An intrepid user on the OnePlus forums, v1nc, noticed a suspicious new system app "com.oneplus.clipboard" attempting to access the network after upgrading to a beta release of Oreo with the December 1st security update. Suspiciously, the IP address led to a block owned by Chinese conglomerate Alibaba. Android Police reached out to OnePlus, which confirmed that this was present in the beta.
According to OnePlus:
Our OnePlus beta program is designed to test new features with a selection of our community. This particular feature was intended for HydrogenOS, our operating system for the China market. We will be updating our global OxygenOS beta to remove this feature.
Leaving aside the fact that harvesting clipboard information strains the definition of "feature," the representative stated that the transmitted data was not saved "on any server." The representative also claimed that "this feature is not uncommon for China users."
The APK in question is not present in the current stable OxygenOS for the OnePlus 3T.
It's unclear if this was also in the OnePlus 3 beta build, though no reports of that have been found.
Android Police reader Nicholas Torkos installed the latest beta (OP_O2_Open_29) on his OnePlus 3, and used mitmproxy to inspect the data being sent. From his findings, the clipboard data itself is not being transmitted, but the app is making connections to a server whenever the content of the clipboard is updated.
According to this reddit poster, a note in the HydrogenOS beta changelog indicates that the feature was intended for accelerating actions:
Smart clipboard recognition which provide appropriate buttons to help you accelerate your next action. This feature currently support recognition for url, address and TaoBao (e-commerce) content.
Accordingly, Alibaba operates an AWS-like cloud service, which apparently OnePlus used in the development of this feature. While this function is not itself nefarious, the inability of OnePlus to clearly explain what was actually going on after multiple requests—let alone explain why this feature requires cloud processing to begin with—is distressing.
After apologizing for the confusion and lack of clarity in the initial statement given to Android Police, OnePlus sent us an updated statement:
We apologize to our beta test users, for the confusion over an experimental HydrogenOS feature appearing in the global OxygenOS beta, which is being updated to remove it. The experimental HydrogenOS feature is designed specifically for the Chinese market, where a unique competitive situation between two major web service providers has led to some ecommerce weblinks being blocked. A workaround developed by one of the parties involved sending a token so that link sharing would function fully. We were testing a similar feature in the HydrogenOS beta.
- Gregory Jimenez,
- Nicholas Torkos