Chinese smartphone manufacturer OnePlus
and some of its latest devices are again making news
for the wrong reasons. After allegations of leaking users' key device information without their permission, the concern this time is around a flaw in the operating system used in flagships OnePlus
3T and OnePlus
5. According to reports, this flaw gives backdoor
root access to third-party apps. Mainly on account of EngineerMode
APK, which comes pre-installed in these devices, the devices coould potentially give root access to third-party apps without unlocking the phone bootloader.
APK flaw came to light after a Twitter user Elliot Alderson flagged the concern that the app acted as a backdoor, giving third-party apps a potential root access without unlocking the bootloader. According to Alderson’s tweet, the EngineerMode
app is developed by Qualcomm for original equipment makers (OEMs) to test hardware components or diagnostic tests on devices. However, it has the potential of enabling backdoor
rooting which can be exploited.
Anderson also explained how one could check the device to know if one's smartphone had the EngineerMode
app pre-installed. Here are the steps:
Soon after, OnePlus
co-founder Carl Pei
acknowledged the issue and tweeted that the company was looking into the matter. Later, the company confirmed the existence of such an app but denied the role of the app as a potential threat that could provide root access to third-party apps.
According to the company's blogpost, the app cannot grant root access to any app unless the USB debugging
mode is turned on. It claims the mode is turned off by default, so the apps cannot gain complete root access without unlocking bootloader.
app is a diagnostic tool mainly used for the factory production line functionality testing and after-sales support. We’ve seen several statements by community developers that are worried because this apk grants root privileges. While, it can enable adb root, which provides privileges for adb commands, it will not let 3rd-party apps access full root privileges,” read the blogpost.
The company confirms that the “adb root function from EngineerMode
will be removed in an upcoming OTA,” as users still have concerns.
was accused of compromising users’ confidential device data by collecting personal information of users without their permission. The company had later issued a blogpost confirming that OnePlus
would scale back on data collection on its devices.