Chinese smartphone maker OnePlus is accused of shipping its devices with a diagnostic app that allows root (superuser) access on its users' smartphones, potentially exposing sensitive data.
The flaw was first discovered by mobile security researcher Robert Baptiste, who found the vulnerability in June this year. Baptiste found that OnePlus was shipping devices with the Qualcomm Engineer Mode app, which is used for testing and diagnosing the device.
According to security vendor NowSecure, the app's code is digitally signed and contains a weakly encrypted password that is easily visible. Entering that password provides permanent root access to the Android Debug Bridge process.
OnePlus founder Carl Pei has already acknowledged the issue and announced that a fix will be made available after a thorough investigation. He added that phones using OxygenOS 4.5.1 on the OnePlus 3 and Android version 4.5.14 on the OnePlus 5 have the Engineer Mode app installed by default.
Meanwhile, Andrew Jaquith, the CTO of Perimeter E-Security, released a media statement saying that all phones which have a self-diagnostics tool have the ability to offer superuser privileges to hackers. He included some renowned names such as Samsung, BLU, and Lenovo in the list and said that such devices may also leak sensitive data to device manufacturers without the consent of users. Interesting, isn't it?
Note: OnePlus is a smartphone manufacturer headquartered in Guangdong, China. The company announced in March 2016 that its devices are being served to mobile phone users located in 38 countries and regions around the world.