OnePlus To Address EngineerMode App’s Backdoor Root Access

November 15, 2017 - Written By Dominik Bosnjak

OnePlus on Tuesday vowed to address the recently discovered vulnerability in its devices that would theoretically allow them to be rooted in a discreet manner, according to a statement posted by a company official on its official forums. The security flaw itself is tied to the EngineerMode Android app, a diagnostics mobile tool made by Qualcomm that OnePlus reportedly left on some of its devices by mistake. The Chinese original equipment manufacturer acknowledged concerns raised online in the last 24 hours, confirming that EngineerMode is truly capable of enabling ADB Root, i.e. root privileges for ADB commands. The company still doesn’t consider the mere existence of the app to be a major security vulnerability, largely because EngineerMode cannot transfer full root privileges to a third-party app, which somewhat limits its potential as an attack vector for hackers.

As things stand right now, EngineerMode would allow an attacker to interact with your device with full root privileges if they had physical access to it and knew the app’s password, OnePlus said. The latter barrier is reportedly more surmountable than initially expected, with the diagnostics app itself supposedly not doing an effective job of hiding its “Angela” password. Regardless, because the attacker would need physical access to the device in order to gain root access to it via EngineerMode, OnePlus doesn’t consider the existence of the diagnostics tool a major security vulnerability, especially since not even that scenario would allow for backdoor root privileges to be granted to potentially malicious apps. Due to concerns raised by the OnePlus community, the company still promised to eliminate the newly discovered app as part of its next over-the-air (OTA) update to OxygenOS.

While the threat posed by the Qualcomm-made app is being downplayed by the BBK Electronics-owned phone maker, its very existence was still considered a vulnerability due to the fact that it wasn’t intentional. If you aren’t keen on waiting for the promised OTA update to arrive, you can also manually uninstall EngineerMode from your device’s Settings. The Shenzhen-based company addressed the matter less than two days before it’s set to announce its next Android flagship in the form of the OnePlus 5T.