(UPDATE: No actual data is sent) OnePlus is apparently sending stuff back to servers owned by Alibaba

[D13H4RD]

Welp, this is like, I don't know. How many times does the word "OnePlus" and "privacy" get mixed up with "sending data back" in a bad way?

 

A user on the OnePlus forums reported that the VPN firewall app he was using on his OnePlus 3T had blocked traffic related to sending clipboard data back to servers which are owned by Alibaba.

 

Source: https://forums.oneplus.net/threads/is-clipboard-content-sold-to-alibaba.746610/

 

Quote

An intrepid user on the OnePlus forums, v1nc, noticed a suspicious new system app "com.oneplus.clipboard" attempting to access the network after upgrading to a beta release of Oreo with the December 1st security update. Suspiciously, the IP address led to a block owned by Chinese conglomerate Alibaba. Android Police reached out to OnePlus, which confirmed that this was present in the beta.

 

According to OnePlus:

Our OnePlus beta program is designed to test new features with a selection of our community. This particular feature was intended for HydrogenOS, our operating system for the China market. We will be updating our global OxygenOS beta to remove this feature.

 

Leaving aside the fact that harvesting clipboard information strains the definition of "feature," the representative stated that the transmitted data was not saved "on any server." The representative also claimed that "this feature is not uncommon for China users."

The APK in question is not present in the current stable OxygenOS for the OnePlus 3T. It's unclear if this was also in the OnePlus 3 beta build, though no reports of that have been found.

Source: http://www.androidpolice.com/2018/01/11/oneplus-3t-beta-sent-clipboard-data-to-alibaba-controlled-servers/

 

Given that this is yet another privacy blunder for OnePlus in just a few months, I'm starting to become weary of recommending them. But what's your take?

 

UPDATE: Apparently, no actual data is sent but the servers are apparently used to speed up clipboard actions. 

Quote

Android Police reader Nicholas Torkos installed the latest beta (OP_O2_Open_29) on his OnePlus 3, and used mitmproxy to inspect the data being sent. From his findings, the clipboard data itself is not being transmitted, but the app is making connections to a server whenever the contents of the clipboard is updated.

According to this reddit poster, a note in the HydrogenOS beta changelog indicates that the feature was intended for accelerating actions:

Smart clipboard recognition which provide appropriate buttons to help you accelerate your next action. This feature currently support recognition for url, address and TaoBao (e-commerce) content.

Accordingly, Alibaba operates an AWS-like cloud service, which apparently OnePlus used in development of this feature. While this function is not itself nefarious, the inability of OnePlus to clearly explain what was actually going on after multiple requests—let alone explain why this feature requires cloud processing to begin with—is distressing.

Source: 

http://www.androidpolice.com/2018/01/11/oneplus-3t-beta-sent-clipboard-data-to-alibaba-controlled-servers/

[ItsMitch]

2 minutes ago, D13H4RD2L1V3 said:

I'm starting to become weary of recommending them. But what's your take

I'll stick with my Pixel XL, at least Google are open about not caring about your privacy  

[Ryujin2003]

Not even surprised anymore. Maybe OnePlus, DJI, and Lenovo can go into business together.

[atrash]

that's the price you gotta pay for wanting a high end spec phone with 'affordable' price I guess :shrugs: ... I was never a fan of Oneplus or any Chinese brand phone for that matter anyway. 

[bcredeur97]

everyone file an alibaba abuse claim

[Maslofski]

time to copy paste hardcore porn on a one plus click farm lol

[DocSwag]

Definitely not regretting my decision to not get a 5T now  

[mr moose]

Chinese government and corporate data shit aside, I can see a useful side of this, Imagine being able to send something to cloud backup by copying it. 

[HarryNyquist]

17 minutes ago, mr moose said:

Chinese government and corporate data shit aside, I can see a useful side of this, Imagine being able to send something to cloud backup by copying it. 

Imagine how many passwords there'd be in the cloud because you're smart and use a password manager...

[mr moose]

1 minute ago, HarryNyquist said:

Imagine how many passwords there'd be in the cloud because you're smart and use a password manager...

Who copies passwords to their clipboard?

[ItsMitch]

8 minutes ago, mr moose said:

Who copies passwords to their clipboard?

Me? I use a password manager and it doesn't always support the website

[corsairian]

14 minutes ago, mr moose said:

Who copies passwords to their clipboard?

Lots of people do it. Especially with those generic password resets with 9 special characters in it. 

 

I assume everything in my clipboard is for my eyes only. So why not copy and paste a password? 

[mr moose]

14 minutes ago, SC2Mitch said:

Me? I use a password manager and it doesn't always support the website

7 minutes ago, corsairian said:

Lots of people do it. Especially with those generic password resets with 9 special characters in it. 

 

I assume everything in my clipboard is for my eyes only. So why not copy and paste a password? 

Then don't use this type of feature,  I was merely saying it would have it's advantages if corporate/government security wasn't an issue.

[ItsMitch]

1 minute ago, mr moose said:

Then don't use this type of feature,  I was merely saying it would have it's advantages if corporate/government security wasn't an issue.

I don't own a 1+? I already said I own a Pixel XL and I really don't care Google know my passwords to some........ sites. 

[mr moose]

17 minutes ago, SC2Mitch said:

I don't own a 1+? I already said I own a Pixel XL and I really don't care Google know my passwords to some........ sites. 

I'm not sure what we are discussing now.  I was merely pondering the benefit of being able to send stuff to a personal cloud account by simply copying it.

[NinJake]

"install date" 2008....? what?

 

I mean if this is the first time this has occurred is it not possible that this user has some shit on their phone? Or is this easily replicated throughout all OP devices?

[NinJake]

People need to do more research before  you post things claiming OnePlus is selling user data. For one, people have already tried to download the exact same .apk and replicate the issue to no avail. I have a OnePlus phone and the app has not sent or received any data. NUMEROUS users have not been able to replicate this.

 

If I were to visit "getfreestuff.zyx" and downloaded 8gb of additional ram, only to find out the website had injected malicious code into my pc which took a screenshot of my screen every 15 seconds, I'm not going to blame Microsoft and say they are taking pictures of my screen. (Even if I don't know where the source of the issue originates from)

 

It's also worth noting that yes, China does have shady practices. China claims "

Quote

Our OnePlus beta program is designed to test new features with a selection of our community. This particular feature was intended for HydrogenOS, our operating system for the China market. We will be updating our global OxygenOS beta to remove this feature.

" -official statement from OP

 

So you do have to take everything with a grain of salt, but it only targeted a handful of users that should have been aimed at the chinese market only it seems.

[Dani360c]

Oneplus can have all the data they want from me, so happy about my 5t!

[Guest]

OnePlus is still a hardware/software champion that is able to keep moderate prices in this "1000€+ ultra premium phone" age of ours. 

 

The experience is still great despite this privacy setback, nonetheless, so they're still a definitive recommend.

[Keg Ops]

Not surprising honestly, One Plus already has a track record of shady business. It would surprise me if they weren't already selling your personal data for money in other ways too. 

[RyomaSJibenG]

all the more reason i distant myself from OnePlus, its so alluring but i guess that's the price to pay for a cheap one

[D13H4RD]

4 hours ago, Goku-sama said:

OnePlus is still a hardware/software champion that is able to keep moderate prices in this "1000€+ ultra premium phone" age of ours. 

 

The experience is still great despite this privacy setback, nonetheless, so they're still a definitive recommend.

Except this is a significant blunder. 

 

This "feature" is supposed to be for HydrogenOS but how did it make its way into an OxygenOS build? 

[dizmo]

Yup. Never buying a OnePlus device.

[D13H4RD]

7 hours ago, NinJake said:

People need to do more research before  you post things claiming OnePlus is selling user data. For one, people have already tried to download the exact same .apk and replicate the issue to no avail. I have a OnePlus phone and the app has not sent or received any data. NUMEROUS users have not been able to replicate this.

 

If I were to visit "getfreestuff.zyx" and downloaded 8gb of additional ram, only to find out the website had injected malicious code into my pc which took a screenshot of my screen every 15 seconds, I'm not going to blame Microsoft and say they are taking pictures of my screen. (Even if I don't know where the source of the issue originates from)

 

It's also worth noting that yes, China does have shady practices. China claims "

" -official statement from OP

 

So you do have to take everything with a grain of salt, but it only targeted a handful of users that should have been aimed at the chinese market only it seems.

This isn't "downloadmoreram.kek" though. This was in a build of OxygenOS based on Android Oreo. 

 

It's supposed to be on HydrogenOS, but some guy screwed up and it found its way into this specific build of OxygenOS. 

 

Like this is not the first time OnePlus was caught sending data back to China or Chinese companies without your permission or knowledge. Like, if you want to send data back, fine, but let me know beforehand and give me the option to opt out. This one may be accidental, but OnePlus needs to be more diligent. 

[Drak3]

 

And it's nice that you're using the garbage tier Nep as a profile pic again.