Deputy Heads, General, and Private Message among others, and its duplicate copy is found to be created in a zip file called pattern that further includes text files, including badword.txt, bracket.txt, end.txt, follow.txt, key.txt, and start.txt. All these files are claimed to be used in an “obfuscated package” that appears as an Android library from Chinese research company TeddyMobile. “According to the code, @OnePlus is sending your IMEI and the phone manufacturer to a Chinese server owned by teddymobile [sic],” the researcher tweeted.
OnePlus, on its side, responded to the allegation with a simple statement that confirms the existence of the file in the recent beta versions of OxygenOS but as a blacklist file. “There’s been a false claim that the Clipboard app has been sending user data to a server. The code is entirely inactive in the open beta for OxygenOS, our global operating system. No user data is being sent to any server without consent in OxygenOS,” the company said in a press statement, a copy of which is available on Reddit.
Additionally, OnePlus states that the open beta for HydrogenOS, which is a Chinese version of the company’s OxygenOS custom ROM, contains the identified folder in order to filter out data and block competitor links in Chinese messaging services such as WeChat. This indeed means that there is no use of the filter process anywhere outside China.