Technology

An app installed on OnePlus devices left root access open, poses potential security threat

(Source: 9to5google.com)

One of the biggest concerns with buying from smaller brands that many often overlook is security. Earlier this year BLU was revealed to have some serious security concerns, and even OnePlus has had issues revealed. Now, another potential threat has arisen on OnePlus devices as an app on several of the company’s phones has been revealed to carry root access.

The best gifts for Android users

A developer recently discovered that an app installed on OnePlus devices (OnePlus 3, 3T, 5 according to Android Police) called “EngineerMode.” This app is used by OnePlus to ensure that a device is working properly before it leaves the factory. However, it also holds a backdoor which is capable of root access, even if the device has not been unlocked.

Root access was still hidden behind a password, but once that was cracked, that developer was able to obtain root access on the phone. That developer has plans to release an app which exploits this method as a way to give OnePlus users the easiest root method of all time, but don’t expect that to last long.

So yes, if you send the command: adb shell am start -n https://t.co/yYfeX14Ioj.engineeringmode/.qualcomm.DiagEnabled –es “code” “password” with the correct code you can become root!

— Elliot Alderson (@fs0c131y) November 13, 2017

Awesome! Thanks to @insitusec and the @NowSecureMobile team, we have the password! It’s now possible to root an @Oneplus device with a simple intent pic.twitter.com/gN0awYijBv

— Elliot Alderson (@fs0c131y) November 13, 2017

The best thing in this story is the password. It’s angela (see the reference?). This backdoor is here intentionally. When the fiction become a reality. Good luck @getpeid, you will need a very good explanation.
cc @whoismrrobot pic.twitter.com/IJgsu6hCEc

— Elliot Alderson (@fs0c131y) November 14, 2017

This exploit is just that, an exploit in the phone’s security. While the risk is low since enabling root requires ADB, it still poses a threat to users. OnePlus has been alerted to the exploit and CEO Carl Pei has confirmed that the company is looking into it. Hopefully, that ends with an update that removes the app.

Thanks for the heads up, we’re looking into it.

— Carl Pei (@getpeid) November 13, 2017

Check out 9to5Google on YouTube for more news:

More Info: 9to5google.com

Advertisements