OnePlus has a glaring smartphone security problem the company says it plans to fix in an upcoming software update. Just this week, a bit of fan sleuthing surfaced a flaw ostensibly due to oversight that meant that, over the past couple of years, OnePlus phones (including the recently released OnePlus 5) have carried a Qualcomm testing app called EngineerMode.
The app provides users with root-level access to the phone without needing to unlock its bootloader, according to Engadget. In other words, a malicious user would need to physically grab your phone in order to take advantage of the bug. Yet once they gained that access, they could plant trackers or malware easily.
A staff member from the OnePlus team explained in a forum post that EngineerMode is a diagnostic tool used for factory production line functionality testing and also for IT support as OnePlus customers call in for help. The staff member reassured users by saying that third-party apps can’t gain full root privileges from EngineerMode. And since USB debugging, which is off by default, must be turned on for EngineerMode to work, that at least gives oblivious users a line of defense against would-be attackers.
“While we don't see this as a major security issue, we understand that users may still have concerns,” said the staff member, explaining that the root function would be removed in the next update. OnePlus previously stepped on users’ toes last month when it was found to be collecting a ton of data from its smartphones. Coupled with this EngineerMode security loophole, it doesn’t look great for OnePlus’ overall user security.
Qualcomm disavowed the EngineerMode app in statement on Wednesday, saying that it was modified from the Qualcomm original. “After an in-depth investigation, we have determined that the EngineerMode app in question was not authored by Qualcomm,” said a spokesperson, “Although remnants of some Qualcomm source code is evident, we believe that others built upon a past, similarly named Qualcomm testing app that was limited to displaying device information.”
Update November 15th, 2:00PM ET: This article was updated with a statement from Qualcomm.