A few months ago, OnePlus’s extensive data collection practices came into the limelight, but the Chinese phone maker explained that it was using that data to improve its product and services. At the time, OnePlus promised an update that would allow users to opt out of this unwanted user experience program, and the clamor eventually died down.
Well, a new report now says that there’s still a OnePlus app that can grab data from the phone and send it to servers in China without a user’s knowledge or express consent.
The French security researcher hiding behind the name Elliot Alderson on Twitter detailed OnePlus’s data collection practices back in October, and he has now discovered a strange file in the OnePlus clipboard app.
A Badword.txt file contains various keywords, including “Chairman, Vice President, Deputy Director, Associate Professor, Deputy Heads, General, Private Message, shipping, Address, email,” and others. The file is then duplicated in a zip file called pattern alongside six other .txt files. All these files are apparently used “in an obfuscated package which seems to be an #Android library from teddymobile.”
Now, TeddyMobile is a Chinese company that works with plenty of smartphone makers from China. The company seems to be able to recognize words and numbers in text messages.
And OnePlus is apparently sending your phone’s IMEI number to a TeddyMobile server, too.
It looks like the TeddyMobile package might be able to grab all sorts of data from a phone.
Even bank numbers are apparently recognized.
Does that mean that a third party can get access to everything you copy and paste on OnePlus devices? We have no idea, and we won’t know for sure until OnePlus sheds some light on the situation. It’s also unclear why OnePlus clipboard data would be shared with any company to begin with, let alone a third party.
UPDATE: OnePlus reached out to BGR to say that the claim that the Clipboard app is sending user data to a server is false, and that the code is “entirely inactive” in the open beta for Oxygen OS. The company says that no user data is sent to any server without consent.
In the open beta for HydrogenOS, which is the OS for China, the folder exists “to filter out what data to not upload,” OnePlus added. Local data in the folder is skipped and not sent to any server.