An intrepid user on the OnePlus forums, v1nc, noticed a suspicious new system app “com.oneplus.clipboard” attempting to access the network after upgrading to a beta release of Oreo with the December 1st security update. Suspiciously, the IP address led to a block owned by Chinese conglomerate Alibaba. Android Police reached out to OnePlus, which confirmed that this was present in the beta.
According to OnePlus:
Our OnePlus beta program is designed to test new features with a selection of our community. This particular feature was intended for HydrogenOS, our operating system for the China market. We will be updating our global OxygenOS beta to remove this feature.
Leaving aside the fact that harvesting clipboard information strains the definition of “feature,” the representative stated that the transmitted data was not saved “on any server.” The representative also claimed that “this feature is not uncommon for China users.”
The APK in question is not present in the current stable OxygenOS for the OnePlus 3T.
It’s unclear if this was also in the OnePlus 3 beta build, though no reports of that have been found.
Android Police reader Nicholas Torkos installed the latest beta (OP_O2_Open_29) on his OnePlus 3, and used mitmproxy to inspect the data being sent. From his findings, the clipboard data itself is not being transmitted, but the app is making connections to a server whenever the contents of the clipboard is updated.
According to this reddit poster, a note in the HydrogenOS beta changelog indicates that the feature was intended for accelerating actions:
Smart clipboard recognition which provide appropriate buttons to help you accelerate your next action. This feature currently support recognition for url, address and TaoBao (e-commerce) content.
Accordingly, Alibaba operates an AWS-like cloud service, which apparently OnePlus used in development of this feature. While this function is not itself nefarious, the inability of OnePlus to clearly explain what was actually going on after multiple requests—let alone explain why this feature requires cloud processing to begin with—is distressing.
- Gregory Jimenez,
- Nicholas Torkos