According to rumours, two of OnePlus’ most recent flagships feature an app called EngineerMode that leaves them open to hacking. What exactly is it, and what dangers does it present? EngineerMode is a diagnostic tool created by Qualcomm and modified by OnePlus for pre-deployment device testing, and it is present in the OxygenOS production build. The OnePlus 5, 3T, and 3 are rumoured to come pre-loaded with the app. To find it, navigate to Settings > Apps > Menu (three dots on top-right) > Show System Apps. We can confirm that both of the OnePlus 5 devices used by our colleagues have EngineerMode (OxygenOS 4.5.14, build ONEPLUSA5000 23 171031).
EngineerMode can activate ADB root, granting privileges to ADB commands, although OnePlus claims that this will prevent third-party apps from accessing full root privileges. If the correct password is entered, EngineerMode will grant root access to the OnePlus device. It could therefore pose a serious security risk if knowledgeable reverse engineers are able to determine the password required to activate the diagnostic mode. Several online stories seem to imply that security researchers have disassembled the EngineerMode.apk binary using the free reverse-engineering tool Radare, decrypted the password, and triggered diagnostic mode on the device.
As rumours about EngineerMode began to circulate online, many Lenovo and Motorola consumers also reported the presence of the app on their handsets, which is not surprising given that the majority of both companies’ cellphones employ Qualcomm CPUs. Qualcomm and Lenovo have not yet made any public statements, but OnePlus has already responded to the problem by announcing that it will release an update that will disable the adb root feature in EngineerMode.