OnePlus has had a rather controversial past year. The China-based smartphone maker was involved in a multitude of privacy blunders, many of which compromised users’ personal data and, in the most recent case, their credit cards. However, it’s not done just yet. Security researcher Elliot Alderson has discovered yet another security oversight, this time concerning OnePlus’ newly added Clipboard app.
The Clipboard app was introduced with one of the latest Beta builds for OnePlus’ flagship 5T smartphone. Alderson’s report claims that the app is designed to look out for specific keywords and to transmit the copied data, along with a few other details, whenever it finds a match.
The information is being relayed to a server in China owned by Teddy Mobile, a company that develops an app for identifying unknown caller identities with the help of Big Data algorithms (similar to Truecaller, but for China). Teddy Mobile has, in the past, partnered with a range of China-based smartphone OEMs including Oppo, Vivo, Xiaomi, Lenovo, and more.
So here’s exactly what is happening: whenever a user copies any text, the Clipboard app is invoked to process it. While doing so, it scans the content for patterns such as an address, an email, a bank account number, and the like. Whenever it comes across a matching string, the Clipboard app fetches further device-specific data such as the IMEI, device ID, your phone number, network details, IP address, and more. Once done, the app packs the copied text together with this private data and sends it to Teddy Mobile’s servers in China.
Therefore, for instance, if you copy your bank account, the Clipboard app will be triggered and share it with Teddy Mobile. Whether it’s an oversight or intentional, we don’t know yet. Unfortunately, this isn’t the first time it’s happening. Only a few weeks before, Elliot had revealed that OnePlus was channeling whatever text a user copies to an Alibaba-owned database. In its defense, OnePlus said the feature was meant to be only for their Chinese users and was accidentally added in the global ROM. At the risk of taking a guess, I think the present case is similar, as Teddy Mobile looks like a harmless startup dealing with caller identities, just like Truecaller. But its presence inside a clipboard app will raise some eyebrows.
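One way to check a build for the behaviour described above is to copy canary strings on a test device and search the traffic captured by an intercepting proxy for them. The sketch below is an added example, not code from the researcher's report or from OnePlus; the capture records, host names, device identifiers and regexes are all constructed assumptions.

```python
import json
import re

# Identifiers of the analyst's own test device (constructed sample values).
DEVICE_IDENTIFIERS = {"imei": "490154203237518", "phone_number": "+15550100"}

# Categories the article says trigger the upload; the regexes are simplified assumptions.
SENSITIVE_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "bank_account": re.compile(r"\b\d{10,18}\b"),
}


def classify(text):
    """Return the sensitive categories a copied string falls into."""
    return sorted(name for name, rx in SENSITIVE_PATTERNS.items() if rx.search(text))


def find_leaks(canaries, requests):
    """Flag captured requests whose body carries a copied canary string and
    list which device identifiers travel with it in the same request."""
    findings = []
    for req in requests:
        body = req["body"]
        for canary in canaries:
            if canary not in body:
                continue
            ids = sorted(k for k, v in DEVICE_IDENTIFIERS.items() if v in body)
            findings.append({"host": req["host"], "canary": canary,
                             "categories": classify(canary), "identifiers": ids})
    return findings


# Constructed capture from an intercepting proxy; hosts are placeholders.
CAPTURE = [
    {"host": "telemetry.example.invalid", "body": json.dumps({"event": "boot"})},
    {"host": "collector.example.invalid", "body": json.dumps({
        "text": "canary.7f3a@example.com", "imei": "490154203237518",
        "phone": "+15550100"})},
]

if __name__ == "__main__":
    # Canaries the analyst copied on the device before capturing traffic.
    for finding in find_leaks(["canary.7f3a@example.com", "4000123412341234"], CAPTURE):
        print(finding)
```

This only matches plaintext bodies; a payload that is compressed or encoded has to be decoded before the search.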
Fortunately, the new Clipboard app hasn’t made its way to the public build yet, hence it’s safe to say that the majority of users have not been affected, and OnePlus should, in all probability, remove the controversial code from the public build.
We have reached out to OnePlus for comment but haven’t heard back from them yet. This article will be updated as and when we hear back from them.
This post first appeared on Technology Personalized.