OnePlus Backdoor May Not Have Been Apocalyptic But It Sure Exposes the Company’s Security Processes
Yesterday, an independent security researcher took social media by storm, alleging that all OnePlus phones ship with a backdoor. The backdoor in question is an app named EngineerMode, built by Qualcomm for factory and diagnostic purposes. The researcher later added that it was found on several other Android devices, albeit without some of the more intrusive functionality present in the OnePlus build. The Chinese company has now responded to the outcry, claiming that it isn’t such a big deal.
OnePlus backdoor isn’t a big deal because it requires physical access to the device
In a statement, the Shenzhen-based smartphone company has admitted that the app does indeed potentially enable attackers to root the device. But it will not let third-party apps access these privileges, refuting claims that a malicious app could use this backdoor for nefarious purposes. The company has also said that gaining root would still require physical access, which is why it doesn’t see it “as a major security issue.”
It has, however, promised that the root functionality will be removed from the app in a future update. Here’s the company’s response in full:
Yesterday, we received a lot of questions regarding an apk found in several devices, including our own, named EngineerMode, and we would like to explain what it is. EngineerMode is a diagnostic tool mainly used for factory production line functionality testing and after sales support.
We’ve seen several statements by community developers that are worried because this apk grants root privileges. While it can enable adb root, which provides privileges for adb commands, it will not let 3rd-party apps access full root privileges. Additionally, adb root is only accessible if USB debugging, which is off by default, is turned on, and any sort of root access would still require physical access to your device.
While we don’t see this as a major security issue, we understand that users may still have concerns and therefore we will remove the adb root function from EngineerMode in an upcoming OTA.
As OnePlus notes, the apk is intended as a factory and diagnostic tool used for tasks like GPS checks, hardware scans and the like. However, these types of features are commonly removed or disabled before devices ship to consumers, since there is a high chance of their being abused. While the smartphone company, which offers flagship features and premium design at affordable prices, does respond to security concerns almost immediately, the latest episode gives yet another hint that security is not yet a priority in its internal vetting processes.
“It’s not good,” Robert Baptiste, the researcher who first discovered the flaw, said. “In theory, this kind of app must be removed from the final release. But adds another operation in the factory, which costs time and is always complicated. So sometimes – often – companies decide to keep this app.”
Security by obscurity is a common practice.
In an email to Wccftech, Jon Clay, director of global threat communications for Trend Micro, said that “while the attack requires local access to the device, which minimizes the attack surface, any security issue that could allow an attacker to compromise a device should be taken seriously.” Researchers add that shipping devices without removing the app, or at least its more intrusive functionality, isn’t exactly catastrophic, since exploiting it does require physical access. However, it shows that a major security precaution was overlooked by the company.
This is the second security lapse from the company, which was caught collecting personally identifiable data only last month. At that time too, unlike some major tech companies, OnePlus was quick to respond and make amends, which makes us hope that the company will learn from these mistakes and eventually take security and privacy matters more seriously.