UPDATE: OnePlus response to this controversy:
There’s been a false claim that the Clipboard app has been sending user data to a server. The code is entirely inactive in the open beta for OxygenOS, our global operating system. No user data is being sent to any server without consent in OxygenOS. In the open beta for HydrogenOS, our operating system for the China market, the identified folder exists in order to filter out what data to not upload. Local data in this folder is skipped over and not sent to any server.
OnePlus has reportedly been acquiring sensitive user information and transferring it to a Chinese company’s hosting server without user consent. Last year, software engineer and security researcher Christopher Moore stated in a blog post that OnePlus had accumulated details such as phone numbers, device serial numbers, mobile network names, wireless network ESSIDs and BSSIDs, and device IMEI numbers. OnePlus admitted to accumulating this data and stated that the firm does so in an effort to improve its software based on user behavior and to provide the best after-sales support. Now a French security researcher, Elliot Alderson (Founder/CEO of fsociety), has shared in a Twitter post a suspicious text file named badword.txt that is contained in the OnePlus Clipboard application.
Image courtesy: twitter/fs0c131y – Elliot Alderson
In his Twitter post, he stated that there are seven files, namely badword.txt, brackets.txt, end.txt, follow.txt, key.txt and start.txt, which are packed in a zip file named pattern. These files are used in an obscure package which appears to be an Android library from TeddyMobile. TeddyMobile is a Chinese firm that has tie-ups with several Chinese handset makers such as Oppo, Vivo, Gionee, Xiaomi, Meizu, and Lenovo. Based on Elliot Alderson's findings, TeddyMobile is building number verification in the form of SMS. OnePlus is transmitting users' IMEI along with the handset provider to a Chinese server run by TeddyMobile. TeddyMobile’s package, named com.ted, includes a class named SysInfoUtil. This class contains various methods to gather user details, such as getAndroidID, getCPUSerial, getDeviceId, getPhoneNumber, getScreenPixels, getHardwareSerialNumber, etc.
Of these methods, getIPAddress and getScreenPixels are currently not being used. Additionally, the library forwards JSON messages with “telephone” and “messageText” fields to TeddyMobile's hosting servers. He also strongly recommends that users not copy and paste their bank account numbers, since TeddyMobile also has a separate method to identify bank accounts.
This is not the first time that OnePlus has been caught up in a serious controversy. In the past, the firm was also suspected of pumping up the OnePlus 5’s benchmark ranks in applications such as Geekbench 4, but OnePlus denied the charge and explained that they were not running the cores at higher speed.