Some digging into the deep system apps on OnePlus phones has exposed a vulnerability in OnePlus devices. A developer has found an application that can be manipulated into granting backdoor root access. In a Twitter thread, the developer explained how he was able to gain root access. Surprisingly, the app has been pre-installed on all current OnePlus phones, and on OxygenOS for OnePlus One.
<Thread> Hey @OnePlus! I don't think this EngineerMode APK must be in an user build…🤦♂️
This app is a system app made by @Qualcomm and customised by @OnePlus. It's used by the operator in the factory to test the devices. pic.twitter.com/lCV5euYiO6
— Elliot Alderson (@fs0c131y) November 13, 2017
The application is called ‘EngineerMode’ and was developed by Qualcomm for factory testing. It was revealed that the app potentially leaves all OnePlus devices open to backdoor root access. XDA Developers claim that the application can be accessed through any activity launcher because the app’s activities are exported. OnePlus devices could be rooted by launching the ‘DiagEnabled’ activity in the APK with a specific password, which was found by decompiling ‘libdoor.so’ with the help of a few cyber-security experts.
OnePlus users can check whether the app is pre-installed by going into Settings > Apps > Menu > Show System Apps and searching for EngineerMode in the app list. The user can access manual tests like root status test, GPS test or the main activity by sending a command. Doing this will grant you access to everything including erasing all data. It is alarming how easily someone can get access to your smartphone in this day and age.
OnePlus co-founder Carl Pei responded to the tweets:
Thanks for the heads up, we're looking into it.
— Carl Pei (@getpeid) November 13, 2017
These findings do not come at an ideal time for OnePlus. The Chinese smartphone maker is gearing up to launch the OnePlus 5T on the 16th of November. The device will be OnePlus’ sixth device in its short lifespan and will take a design detour from previous OnePlus phones with thin bezels and a tall display.
OnePlus was only recently accused of collecting sensitive user data, and the company has barely emerged from the aftermath of those serious allegations. It would not be surprising if OnePlus left the application inside the phones on purpose, since it admitted to collecting data from its phones to improve the user experience.