OnePlus has again caused alarm among its users over tools it uses to manage devices.
Only last month OnePlus was criticized for collecting too much personal information about users without gaining their consent. It subsequently made changes to collect only what was necessary and created an opt-in process for users to provide usage analytics.
However, the latest alarm is a security flaw linked to an app called EngineerMode, a diagnostics tool created by Qualcomm but customized by OnePlus to the extent that the chipmaker says it isn't its product anymore.
It appears the app should be on firmware builds used by OnePlus engineers but not builds for the general public.
As Android Police reports, EngineerMode is installed on the OxygenOS-based OnePlus 3, 3T, and 5. While it's just a OnePlus diagnostics tool that can check whether a device is rooted, a OnePlus owner who uses the Twitter name Elliot Alderson -- the main character in Mr Robot -- and security firm NowSecure discovered that the app itself can be used to root the device.
NowSecure criticized OnePlus for using an easily reversed hash of a password for the app, which turned out to be 'angela'.
Once known, it can be used in a PC-to-phone command from the Android Debug Bridge (ADB) to give root privileges to the phone, which creates a backdoor that persists after reboot, according to NowSecure. It also said a diagnostics app like this one shouldn't be on publicly available firmware, as it introduces risks to end-users.
A potentially worse scenario is if a malicious third-party app could exploit the weak password.
OnePlus denied that this situation is a major security issue but has still promised to remove the ADB root function from EngineerMode in an update. It also pointed out a few mitigating circumstances and that EngineerMode will not let third-part apps access full root privileges.
"We've seen several statements by community developers who are worried because this apk grants root privileges. While, it can enable adb root, which provides privileges for adb commands, it will not let third-party apps access full root privileges. Additionally, adb root is only accessible if USB debugging, which is off by default, is turned on, and any sort of root access would still require physical access to your device," OnePlus said in a statement on its user forums.
"While we don't see this as a major security issue, we understand that users may still have concerns and therefore we will remove the adb root function from EngineerMode in an upcoming OTA."
However, OnePlus may need to make further changes after Elliot Alderson found another app that probably shouldn't be on devices for the public.
Called OnePlusLogKit, this app logs Wi-Fi, NFC, GPS, and other components and then stores them unencrypted on the device's SD card, according to a series of tweets by Elliot Alderson. He points out that any apps with the READ_EXTERNAL_STORAGE permission can read these files.