Explained: What OnePlus' Clipboard App Sends & Receives, And Why

Two days ago, we published a story on how OnePlus was apparently collecting clipboard data and sending it to servers controlled by Alibaba. The story was inspired by the findings of an intrepid OnePlus 3T user v1nc who came across a new OnePlus system app - com.oneplus.clipboard - in the last Open Beta released for the OnePlus 3T. v1nc found out that whenever the clipboard contents were updated, that is whenever a piece of text was cut or copied, the system app com.oneplus.clipboard would send some data to a server owned by Alibaba. Naturally enough, this finding caused an uproar within the privacy cautious Android community and led to the birth of the speculation that OnePlus was collecting the clipboard data of its users. To make matters worse for itself, OnePlus gave out a confusing statement to Android Police regarding the issue:

Our OnePlus beta program is designed to test new features with a selection of our community. This particular feature was intended for HydrogenOS, our operating system for the China market. We will be updating our global OxygenOS beta to remove this feature.

The statement given by OnePlus is clearly not acceptable enough for an explanation. We did a thorough analysis of OnePlus' statement in our previous story, so to save time and effort, I'm quoting it below:

The statement given by OnePlus is quite mysterious. Firstly, collecting clipboard data without consent from the user can't be termed as a 'feature'. I would instead call that as 'snooping'. Secondly, if this particular feature was intended for HydrogenOS, it means that OnePlus was planning to collect the clipboard data from its Chinese users. Seeing the implementation of this feature in OxygenOS, I can't help myself but think that OnePlus would have implemented this feature in a similar manner in HydrogenOS. Lastly, if this feature was planned for HydrogenOS, how did it end up in OxygenOS? It appears that OnePlus made a mistake of collecting clipboard data and then made another mistake of implementing it in OxygenOS instead of HydrogenOS. 

I will answer each of the three questions I raised above. Before I do that, let me brief you up on Tencent Holdings and Alibaba Group - the two Internet giants hailing from China. Both the companies were included in Fortune Global 500 List last year. At the time of writing this article, the market values of Tencent Holdings and Alibaba Group were US$542 billion and US$490 billion respectively. Both of these Chinese multinational corporations provide a range of internet-related services, but Tencent's strength lies in the social network arena and Alibaba has a strong hold over e-commerce. Tencent's social network platform of WeChat has nearly a billion users, while Alibaba's Taobao and TMall have a combined active consumer base of nearly 500 million. Since the Chinese government doesn't allow foreign participation in the internet sector, Tencent and Alibaba are the only two giants in the online sector.

Since Alibaba and Tencent are the only two major internet companies in China, the two of them try to win each-other's user base. In August 2013, Alibaba temporarily banned sellers on its website from using rival Tencent's WeChat platform. Later in the same month, Alibaba's Taobao blocked all visits made from WeChat. In return, Tencent blocked the sharing of Xiami Music, in which Alibaba has a stake. JD.com, another e-commerce portal in China and with which Tencent has signed a corporate deal, doesn't accept payments via Alibaba's popular payment platform Alipay. More recently, WeChat started blocking links to Taobao and TMall.

To get around the block imposed by WeChat, the developers at Taobao and TMall devised a hash code which encodes their URLs into arbitrary alphanumeric characters which WeChat cannot restrict. Chinese Reddit user /u/lambdaq explained this in great detail. He said encoded messages (like "80% discount for this awesome gadget! ￥E1M5RcQTf3￥") can be generated for every shopping item using Taobao's mobile app. Users can then share this encoded message on WeChat. To decode the Taobao link, the receiver has to long press and copy the message. Once the message has been copied, the receiver's device will automatically decode the link and then display a prompt up notification like, "Will ya open taobao page for this awesome gadget?" On clicking "Yes", the device will load up the shopping item's page in Taobao's mobile app. For the example encoded message, "￥E1M5RcQTf3￥" is the hash code which is decoded by the receiver's device. OnePlus's system app com.oneplus.clipboard does this decoding.

Whenever a text with either of these characters --    .*[￥￥《](.*?)[￥￥《].*    --  is copied to the clipboard, OnePlus' system app sends an API request to a Alibaba server (remember Alibaba operates Taobao) and fetches a piece of Regex code which is used to decode the Taobao link. So the data transmission request which v1nc came across was actually an API request sent to download the Regex code and to use it to decrypt the link.

I will now attempt to answer the three questions I raised earlier.

Q1. Is OnePlus 'snooping' since it didn't ask for the user's content before sending the clipboard data (whatever the clipboard data may be)?

Ans. Probably not. The clipboard app, which was first discovered in OxygenOS Open Beta, is also present in the latest HydrogenOS beta build (dated December 28, 2017) for the OnePlus 3 and 3T. Reddit user /u/TsFreedie translated a piece of changelog for the last HydrogenOS beta build.

Smart clipboard recognition which provide appropriate buttons to help you accelerate your next action. This feature currently support recognition for url, address and TaoBao(e-commerce) content.

To make things clearer, /u/TsFreedie also shared a video demonstrating the feature. Towards the end of the video, you will find that there is a switch for "Quick clipboard" in Settings > Advanced. Once the switch is disabled, all the "smart clipboard recognition" features are also disabled (Quick clipboard is enabled by default). It is also worth noting here that smart text selection is present natively in Oreo 8.0. However, Google's implementation of smart text selection doesn't require any data to be sent or fetched from the internet.

Q2. Is this feature present in HydrogenOS?

Ans. As you read above, it is present.

Q3. How come was this feature included in OxygenOS then?

Ans OnePlus has two Android skins of its own - HydrogenOS and OxygenOS. HydrogenOS is meant for Chinese consumers while OxygenOS is designed for the international market. I can't tell for sure how this feature was included in OxygenOS, but I think it was probably a mistake.

Conclusion

I think it wouldn't be wrong to conclude that this entire controversy was mostly a PR disaster. I also admit that there was lack of research on our end and only if we had known how things operate in China (which I hope we know better now), we could have avoided this mistake in the first place. Additionally, in the statement given to Android Police, the representative added on that "this feature isn't uncommon for China users". So I guess this isn't something that is uncommon in China. I initially believed that OnePlus might be one of the handful brands to be doing this kind of decoding, but I now believe that other companies might be doing something similar.


Huge thanks to /u/lambadiq, /u/TsFreedie

Krittin Kalra

Krittin Kalra is a 20 year old Android freak. Striving for passions, chasing down his dreams and living a life without regrets is his sole mantra. A bit moody, he also does custom ROM reviews for AndroGuider. Currently pursuing his B.Tech, he aspires to follow his heart.