The OnePlus EngineerMode imbroglio
The smartphone company OnePlus this month was found to have shipped phones with an app installed that could root the phones.
The app is called “EngineerMode,” and it’s the kind of diagnostic software often installed on prototype or pre-shipping phones but removed or never installed on phones to be shipped to the public.
There are three ways to activate “EngineerMode”: with a dialer command, the Android activity launcher or the command line.
The feature of the app that enables root access is password-protected, but it was a bad password quickly discovered and shared online. Exploiting the app requires physical access to the phone.
(OnePlus didn’t respond to my request for comment.)
OnePlus said in a blog post that the company doesn’t “see this as a major security issue” because of the unlikely combination of factors required to exploit it, but that the company will remove the app in an upcoming software update.
EngineerMode was a modified Qualcomm app, and there’s some evidence that other phones, including phones from Asus and Xiaomi, may contain similar apps.
While it’s possible that a major smartphone company might ship a phone without knowing exactly what software is installed, that possibility seems unlikely to me.
It’s more likely that OnePlus decided on purpose to include EngineerMode on the phone to speed manufacturing — skipping the time-consuming process of doing an uninstall on every phone.
If OnePlus’s assurances that EngineerMode doesn’t represent a “major security issue” are accurate, then including the software was the right thing to do.
But including it secretly without explicitly informing users and telling them how to uninstall it was the wrong thing to do.
Why smartphone customers must demand trust
Deliberately installing features that create potential security risks (or even features that users believe create such risks) and then not even informing customers about those features reveals a new dismissive, condescending and cavalier attitude toward buyers.
In all three cases, these smartphone companies have taken control away from the users by hiding activity.
In all three cases, the companies are saying, in effect, “We trust ourselves, so users don’t need the information to make their own decisions on these features.”
Android phones secretly transmitted location data after users specifically turned off location services.
iOS 11 phones’ Wi-Fi and Bluetooth radios secretly remained on and functioning after users specifically turned off Wi-Fi and Bluetooth.
OnePlus phones contained a secret app capable of rooting the phone.
Neither the Google Cell ID behavior nor the OnePlus EngineerMode app were disclosed by the companies, but addressed and remedied only once discovered by researchers.
That fact makes me wonder what else is happening on our phones we don’t know about.
Sign up for Computerworld eNewsletters.