OnePlus Android mobes' clipboard app caught phoning home to China

OnePlus has admitted that the clipboard app in a beta build of its Android OS was beaming back mystery data to a cloud service in China. Someone running the latest test version of OnePlus's Oreo-based operating system revealed in its support forums that unusual activity from the builtin clipboard manager had been detected by a …

Silver badge

I'm not even mad

That's impressive.

3
0
Silver badge
Joke

Re: I'm not even mad

You see how I'm not beating their face to a pulp with a mechanical keyboard? I really think I'm making progress.

1
0
Silver badge

Android privacy? Is that new?

"...leading some to fear their copy-paste actions were being snooped on and question the privacy protections on their OnePlus handsets."

Meanwhile, the phone is sending Google their GPS coordinates (or cell tower triangulations if location is off), all of their passwords, the contents of their email, all of their contacts, etc etc etc.

14
1
Anonymous Coward

Re: Android privacy? Is that new?

Tin foil hat?

Both Apple and Google sent GPS and cell tower locations back to base

Password manager is opt in on android

Email is not scraped, Gmail is obviously (as is all hosted mail, including Microsoft and Apple)

Contacts are not shared unless you opt in to use Google services and shared contacts.

Where do you get this idea that Google are doing something different to what Apple, Facebook, Microsoft, Yahoo and pretty much everyone else is doing? Google are better at it, that is the ONLY difference.

7
12
Bronze badge

Re: Android privacy? Is that new?

"Tin foil hat?"

No, it's just real time phoning home. Get a network monitor app (net monitor [privacy friendly], etc.) and you'll see a long list of connections going out.

Anyone who cares for a little privacy with their android-based phone would have a firewall (NetGuard, NoRoot Firewall, etc) just to give themselves some control over their device.

4
1
Silver badge

Re: Android privacy? Is that new?

Apple didn't send location information back to base, they were just collecting it in log files on the phone.

3
1
Silver badge

Re: Android privacy? Is that new?

"Both Apple and Google sent GPS and cell tower locations back to base"

Yes, but Google ignored your opt-out if you chose to opt out.

"Password manager is opt in on android."

After a Play Services update, that new option was enabled on my phone.

"Contacts are not shared unless you opt in to use Google services and shared contacts."

So they're shared unless you specifically store them under the local contact type (which doesn't even exist on many phones).

"Where do you get this idea that Google are doing something different to what Apple, Facebook, Microsoft, Yahoo and pretty much everyone else is doing? Google are better at it, that is the ONLY difference."

And constantly pull the rug out from under you with silent updates that you usually have to disable yourself, by which time it's too late.

8
0
Anonymous Coward

Re: Android privacy? Is that new?

I wiresharked an android handset opted out of Google services, and nothing was being sent.

So you just made that up.

0
2
Silver badge

Re: Android privacy? Is that new?

Absolutely nothing was sent to Google after turning off location services? Please do elaborate.

Then there's this.

Please stop shilling, AC.

2
0
Silver badge

Re: Android privacy? Is that new?

"Where do you get this idea that Google are doing something different to what Apple, Facebook, Microsoft, Yahoo and pretty much everyone else is doing?"

Um, that's all you, my anonymous friend. My post didn't say that at all...

1
0

And Huawei rants?

And Huawei wonders why there's no carrier love for their "safe" phones in the USA? I wonder just how much "ownage" there is in the world because of Chinese goods? I don't think we'll ever know.

Bigger problem is knowing what was an accident and what was really intentional. China doesn't have a very good reputation for playing nice or fair.

10
1

Re: And Huawei rants?

"Bigger problem is knowing what was an accident and what was really intentional. China doesn't have a very good reputation for playing nice or fair."

China product security 100% safe. You can trust the Chinese with all your personal data and Intellectual Property.

Quick! Look over there! Google leaks data!

16
1
Bronze badge

Do it to Julia! Do it to Julia!

"... this was a feature destined for handsets in China, and will be removed from, presumably, mobes outside the Middle Kingdom."

That's all right, then.

7
0
Anonymous Coward

Re: Do it to Julia! Do it to Julia!

"... this was a feature destined for handsets in China, and will be removed from, presumably, mobes outside the Middle Kingdom."

... given several other Chinese phone manufacturers have had the same problem before over "software modes for use in China inadvertently added to phones sold elsewhere" you would have thought that checking for this would have become a tick-box on the sign-off check-list

2
1
Anonymous Coward

Who do they think they are ?

Microsoft ?

12
0
Anonymous Coward

Re: Who do they think they are ?

Apple got caught doing this in the past too....

5
1
Silver badge

Re: Who do they think they are ?

No, they stored a history on the phone and the problem was it may have been found in a non-encrypted backup on the computer.

1
1
Anonymous Coward

Re: Who do they think they are ?

Nope, they were scraping clipboard, and also iOS had no control on access to clipboard, so rogue apps could monitor and upload.

In addition contacts were also not protected by permissions on iOS, and many big companies were caught uploading entire unencrypted address books on iOS....

So sorry to tell you, your walled garden is full of shite and falling apart security wise...

0
0
Anonymous Coward

Alibaba's involvement

…is limited to offering a Chinese AWS of sorts (Alibaba Cloud). In this case they're doing nothing wrong.

Also why would you be surprised that your Chinese phone is calling home to China of all places?

3
3
Anonymous Coward

Technical details

No clipboard data involved: https://www.reddit.com/r/oneplus/comments/7prvrj/

4
0
Anonymous Coward

Re: Technical details

Interesting thread. If true it seems that it is used to spot Alibaba codes and convert them back to normal links due to a fight between two big Chinese mega tech corps and lots of phone providers create this automatic conversion facility.

Hard to summarise, read the second post on reddit for info.

Edit: just seen someone has posted the explanation below this post.

0
0
Silver badge

Re: Technical details

Early bandit capitalism at its best. Reminds me of the invention of the first phone switch: https://en.wikipedia.org/wiki/Strowger_switch

0
0
Anonymous Coward

Re: Technical details

Awwww, don't spoil the clickbait party. There were some Apple fanboys that were getting off on this.

0
1
Silver badge

Chinese version?

But why would the version intended for China be sending copies of the clipboard home?

0
2

Re: Chinese version?

There's actually an explanation of sorts in the Reddit link AC posted above... Remembering firstly that Alibaba in China runs a cloud service much like Amazon's AWS in the Western world, one would assume these requests are being sent over https to an Alibaba instance owned by OnePlus.

From what I can see it's a cloud-based API which monitors the phone clipboard and obfuscates Taobao links by recognising and replacing them via a URL shortening service, bypassing the censorship used in the popular Wechat app.

Original explanation:

lambdaq 238 points 2 hours ago*

Chinese here.

Maybe I can provide some insight and background story

Here are the API requests OP captured

http://bigdata.taobao.com/docs/api.htm?apiId=31578

https://open.alitrip.com/docs/api.htm?apiId=26657

So there are two Internet giants in China, Alibaba and Tencent

Tencent has this crap mega app pretending to be IM chat app, Wechat.

People share ebay links, oops, I am sorry, taobao links in Wechat

Wechat got jealous, they blocked all *.taobao.com *tmall.com links to "protect the customer from fraud"

But of course people love taobao & tmall because it's full of cheap shit and ppl think they can outsmart scammers.

But anyway, two Internet giants, one blocking link to another.

The taobao guys invented something clever, they invented some kind of hash code, which is called 淘口令, which is some kind of token that uniquely links to a taobao/tmall SKU, so Wechat can not block arbitrary alphanumeric tokens, thus ppl can share the crap they bought on taobao, via Wechat

But after all, there's the catch, how does the OnePlus ROM have anything to do with this?

Well, the clever-ass part is they will match certain strings from your clipboard, send the token to taobao API, and restore the original SKU links.

That's it, that's why you will see strange URL requests going to China IPs.

TL;DR Smart Clipboard trying to analyse your clipboard content by sending request to alibaba matching against Taobao links.

7
0
Anonymous Coward

Taobao link translator

So all the righteous indignation was for naught? All those torches and pitchforks wasted for some stupid marketing gag?

Well, there is a lesson about overhasty conclusions to be learned here...

4
1
Anonymous Coward

Re: Taobao link translator

Just like an ounce of prevention is worth a pound of cure. But you go ahead and trust your privacy to a Chinese handset. We won't judge. We won't give you passwords to our Wi-Fi networks, either, but we won't judge.

1
2

George Orwell wrong

Not just the Government. Not Big Brother either. Worse, much, much worse.

0
1


Biting the hand that feeds IT © 1998–2018