Earlier this week, a Twitter user discovered a flaw in an app called EngineerMode that ships on OnePlus phones. The issue, as discovered by developers, is that the app can act as a backdoor that gives anyone root access to the device.
OnePlus has left the Qualcomm-made EngineerMode APK in all its latest flagships, including the OnePlus 5. The company has now issued a statement explaining the app and its purpose, and saying that it will fix the root access issue in a software update.
Yesterday, an OxygenOS Team staff member posted a statement on the OnePlus forum.
“EngineerMode is a diagnostic tool mainly used for factory production line functionality testing and after-sales support,” he writes, explaining the app’s purpose. The staff member further assured users that the app does not give third-party apps full root privileges. It also requires USB debugging to be turned on, and USB debugging is off by default.
OnePlus therefore feels that this app is not a “major security issue”. However, the company accepts that it could trouble a lot of users, so it will issue an OTA update to remove the adb root function from the app.
“While we don’t see this as a major security issue, we understand that users may still have concerns and therefore we will remove the adb root function from EngineerMode in an upcoming OTA,” the staff member writes at the end of the statement.
OnePlus EngineerMode – what is it?
The EngineerMode app is a system app on OnePlus devices that was developed by Qualcomm and customized by OnePlus to test the hardware components of its devices. The application is installed on the OnePlus 3, OnePlus 3T, and OnePlus 5, and is easily accessible with any activity launcher.
<Thread> Hey @OnePlus! I don't think this EngineerMode APK must be in an user build…🤦♂️
This app is a system app made by @Qualcomm and customised by @OnePlus. It's used by the operator in the factory to test the devices. pic.twitter.com/lCV5euYiO6
— Baptiste Robert (@fs0c131y) November 13, 2017
The Twitter user explained that the device could be rooted by launching the ‘DiagEnabled’ activity in the app with a specific password. The password was found by decompiling ‘libdoor.so’ with the help of some cyber-security experts. That said, root-level access can only be obtained by someone who has access to your device. Still, it is a matter of concern.
News of the EngineerMode flaw, which allows backdoor root access to OnePlus devices, comes as the company plans to launch its latest premium flagship, the OnePlus 5T, on November 16.