A few months ago, OnePlus’s extensive data collection practices came into the limelight, but the Chinese phone maker explained that it was using that data to improve its product and services. At the time, OnePlus promised an update that would allow users to opt-out of this unwanted user experience program, and the clamor eventually died down.
Well, a new report now says that there’s still a OnePlus app that can grab data from the phone and send it to servers in China without a user’s knowledge or express consent.
The French security researcher hiding behind the name Elliot Alderson on Twitter detailed OnePlus’s data collection practices back in October, and he has now discovered a strange file in the OnePlus clipboard app.
The @OnePlus #clipboard app contains a strange file called badword.txt 🤔
In these words, we can find: Chairman, Vice President, Deputy Director, Associate Professor, Deputy Heads, General, Private Message, shipping, Address, email, …https://t.co/ePQvD1citn pic.twitter.com/3dCh0joVkH
— Elliot Alderson (@fs0c131y) January 25, 2018
The badword.txt file contains various keywords, including “Chairman, Vice President, Deputy Director, Associate Professor, Deputy Heads, General, Private Message, shipping, Address, email,” and others. The file is duplicated in a zip archive called pattern alongside six other .txt files. All of these files are apparently used “in an obfuscated package which seems to be an #Android library from teddymobile.”
All these files are used in an obfuscated package which seems to be an #Android library from teddymobile
— Elliot Alderson (@fs0c131y) January 25, 2018
Now, TeddyMobile is a Chinese company that works with plenty of smartphone makers from China. The company seems to be able to recognize words and numbers in text messages.
As far as I understand, teddymobile is making number identification in SMS
The picture below can be translated like this:
– Total number of SMS 20M+
– SMS identification accuracy 100%
– Identification number recognition rate of 70%
– recognition accuracy of 95% pic.twitter.com/KdQV4Zj1Xc
— Elliot Alderson (@fs0c131y) January 25, 2018
And OnePlus is apparently sending your phone’s IMEI number to a TeddyMobile server, too.
According to the code @OnePlus is sending your IMEI and the phone manufacturer to a Chinese server owned by teddymobile 😡 pic.twitter.com/Au0u1sdpNi
— Elliot Alderson (@fs0c131y) January 25, 2018
It looks like the TeddyMobile package might be able to grab all sorts of data from a phone.
In TeddyMobile's package com.ted, they have a class called SysInfoUtil. This class contains the following methods:
– getAndroidID
– getCPUSerial
– getDeviceId
– getHardwareSerialNumber
– getIMEI
– getIPAddress
– getMacAddress
– getPhoneNumbe
– getScreenPixels pic.twitter.com/9A8UhsOXae
— Elliot Alderson (@fs0c131y) January 25, 2018
Except getIPAddress and getScreenPixels, all the other methods are used.
They also send JSON messages to their servers with "telephone" and "messageText" fields…😡 pic.twitter.com/vuteISH0Tj
— Elliot Alderson (@fs0c131y) January 25, 2018
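For readers who want to check a decompiled app for the pattern described in these tweets, here is a small static-triage helper. It is an added example, not code from OnePlus, TeddyMobile or the researcher: it scans Java-like source text for the SysInfoUtil getter names listed above, for the "telephone" and "messageText" JSON field names, and for standard Java network APIs used as a generic "data leaves the device" marker. The page prints one getter truncated as getPhoneNumbe; the full name getPhoneNumber is assumed here, and the sample source being scanned is constructed for the demonstration.

```python
import re

# Device-identifier getters named on the page (SysInfoUtil in the com.ted package).
# The page shows one of them truncated as "getPhoneNumbe"; getPhoneNumber is assumed.
IDENTIFIER_GETTERS = (
    "getAndroidID", "getCPUSerial", "getDeviceId", "getHardwareSerialNumber",
    "getIMEI", "getIPAddress", "getMacAddress", "getPhoneNumber", "getScreenPixels",
)

# JSON field names quoted on the page.
SENSITIVE_JSON_FIELDS = ("telephone", "messageText")

# Standard Java/Android networking APIs, used as generic markers that data may leave the device.
NETWORK_SINKS = ("openConnection", "HttpURLConnection", "HttpsURLConnection", "new Socket")

_GETTER_RE = re.compile(r"\b(" + "|".join(IDENTIFIER_GETTERS) + r")\s*\(")
_FIELD_RE = re.compile(r'"(' + "|".join(SENSITIVE_JSON_FIELDS) + r')"')


def triage_source(source: str) -> dict:
    """Scan decompiled Java-like source text and report what it touches.

    Returns the identifier getters called, the sensitive JSON field names
    present, whether a network sink appears, and a one-line verdict that tells
    the reviewer where to look next.
    """
    getters = sorted(set(_GETTER_RE.findall(source)))
    fields = sorted(set(_FIELD_RE.findall(source)))
    sink = any(marker in source for marker in NETWORK_SINKS)

    if getters and sink:
        verdict = "device identifiers collected and a network sink present: trace the data flow"
    elif getters:
        verdict = "device identifiers collected, no network sink seen in this unit"
    elif fields and sink:
        verdict = "message/phone fields serialised next to a network sink"
    else:
        verdict = "nothing flagged"
    return {"identifiers": getters, "json_fields": fields, "network_sink": sink, "verdict": verdict}


# Constructed sample standing in for one decompiled method; not code from the app.
SAMPLE_SOURCE = """
public void report(Context ctx, String number, String text) {
    JSONObject json = new JSONObject();
    json.put("imei", SysInfoUtil.getIMEI(ctx));
    json.put("device", SysInfoUtil.getDeviceId(ctx));
    json.put("mfr", Build.MANUFACTURER);
    json.put("telephone", number);
    json.put("messageText", text);
    HttpURLConnection conn = (HttpURLConnection) new URL(ENDPOINT).openConnection();
    conn.getOutputStream().write(json.toString().getBytes());
}
"""

if __name__ == "__main__":
    for key, value in triage_source(SAMPLE_SOURCE).items():
        print(f"{key}: {value}")
```

A hit from this scan is a starting point, not a finding: the verdict only says that identifier collection and a network sink sit in the same unit, and confirming whether the values actually reach the wire still requires following the data flow or observing the traffic.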
Even bank account numbers are apparently recognized.
This is a good reminder…Please don't copy paste your bank account number…TeddyMobile has a dedicated method to recognize a bank account…😡 pic.twitter.com/U21J2jrXcN
— Elliot Alderson (@fs0c131y) January 25, 2018
Does that mean that a third party can get access to everything you copy and paste on OnePlus devices? We have no idea, and we won’t know for sure until OnePlus sheds some light on the situation. It’s also unclear why OnePlus clipboard data would be shared with any company to begin with, let alone a third party.
UPDATE: OnePlus reached out to BGR to say that the claim that the Clipboard app is sending user data to a server is false, and that the code is “entirely inactive” in the open beta for Oxygen OS. The company says that no user data is sent to any server without consent.
In the open beta for HydrogenOS, which is the OS for China, the folder exists “to filter out what data to not upload,” OnePlus added. Local data in the folder is skipped and not sent to any server.
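To make the explanation above concrete, here is how a keyword list like badword.txt can gate what is uploaded from a clipboard, following the reading OnePlus gives: a snippet that matches an entry is withheld. This is an added illustration, not OnePlus's or TeddyMobile's code. The list entries are only the words the article quotes, and the digit-run check stands in for the bank-account recogniser the tweets mention but do not describe; its 8-to-20-digit range is an assumption.

```python
import re

# Constructed keyword list modelled on the badword.txt entries the article quotes.
# The real file is longer; only the words named on the page are used here.
BADWORD_TXT = """
Chairman
Vice President
Deputy Director
Associate Professor
Deputy Heads
General
Private Message
shipping
Address
email
"""


def load_keywords(text: str) -> list:
    """One keyword per line, case-folded, blank lines ignored."""
    return [line.strip().casefold() for line in text.splitlines() if line.strip()]


def matching_keywords(snippet: str, keywords: list) -> list:
    """Return the keywords that occur in the snippet as whole words or phrases."""
    folded = snippet.casefold()
    return [k for k in keywords if re.search(r"(?<!\w)" + re.escape(k) + r"(?!\w)", folded)]


def account_like_digit_runs(snippet: str) -> list:
    """Find digit runs (spaces or hyphens allowed between digits) of 8 to 20 digits.

    Stand-in for the bank-account recogniser named on the page; the width range is assumed.
    """
    runs = []
    for match in re.finditer(r"\d(?:[ -]?\d)+", snippet):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 8 <= len(digits) <= 20:
            runs.append(digits)
    return runs


def should_withhold(snippet: str, keywords: list) -> tuple:
    """Decide whether a clipboard snippet is withheld from upload and say why."""
    reasons = [f"keyword: {k}" for k in matching_keywords(snippet, keywords)]
    reasons += [f"account-like digit run: {d}" for d in account_like_digit_runs(snippet)]
    return (bool(reasons), reasons)


if __name__ == "__main__":
    kws = load_keywords(BADWORD_TXT)
    # Constructed clipboard snippets for the demonstration.
    for text in ("Shipping address: 12 Example Road", "see you at 6",
                 "transfer to 1234 5678 9012 3456", "Dear Chairman, generally speaking"):
        withhold, why = should_withhold(text, kws)
        print(f"{'WITHHOLD' if withhold else 'allow   '} | {text!r} | {why}")
```

Note what such a list does and does not establish: it shows a filter over snippet content exists, but on its own it says nothing about which snippets pass the filter, where they go, or what identifiers travel with them. Those questions are answered by the code that consumes the list and by the network traffic, not by the file.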