Phone-maker OnePlus has had a tough time of things in the press recently with claims about users' clipboard data being mined, and the problems following a credit card breach. A second suggestion that the company was sending clipboard data back to China surfaced recently, but the company has been quick to deny any wrongdoing.
Suspicions were raised when a OnePlus user noticed a file called badwords.txt which includes a list of words such as "chairman," "private message" and "address."
The file was noticed by a French security researcher called Elliot Anderson. It was found in a compression archive called "pattern" along with a number of other files. Anderson explains that "all these files are used in an obfuscated package which seems to be an #Android library from Teddymobile," which is "a Chinese company" that works "with a lot of manufacturers including Oppo."
Anderson shared his findings on Twitter:
OnePlus wasted little time in putting out a statement which reads:
There's been a false claim that the Clipboard app has been sending user data to a server. The code is entirely inactive in the open beta for OxygenOS, our global operating system. No user data is being sent to any server without consent in OxygenOS.
In the open beta for HydrogenOS, our operating system for the China market, the identified folder exists in order to filter out what data to not upload. Local data in this folder is skipped over and not sent to any server.
As explained by Android Police, it seems that OnePlus accidentally included code from its Chinese HydrogenOS (albeit inactive code) in OxygenOS in the rest of the world. While seemingly innocent, users have been increasingly wary of OnePlus of late.