More bad news for OnePlus… on the eve of a new product announcement they’ve been accused of backdooring their devices, allowing an attacker with physical access to gain root access without having to unlock any bootloaders, which we all know would wipe any and all sensitive data from your phone, right? Anyone? Bueller…?
Anyway, as privacy scares go, this one has been blown out of proportion just a bit. It’s still bad, but nowhere near as bad as the data that OnePlus was caught harvesting last month.
The “backdoor” here is actually a Qualcomm testing app called EngineerMode. With the correct password (which has already been reverse-engineered) it will indeed grant root access via the Android Debug Bridge (ADB). What it won’t do is allow malicious software with root privileges to be installed on your device. In fact, XDA has put their own spin on this vulnerability, citing it as a great new way for modders to root their OnePlus device.
OnePlus absolutely should have removed this app before shipping out hardware to their customers. As to why they didn’t, signs point to laziness rather than something more nefarious. Oh, and by the way, some ASUS and Xiaomi phones were also sold with the same Qualcomm testing app on board.