Weve learned in the past few years how much of a double-edged sword the internet could be with how quickly stories can go viral or be blown out of proportion. Last time, a particular Twitter user thought he found information that proved OnePlus was sending usage stats to a server in China. While he did find the framework for a system app to send this information. It was actually disabled and inactive.
The same Twitter user uncovers similar information when (seemingly) messing with a decompiled version of the clipboard app. Unfortunately, the OP only provided the framework and code but was not able to make the code actually do what he claimed it was doing.
Basically, there was a file within the clipboard app that would identify what kind of data was copied to the clipboard including a list of phrases called badwords.txt and had a method of identifying bank account numbers.
Android Police reached out to OnePlus for further explanation, to which OnePlus provided to following statement:
“In the open beta for HydrogenOS, our operating system for the China market, the identified folder exists in order to filter out what data to not upload. Local data in this folder is skipped over and not sent to any server.”
Artem Russakovskii (@ArtemR) January 26, 2018
After OnePlus’ statement, the original poster tweeted the following:
The conditions to send your data to teddymobile server are:
– clip data is not numeric
– not an email
– Chinese @OnePlus phone
– clipboard data matched the express pattern.
It good to say that parserOnline method is used 3 times in the code, so this is only 1 of the 3 usecases pic.twitter.com/Rp9HvZTF48
Elliot Alderson (@fs0c131y) January 26, 2018
It turns out that the information uncovered by the Twitter user was all inactive, residual code from Hydrogen OS, the software found only on Chinese OnePlus devices. It also turns out that the badwords.txt file was actually a blacklist that were compared to the data in the clipboard, and if the clipboard contained any of these phrases, it would not be sent to this server in China. Of course, rules about electronic data privacy are quite different in China.
Its also worth noting that this code was found on the Oxygen OS open beta, which means it more than likely would not have made it to the final build of Oxygen OS. With this happening for a second time, it seems that OnePlus should perhaps make more of an effort to keep both global and Chinese firmware separate so that a misunderstanding like this one wouldnt happen again.
Its not to say that OnePlus is totally off the hook, or any other phone maker for that matter. We just have to be careful about these kinds of accusations that show us pieces of a puzzle that dont actually fit together to paint the assumed picture at least not without asking for a second opinion.