A number of users have found that several models of OnePlus smartphones, including this year’s OnePlus 5, feature a Qualcomm testing app called EngineerMode. This tool happens to allow anybody to gain root level access to a OnePlus device without needing to unlock that handset’s bootloader. While it is true that somebody with less than immaculate intentions would still need to have physical access to a OnePlus phone to really do some serious hacking, but the existence of EngineerMode now gives them a backdoor in which they can put some trackers and other means to get around the phone’s security.
Freelance security researcher Robert Baptiste had stumbled upon EngineerMode on a OnePlus device, and then proceeded to post his discovery on Twitter. A research team from security service provider SecureNow then lent their hand in unlocking the testing app’s password. The fact that SecureNow’s researchers were able to do it means that hackers will be able to do the same thing too, which is a scary thought. The EngineerMode tool is reportedly found on the OnePlus 3, the OnePlus 3T, the aforementioned OnePlus 5, and even the upcoming OnePlus 5T.
Thankfully, OnePlus has responded to the issue. According to a statement it released through its official Community web page, the Chinese phone maker is claiming that the EngineerMode app is being used for diagnostic purposes, especially during factory production line functionality quality control and to help support after sales.
The company then went on to explain that root level access can only be accessed if USB debugging is activated (it is deactivated by default), and if the intruder has actual physical access to the OnePlus handset. Despite saying that it does not consider EngineerMode as a major security issue, the phone maker has decided nonetheless to take out the Android Debug Bridge (ADB) root function from testing app via an over the air (OTA) software update coming soon.
Security concerns have bugged OnePlus lately -- nearly a month ago, the company had to promise to stop collecting data without the express permission of its users. Last October, it was reported that the China based mobile manufacturer was collecting considerable amounts of data from handsets that run on its OxygenOS. The data collection was discovered by a software engineer named Chris Moore, and the information gathered reportedly included the phone’s International Mobile Equipment Identity (IMEI), contact number, serial number, the Wi-Fi networks last connected, and media access control (MAC) address, just to name a few.
