You might have heard that OnePlus left a "backdoor" in the OnePlus 3, the OnePlus 3T, and OnePlus 5 that could be used to root a phone without unlocking the bootloader. If you're the type of person who thinks this is great news, you already know where to look for instructions and downloads to play with it yourself. But if you're not into all this sort of thing you probably have some questions, especially if you have a OnePlus phone yourself. As well you should, since there's a good chance you have a lot of your personal information stored on your phone and would like to keep much of it private.
So let's talk about what it is we're seeing and everything you need to know about it.
Update: OnePlus has responded to the claims in its official forums:
Backdoor is a great description of what's going on because that really is what's happening. There is a piece of software on the affected OnePlus phones that can be used to gain control of the system. But it was never meant to be there once the phone went up for sale.
The app in question initially comes from Qualcomm, which makes the SoC for all OnePlus phones. It's a special app (yes, it's basically just an app) provided by Qualcomm that a company that makes phones using Qualcomm hardware can use to test features and functions of that Qualcomm hardware during development.
Qualcomm provides this type of app to every company that buys its hardware, though it's tailored to the chipset version a good bit so it can be different from phone to phone. Normally, it is removed when the final shipping software is built and flashed on to retail phones, but sometimes it gets forgotten and left behind. That's what happened here, and a fellow by the name of Elliot Alderson found it in a OnePlus device.
<Thread> Hey @OnePlus! I don't think this EngineerMode APK must be in a user build...🤦♂️
This app is a system app made by @Qualcomm and customised by @OnePlus. It's used by the operator in the factory to test the devices. pic.twitter.com/lCV5euYiO6
— Elliot Alderson (@fs0c131y) November 13, 2017
As an aside, it's also been found in one of the ASUS Zenfones, inside an MIUI ROM, in the Redmi 3S and the OnePlus 5T that doesn't officially exist, but everyone already knows has been shown to at least a few people. So seeing it on a retail phone isn't exactly unheard of.
An Android app is like a Zip file
You might already know this, but an Android .apk file is a compressed folder and can be opened with a program like 7-Zip, or even by changing the file extension to .zip and using a regular file browser. Alderson did just that to the engineering app he found, and that gave access to the components of the app, including some compiled bytecode — the kind that's pretty easy to decompile. And that's what he did.
He found a couple of functions in the app that were interesting from a security point of view, and one in particular grants a user admin privileges (root) through the Android Debug Bridge. You'll find the decompiled source of the app here, but the method that's causing all the fuss is labeled "escalatedup": you call it with true or false and then provide a password.
If you provide the right string for the password when you call the method, it sets the system properties "persist.sys.adbroot" and "oem.selinux.reload_policy" to true, which means you have persistent root access through adb and can change the file system to root the device permanently.
And the internet quickly ran with this, because it's awesome and terrifying all at once. Awesome for people who want to root their OnePlus phone without unlocking the bootloader, and terrifying for people who see the word "backdoor" tied to their phone.
Finding an encrypted password isn't easy. But without that password, this app and the method that would grant root access doesn't really do anything. After a bit of work over the weekend, Alderson and some other researchers found it. It's "angela."
With the password in hand, it was as easy as sending the right command and Alderson was then able to do anything he wanted, including adding the files necessary to permanently root the phone. Alderson says he will be releasing a tool so you can do this easily with your own OnePlus phone soon.
What does this mean for people who don't want a rooted phone?
Luckily, not much. It uses ADB, so it's very unlikely someone can hack your phone without you knowing. But there is always a chance that someone will be able to exploit this remotely or through another app without you knowing. The fix is easy — OnePlus sends out an update right away that removes the factory engineering app. As in, do it right now.
Another question is why the app was left in the software and whether there was any malicious intent behind it. OnePlus has come under fire recently for some unethical data collection. Could they also have placed a backdoor so they can spy on users? Anything's possible, but as mentioned, this isn't the only time we've seen this app get left behind. Still, if this was unintentional it's very sloppy work from the company — and if intentional, calls for tar and feathers sound reasonable.
OnePlus CEO Carl Pei has responded, though it's as non-committal as you'd imagine.
Blaming Qualcomm here is misguided. It simply provides a software test suite that a manufacturer needs to build a phone using their stuff. Hate on Qualcomm for the way its SEPs are priced if you need a reason to hate, not for this.
For its part, a Qualcomm spokesperson issued AC the following statement, saying that the EngineeringMode app was not from the company:
What to do if you find this app on your phone
Look in the app list on your phone: open Settings, tap Apps, then tap Show system apps and see whether EngineerMode is on the list. If so, you have this app on your phone and you have two options.
- Get in touch with Alderson through Twitter if you want to help see if your phone can be rooted with the engineering app.
- Contact the company you bought your phone from so they know they need to do something about it if you'd rather not have a possible exploit in your app list.
There is no guarantee either of these choices will be effective. Encrypted passwords are tough to crack and companies who make and sell Android phones hate to update them. Advanced users could (in theory) use any root exploit to gain elevated privileges then remove the offending app, but all sorts of chaos could happen if not done just the right way. And probably even if you did do it the right way. Unfortunately, this is the only advice we can give.
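If you'd rather check from a computer than scroll through Settings, the two things worth looking at are whether the EngineerMode app is installed at all and whether the two properties described above ("persist.sys.adbroot" and "oem.selinux.reload_policy") are already set to true, which would mean the root path has been triggered on that phone. The script below is an added example, not code from the article or from OnePlus; it parses the output of `adb shell pm list packages -f` and `adb shell getprop`, and the embedded sample output and package name are constructed placeholders.

```python
import re
import subprocess

# Properties the article says the escalatedup method sets to "true" once the password is accepted.
ROOT_PROPS = ("persist.sys.adbroot", "oem.selinux.reload_policy")

# Constructed sample output in the formats of `adb shell pm list packages -f`
# and `adb shell getprop`; the engineering package name is a placeholder, not the real one.
SAMPLE_PACKAGES = """\
package:/system/app/Calculator/Calculator.apk=com.android.calculator2
package:/system/app/EngineerMode/EngineerMode.apk=com.example.engineermode.placeholder
package:/data/app/com.example.notes-1/base.apk=com.example.notes
"""
SAMPLE_PROPS = """\
[persist.sys.adbroot]: [true]
[oem.selinux.reload_policy]: [false]
[ro.build.type]: [user]
"""

def find_engineer_mode(pm_output):
    """Return package names whose APK path or name contains 'engineermode' (case-insensitive)."""
    hits = []
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+?)=(\S+)$", line.strip())
        if m and "engineermode" in (m.group(1) + m.group(2)).lower():
            hits.append(m.group(2))
    return hits

def parse_getprop(getprop_output):
    """Turn `[key]: [value]` lines from getprop into a dict."""
    return dict(re.findall(r"\[([^\]]+)\]: \[([^\]]*)\]", getprop_output))

def root_props_enabled(props):
    """Properties from ROOT_PROPS that are currently 'true', i.e. the root path was already used."""
    return [p for p in ROOT_PROPS if props.get(p, "").lower() == "true"]

def assess(pm_output, getprop_output):
    """Verdict: app present (exposure) and/or root properties flipped (already triggered)."""
    return {
        "engineer_mode_packages": find_engineer_mode(pm_output),
        "root_props_true": root_props_enabled(parse_getprop(getprop_output)),
    }

def adb_shell(cmd):
    """Run a command on the USB-attached device via adb (assumes adb is on PATH and debugging is on)."""
    return subprocess.run(["adb", "shell", cmd], capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    # Live check against the attached phone; swap in SAMPLE_PACKAGES / SAMPLE_PROPS to dry-run offline.
    print(assess(adb_shell("pm list packages -f"), adb_shell("getprop")))
```

An empty `engineer_mode_packages` list means the app is gone (or was never there); a non-empty `root_props_true` list on a phone you never rooted is the signal worth taking seriously.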
The final bit of good news is that Google is surely more unhappy about this than anyone else involved. This is exactly the type of exploit that gets patched every month, and allowing root without unlocking the bootloader defeats several layers of security that Google demands stay intact. Google will certainly pressure OnePlus and others to address this (and likely assist any way they can, because the security team is cool like that). And Google might even make some changes so these kinds of loopholes will stop working in future versions.
For now, though, enjoy this if you want to root your phone. If you don't, be careful what you install and don't panic. At least not yet.
Interesting... And definitely not good from a PR standpoint. Unfortunately, it'll probably be patched out within a week.
This is why I stick with stock Android on Pixel/Nexus phones. I do like some of the features on the non Google devices but if you're a security first phone type it's tough to justify not going the Google phone route or, heaven forbid, iOS.
It's a feature, not a bug 😋. (Seriously though, with the direction OnePlus is heading I think the 3T is my last phone from them.)
In favor of what?
I love rooting my phones, especially once the manufacturer stops officially supporting them. That being said, how in the hell does this make it out of QC? No phone should leave the factory with this installed, especially not over multiple models of phones over the years. That's when it's no longer a mistake.
"over the years" It's only this year and last year. Nobody has come forward with it being on the One or 2 or X. The 3 was released on June 14 2016, less than 2 (less than 1½) years ago.
f_ c. u k One Plus
plain and simple. 2 "errors" of this kind overlooked for as long as a year or so, ain't no accidental. This company can't be trusted and it's obvious now how they managed 2 deliver premium hardware at low prices.
consumers should vote these practices out of business (with their wallets)
I don't love any kind of exploit, but I'm not too worried about this one. If someone steals my phone, knows about this exploit, knows how to use adb, and is able to get into my personal business, shame on me.
I fail to see the big deal. Threat is negligible as you'd have to physically have access to the phone to exploit it. That's not happening. The gain is tremendous. Easy way to root the phone, drop the binaries in, install SuperSU, and have a locked bootloader with root. It's a win/win.
I'm not very familiar with oneplus, but why would one want to use an exploit to root on a device that has an unlockable bootloader? laziness? the only time I've ever elevated via an exploit was on Galaxy Nexus (of the Verizon type) since getting an ota to 4.0x was about impossible with Verizon's obstructions.
FBI will love these phones, they should get this for their employees.