In a sensational series of tweets, a user recently pointed out a major security issue with OnePlus smartphones. According to this user, OnePlus smartphones including the OnePlus 3, 3T and 5 can be rooted without unlocking the bootloader via the EngineerMode app. The Twitter user, who goes by the name Elliot Alderson, pointed out that OnePlus devices come with the EngineerMode APK pre-loaded, and that it acts as a backdoor, giving third-party apps potential root access without the need to unlock the phone.
“Hey @OnePlus! I don’t think this EngineerMode APK must be in a user build… This app is a system app made by @Qualcomm and customised by @OnePlus. It’s used by the operator in the factory to test the devices,” reads one of Alderson’s tweets. The app, developed by Qualcomm, is essentially designed for OEMs to test hardware components or run diagnostic tests on the device. However, it can be exploited to enable backdoor rooting.
In another tweet, Alderson explained how to check if the app is pre-installed on your phone. “If you have a OnePlus device, I’m pretty sure you have this app pre-installed. To check open Settings -> Apps -> Menu -> Show system apps and search EngineerMode in the app list to check,” he tweeted.
Reacting to this, OnePlus co-founder Carl Pei acknowledged the issue and said the company is looking into it. “Thanks for the heads up, we’re looking into it,” Pei said on Twitter. OnePlus also wrote a blog post about the issue, indicating that it isn’t a major security issue.
“EngineerMode is a diagnostic tool mainly used for factory production line functionality testing and after-sales support. We’ve seen several statements by community developers that are worried because this apk grants root privileges. While it can enable adb root which provides privileges for adb commands, it will not let 3rd-party apps access full root privileges,” read the OnePlus post.