OnePlus phones come with a backdoor that could give root access
One of the system apps on OnePlus phones can act as a backdoor to the device. OnePlus says it’s “looking in the matter.”
Chinese handset maker OnePlus has once again come under scrutiny over user privacy. A developer who goes by the name of Elliot Alderson on Twitter has spotted a backdoor in OnePlus phones that could allow someone to obtain root access.
Accessing the backdoor is not simple, but it is not impossible. According to the developer, one of the native system apps, called 'EngineerMode', gives access to critical device information such as GPS diagnose and even root status.
"You can access the 'main' activity by sending this command: adb shell am start com.android.engineeringmode/.EngineeringMode. You will have access to everything, not just the manual test," he disclosed in a series of tweets that listed out how he did it.
Root refers to the highest degree of access to an Android phone's operating system, which is usually closed off to protect the system and user privacy. A phone with unrestricted root access can potentially be turned into a device that spies on its user without them finding out.
While the developer said that all OnePlus devices had this backdoor, AndroidPolice reports the access was available in the OnePlus 3, 3T, and 5 smartphones. The backdoor is included on OxygenOS for the OnePlus One, but not the original CyanogenOS ROM, added the website.
"This loophole is a backdoor. So it's not dangerous, it just means anybody with the password can plug your phone to a computer and take all your data," Elliot told Hindustan Times. The developer plans to release a standalone application on the Play Store to help users root OnePlus devices.
Elliot's tweetstorm, though, has caught the attention of OnePlus, which said it was looking into the matter.
Thanks for the heads up, we're looking into it. — Carl Pei (@getpeid) November 13, 2017
The discovery comes weeks after OnePlus was caught collecting users' data without consent. Critical data such as timestamps of when the device was active and on standby, MAC address, phone number, wireless network, mobile network, and International Mobile Equipment Identity (IMEI) numbers were being transmitted, found UK-based security researcher Chris Moore.
The company later announced that it was changing its data collection policies. "By the end of October, all OnePlus phones running OxygenOS will have a prompt in the setup wizard that asks users if they want to join our user experience program. The setup wizard will clearly indicate that the program collects usage analytics. In addition, we will include a terms of service agreement that further explains our analytics collection," OnePlus co-founder Carl Pei had said.