Is OnePlus Spying on You? Not Today.

Jan 26, 2018

OnePlus is probably the only phone maker that consistently makes it to the wrong side of news stories every once in a while. The Chinese Android phone maker is easily becoming the Microsoft of the phone world, attracting regular data collection and telemetry controversies. However, more often than not these stories turn out to be either incorrect interpretations or fear-based speculations.

It’s not to say if OnePlus doesn’t engage in data collection practices, at all. As seen before, the company used to send a lot of user data to its servers, not to forget the latest credit card disaster… However, it does respond to any and all such concerns and works to promptly address them, as well. A practice that many tech giants sorely lack…

OnePlus in yet another clipboard data controversy

A Twitter post created a storm earlier today, claiming that OnePlus is identifying and uploading clipboard data (including bank details) to Chinese servers. The story was based on the existence of a file called badwords.txt in the OxygenOS beta.

The @OnePlus #clipboard app contains a strange file called badword.txt ?

In these words, we can find: Chairman, Vice President, Deputy Director, Associate Professor, Deputy Heads, General, Private Message, shipping, Address, email, …https://t.co/ePQvD1citn pic.twitter.com/3dCh0joVkH

— Elliot Alderson (@fs0c131y) January 25, 2018

As is typical in the online world, the tweet resulted in a fury of comments and threads on Reddit with many blaming the company for being “typically Chinese” and sending consumer data to China. The company – which appears to have become used to all these nonstories – was quick to fight back, saying that the file actually stops the OS from monitoring certain types of data and isn’t even active in OxygenOS.

“There’s been a false claim that the Clipboard app has been sending user data to a server,” the company spokesperson said (emphasis is ours). “The code is entirely inactive in the open beta for OxygenOS, our global operating system.”

No user data is being sent to any server without consent in OxygenOS.

In the open beta for HydrogenOS, our operating system for the China market, the identified folder exists in order to filter out what data to not upload. Local data in this folder is skipped over and not sent to any server.

While the original tweet made it look like the file was sending sensitive data over to OnePlus servers, the file actually works like a blacklist, informing the system to not monitor certain data for its smart clipboard service – this service itself is only offered to customers in China using HydrogenOS.

The researcher who had first investigated this file also clarified and asked followers to verify work before trusting someone’s interpretation. The researcher appears to have been thrown off by the file and its presence in OxygenOS, where it shouldn’t even be regardless of it being inactive.

Let's be clear about the @Oneplus #clipboard app:
– only a small part of the teddymobile SDK is used
– they used it for Chinese users without their consent
– it's used to parse the clipboard data
– no @oneplus is not stealing your bank account -_-

— Elliot Alderson (@fs0c131y) January 26, 2018

Earlier in the month, a similar story had appeared suggesting that OnePlus was shipping data to itself through clipboard. At the time, the company had said that the “experimental HydrogenOS feature” appearing in OxygenOS beta will be removed and that it’s “designed specifically for the Chinese market, where a unique competitive situation between two major web service providers has led to some ecommerce weblinks being blocked.” The feature was a “workaround developed by one of the parties involved sending a token so that link sharing would function fully.”

– An earlier Reddit thread talks about this workaround.