An application called EngineerMode was found on OnePlus devices (as well as other devices from different manufacturers). This app is used at the factory to test various functions of the device. However, it was left in the software builds that ship with the OnePlus 3, 3T, and 5.
A developer managed to use this very app to root the device by figuring out the password used to gain root access. This is definitely exciting for phone enthusiasts because it means that achieving root is surprisingly easy with affected devices. However, there’s still a backdoor in all of these devices that can grant root to anyone who knows what they’re doing, and that’s a security risk.
The risk isn’t huge, since you technically need ADB to take full advantage of it. Rogue apps shouldn’t be able to exploit EngineerMode for root access. Nonetheless, it’s a backdoor many wouldn’t want on their devices.
OnePlus responded to the issue with a statement:
Yesterday, we received a lot of questions regarding an apk found in several devices, including our own, named EngineerMode, and we would like to explain what it is. EngineerMode is a diagnostic tool mainly used for factory production line functionality testing and after sales support.
We’ve seen several statements by community developers that are worried because this apk grants root privileges. While, it can enable adb root which provides privileges for adb commands, it will not let 3rd-party apps access full root privileges. Additionally, adb root is only accessible if USB debugging, which is off by default, is turned on, and any sort of root access would still require physical access to your device.
While we don’t see this as a major security issue, we understand that users may still have concerns and therefore we will remove the adb root function from EngineerMode in an upcoming OTA.
Thankfully OnePlus will fix the issue with a software update, so people have nothing to worry about. Until then, don’t let anyone take your phone for extended periods of time or it might come back rooted!