OnePlus inadvertently left a backdoor on its phones
Nov 14 2017 by Joanne Wise
While the company eventually reversed course on the data collection, another discovery has been made in the software of OnePlus phones. The application in question is a diagnostics tool called "EngineerMode" that Qualcomm developed and distributes to OEMs like OnePlus so they can test the hardware components of a device. Intended for internal use only by the company's engineering team to verify that devices are working properly, the application has remained on OnePlus devices shipped to consumers, and it may present a threat to their security.
The vulnerability allows an attacker to use the EngineerMode app to gain root access and, with it, to fully compromise the device. Root access essentially means complete control over the device, including privileged control over features that would otherwise be locked down; in effect the leftover diagnostics app can be used as a rooting backdoor. The mitigating factor is that local access to the device is needed: no remote exploit is known, so an attacker has to have the phone in hand rather than reaching it over the network.
OnePlus' co-founder clarified that the company was collecting data to "better understand general phone behavior and optimize OxygenOS for a better overall user experience". Of course, expecting OnePlus engineers to unlock the bootloader of every device during factory testing would be unreasonable, which is why a tool like EngineerMode exists; but leaving it installed on retail units poses security risks for everyday users, and it serves as a warning to OnePlus to be particularly careful about the software it leaves on future phones after they roll off the production line. The app is normally hidden until you tell Android to show system apps, so you might not notice it unless you go looking for it. Hopefully OnePlus will remove the application from its devices with an update, all the way back to the OnePlus One.
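Because the app is a hidden system package, the quickest way to check whether a phone carries it is to ask the package manager over adb rather than scrolling through the launcher. The script below is an added example, not code from the article or from OnePlus or Qualcomm. The package name it looks for is not stated on this page; it is the name that was widely reported for the OnePlus build of EngineerMode and is treated here as an assumption that you can override through the `ENGINEERMODE_PKG` variable. The sample package listings are constructed, not captured from a real device, so the parsing part runs offline.

```shell
#!/bin/sh
# Added example: detect the EngineerMode diagnostics package on an Android device.
# The default package name is an assumption (widely reported, not given on the page).
ENGINEERMODE_PKG="${ENGINEERMODE_PKG:-com.android.engineeringmode}"

# has_engineermode: read "pm list packages" output on stdin (one "package:<name>"
# per line) and succeed only if the suspect package appears as a whole line.
has_engineermode() {
    grep -qxF "package:${ENGINEERMODE_PKG}"
}

# check_device: live check over adb. System apps are hidden from the launcher,
# so the package manager is queried directly; adb output may carry CRLF, hence tr.
# Returns 0 if present, 1 if absent, 2 if adb is not installed.
check_device() {
    if ! command -v adb >/dev/null 2>&1; then
        echo "adb not found; skipping live check" >&2
        return 2
    fi
    if adb shell pm list packages | tr -d '\r' | has_engineermode; then
        echo "EngineerMode package present: ${ENGINEERMODE_PKG}"
        # Show where it lives and whether it is still enabled for the user.
        adb shell dumpsys package "${ENGINEERMODE_PKG}" | tr -d '\r' \
            | grep -E 'versionName|codePath|enabled='
        return 0
    fi
    echo "EngineerMode package not found: ${ENGINEERMODE_PKG}"
    return 1
}

# Constructed sample listings for offline use (not real device output).
SAMPLE_WITH="package:com.android.settings
package:com.android.engineeringmode
package:net.oneplus.launcher"
SAMPLE_WITHOUT="package:com.android.settings
package:net.oneplus.launcher"

# sample_has_engineermode: run the parser over a constructed listing.
sample_has_engineermode() {
    printf '%s\n' "$1" | has_engineermode
}

# Usage: ./check_engineermode.sh   (needs a device with USB debugging enabled)
# check_device
```

If the package turns up, `adb shell pm disable-user --user 0 "$ENGINEERMODE_PKG"` disables it for the primary user on most builds without root; that is a stopgap until an OTA removes the app, not a substitute for the update the article hopes for.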