OnePlus is among the most well-known Android brands in the technology community. With the brand luring in a ton of Android enthusiasts, it is bound to have users who want to dive deeper into the phone. An Android developer, along with a cyber security team, appears to have found a backdoor in OnePlus’s phones.
<Thread> Hey @OnePlus! I don't think this EngineerMode APK must be in a user build…🤦♂️
This app is a system app made by @Qualcomm and customised by @OnePlus. It's used by the operator in the factory to test the devices. pic.twitter.com/lCV5euYiO6
— Baptiste Robert (@fs0c131y) November 13, 2017
With the company also having been called out almost a month earlier for mining data from its users, it has found itself in hot water more than three times this year: first, when it was found exploiting synthetic benchmarks for higher scores; second, for mining user data; and third, for keeping a backdoor open in its smartphones.
https://mobile.twitter.com/fs0c131y/status/930128672023072769
The researchers, exploiting the app's libraries with the help of ADB shell commands, found what seems to be a default password set by Qualcomm for OEMs to work on. Once embedded into OnePlus’s OxygenOS, it creates a loophole waiting to be exploited.
If the verification is passed the password hash is stored in /data/backup/fpwd pic.twitter.com/lkcWlr7Wfb
— Baptiste Robert (@fs0c131y) November 13, 2017
While many users may not like this, the fact that OnePlus left this open for more than a while makes me worried about the casual user who isn’t tech-savvy enough to fix this exploit.
OnePlus’s Carl Pei has promised to look into the matter. Let’s just hope it gets an update.