Phone maker OnePlus is shipping devices with a diagnostics app that allows root superuser access to the smartphone, potentially exposing sensitive user data.
The issue was first discovered by mobile security researcher Robert Baptiste, who has published details of the vulnerability.
Baptiste found that OnePlus was shipping devices with the Qualcomm EngineerMode app - which is used by device makers for testing and diagnostics - with its OxygenOS customised version of Google's Android operating system.
The code for the app is digitally signed and contains a password with weak encryption that is easily discernible, security vendor NowSecure found.
Entering the password into the EngineerMode app provides permanent root access to the Android Debug Bridge process. Through the ADB, it is possible to get full access to all parts of OnePlus devices.
OnePlus has acknowledged the issue, and company founder Carl Pei said it is being investigated.
OxygenOS 4.5.1 on the OnePlus 3 and version 4.5.14 on the OnePlus 5 come with the EngineerMode app installed. NowSecure suggested deleting the app to remove the chances of it being misused.
While the vulnerability allows attackers to use the EngineerMode app to fully compromise devices, a mitigating factor is that local access to devices is needed - no remote exploit is available.
