Last night, we learned that an engineering app left on some OnePlus smartphones could contain a security flaw. Specifically, the EngineerMode app could unlock the Android bootloader and gain root-level access. There were concerns that this could be used as a ‘backdoor’ in cyber attacks, so OnePlus has responded to calm the situation.
In a post over on the OnePlus forum, an OxygenOS developer explained what the EngineerMode app is and how it works. While the app can enable adb root and grants privileges for adb commands, it does not let third-party apps access it. Aside from that, adb root is only accessible while in USB debugging mode. As a result, any attack would require physical access to the device.
“We’ve seen several statements by community developers that are worried because this apk grants root privileges. While it can enable adb root which provides privileges for adb commands, it will not let 3rd-party apps access full root privileges. Additionally, adb root is only accessible if USB debugging, which is off by default, is turned on, and any sort of root access would still require physical access to your device.”
While OnePlus itself does not see this “as a major security issue”, the OxygenOS devs are happy to remove adb root from the EngineerMode app to quell concerns. The update to remove adb root from EngineerMode will be packaged in with an upcoming OTA update.
KitGuru Says: This may not have been the most dangerous security flaw in existence, but it is good to see a company recognizing community concerns and addressing the issue.