OnePlus phones include an easily exploitable backdoor


The app, called EngineerMode, is not normally seen unless you ask to see the device's system apps.

OnePlus has yet to fully recover from the data collection allegations it faced last month, and now fresh allegations over user privacy have surfaced.

A developer managed to use this very app to root the device by figuring out the password used to gain root access.

The application is called "EngineerMode" and was developed by Qualcomm for factory testing. Factory operators use it to test the devices, and they are able to gain root if they have a password to bypass privilege escalation checks.


We've seen several statements by community developers who are anxious because this APK grants root privileges. According to Alderson, the app is installed on some of the OnePlus devices. It is alarming how easily someone can get access to your smartphone in this day and age. The app has the ability to diagnose GPS, check root status and perform a series of tests. Speaking to Hindustan Times, Alderson said, "This loophole is a backdoor".

While it appears OnePlus is responsible for leaving Engineer Mode on its devices, it is not directly responsible for the application itself or the backdoor it creates. The application is present in all OnePlus devices, including the 3, 3T and 5. Meanwhile, OnePlus co-founder Carl Pei has already announced that OnePlus is investigating the issue.

"Thanks for the heads up, we're looking into it", Pei tweeted. OnePlus devices could be rooted by launching the "DiagEnabled" activity in the APK with a specific password, which was found by decompiling "libdoor.so" with the help of a few cyber-security experts. He discovered that his OnePlus 2 device was sending data to an HTTPS domain, open.oneplus.net, which belongs to OnePlus, and that the data was transmitted to Amazon Web Services.
