Slashdot Mirror

← Back to Stories (view on slashdot.org)

OnePlus Phones Come Preinstalled With a Factory App That Can Root Devices (bleepingcomputer.com)

Posted by msmash on from the meanwhile-in-Chinese-phones dept.

Catalin Cimpanu, writing for BleepingComputer: Some OnePlus devices, if not all, come preinstalled with an application named EngineerMode that can be used to root the device and may be converted into a fully-fledged backdoor by clever attackers. The app was discovered by a mobile security researcher who goes online by the pseudonym of Elliot Alderson -- the name of the main character in the Mr. Robot TV series. Speaking to Bleeping Computer, the researcher said he started investigating OnePlus devices after a story he saw online last month detailing a hidden stream of telemetry data sent by OnePlus devices to the company's servers.

30 of 73 comments (clear)

  1. Factory root is a feature. by CptLoRes · · Score: 5, Informative

    Seriously no joke. Once you have gotten used to a rooted phone features like full file access etc, there is no going back.

    1. Re:Factory root is a feature. by Anonymous Coward · · Score: 3, Insightful

      Going from the Nexus4 running LineageOS to a Nexus6P, I stopped rooting. Stock Android had become "good enough" for what I wanted and the only thing I was "missing" was arrow keys in the navbar to move the cursor, which you're now able to turn on through ADB.

      But yeah, reading the headline I thought it was describing a feature, not a complaint. I was thinking "that sure is convenient that they can just press a 'be rooted' button in an app and not need to use a PC"

    2. Re:Factory root is a feature. by Anonymous Coward · · Score: 1

      I'm sure there is a place for you. somewhere on redit maybe, but slashdot isn't it. Maybe there is a walled guard you might enjoy.

      I think I would have more in common with Ukrainian bitcoin miners and would people in that garden and gladly pay extra for a phone 'not designed' to protect you.

    3. Re:Factory root is a feature. by azrael29a · · Score: 1

      So install a Ukranian bitcoin mining program I guess? That has nothing at all to do with root. Do you even know how any of this works?

      These days it only requires browsing a specific web page. No need to install any app.
      A Surge of Sites and Apps Are Exhausting Your CPU To Mine Cryptocurrency

    4. Re:Factory root is a feature. by alexo · · Score: 1

      Serious question:

      I have an non-rooted Nexus 5 which I've been quite happy with, as it does what I want it to do.
      Unfortunately, Google no longer offers security updates for the phone, so I guess that my best option going forward is to root it and install Lineage or some other ROM.

      What would be the most straightforward and least painful way of going about it? I understand that backup can be a problem.

      Thanks.

    5. Re:Factory root is a feature. by DigitAl56K · · Score: 1

      Sure is! Can't wait until every cop who pulls you over clones your entire phone with the backdoor!

  2. Awesome! by Opportunist · · Score: 4, Insightful

    No longer you have to tinker around and find an app you can install to root your device, now you can root it out of the box, delete the app to root it and you have a rooted device.

    And even one where OnePlus cannot complain about you voiding your warranty by rooting it. Because who said you did it and not some malicious actor, using what they themselves handed to him?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Awesome! by Anonymous Coward · · Score: 1

      OnePlus don't invalidate warranties for rooting anyway.

  3. Oneplus X by ichthus · · Score: 3, Interesting

    I have an X, and I love it. The first thing I did after taking it out of the box was install TWRP and Cyanogen. Currently running LineageOS 14.1. Aside from the so-so camera, this is a great phone.

    --
    sig: sauer
    1. Re:Oneplus X by bluefoxlucid · · Score: 1

      Same. Lineage OS on my OPO; looking at Resurrection Remix for OnePlus 5.

      --
      Support my political activism on Patreon.
    2. Re:Oneplus X by Anonymous Coward · · Score: 1

      posting AC to protect moderation

      Oneplus One here with LineageOS (https://download.lineageos.org/bacon) and except for compass calibration it runs better than it did with original firmware. And I can have current security patch level within a week

  4. Exists on OnePlus 3T by chill · · Score: 3, Interesting

    This exists on my OnePlus 3T. When listing apps on the phone, there is an option to Show System Apps. You need to turn that on to see EngineerMode.

    "Test Root" is one of the many functions it offers from the main screen. I don't see a way to *gain* root without using the adb command.

    --
    Learning HOW to think is more important than learning WHAT to think.
  5. How is this different than OEM signed apps? by cloud.pt · · Score: 4, Interesting

    Let's get some facts straight:

    System apps are (or can easily become) root by design, so they can do a lot of things other apps can't. This is true for ANY OEM ROM since the anals of Android - preloaded apps are signed with developer keys, so they get API and Linux system privileges.

    System apps chose to perform anything they want, silently. They don't need to ask permission through UI for stuff like Runtime.exec("su"..., or access protected/secured Android API - they just do it. And even if they don't do it from factory, OEMs like Samsung can just put in place a system-level updater that force app updates (they do this actually with samsung store), and eventually turn system apps into something they originally were not.

    Now, Oneplus having an app, a preloaded one at that, which enables third-party apps to have root access is effectively unusual. I am indeed surprised Google sanctioned a ROM with such a feature, because Google does not want typical users circumventing most things Google Play, which can be done with root (common examples are adblocking through hosts files, or changing device properties such as for overclocking) . But then again, this feature is nothing special from a security standpoint. You will still get prompted by the OS whenever an app requests root even after this app turns root on for third-parties.

    So, what kind of exploit can be attained from this kind of app in OnePlus devices? Is there anything different than what you could with an app that is signed with dev keys and already has root access? If an actor is managing to trigger root through the EngineeringMode app automagically, he likely also can do similar stuff with system apps that do NOT allow root to thrid-party apps. They are already injecting code or input after all, they can very well go the extra mile and do it all at once. Why bother escalating another app when you're already in control of an escalated process?

    1. Re:How is this different than OEM signed apps? by cloud.pt · · Score: 4, Informative

      I just want to add the fact that before Samsung, Google Play itself updates without user prompt as soon as you get internet. The very first app that was self-updatable, and such an update is unblockable, is Google Play and Google Play Services themselves.

    2. Re:How is this different than OEM signed apps? by cloud.pt · · Score: 1

      I am triple posting just to make one thing very clear: Google, Samsung, and whatever OEM has an app that self-updates or that updates other apps unnatendedly, and most of all, without an opt-out setting, has a backdoor built-in. I'm gonna make it short and bold:

      • Any Android device with Google Play Services can potentially have a backdoor pushed at Google's discretion.
      • Same for Samsung's discretion, on any device with Galaxy Apps preinstalled (or whatever it's called this week), only by Samsung.
      • Same for Facebook's discretion, on any device with it preinstalled, specifically the package com.facebook.appmanager (I believe applies throughout OEMs, but cammy is also a usual suspect).
      • Any and all OEMs have the potential to push OTAs/ROMs with sudoer apps that eventually do the same, or even have backdoors baked in the image itself.

      There is absolutely nothing you can do about this, other than having a full open source version of Android on your device (unlikely even with custom ROMs, as they usually depend on closed driver blobs). And even then you're putting faith that both the kernel, the hardware or the pre-boot aren't tampered.

    3. Re:How is this different than OEM signed apps? by Hentes · · Score: 2

      According to the article this "vulnerability" can only be exploited through adb which pretty much limits it to cases where the attacker already has physical access to the device.

    4. Re:How is this different than OEM signed apps? by cloud.pt · · Score: 1

      Which in turn means dev options must be on, for which the OnePlus must be unlocked (screenlock-dismissed) to do so if not already. I'm also assuming it will need to allow the adb-triggering device to be authorized for adb on first prompt, again only doable on an unlocked OnePlus unless the attacker also has the user's PC.

      When a phone doesn't have security lockscreens in place, you can assume it's pretty much an open book - most installed apps such as gmail should have been "trusted" by now, and 2-factor authetications are rendered useless, well, because you have the phone. GG.

      So basically, unless the owner has no pin/password/fingerprint protection put in place, or is being coerced to create this set of conditions, we can pretty much assume that "vulnerability" is only going to be taken advantage of by the owners themselves. And that, as probably many here already noticed, is the very definition of "it's not a bug, it's a feature".

  6. I have that option in setrigs by kristofer.vesi · · Score: 1

    UMIDIGI Crystal Settings>DeveloperOptions>Root (switch) then enter 12 digit code (copypaste) and press root. After 2 minutes you can get a rooted device!

  7. How did we get to this brain-dead state by jabberw0k · · Score: 2

    What kind of insane dystopia is it, where even geeks do not question paying for computers that they do not control?

    1. Re:How did we get to this brain-dead state by cloud.pt · · Score: 1

      Indeed. Maybe my comment read otherwise, but I completely with you. Unfortunately this is becoming standard, and Android is just one example. Windows Home and it's snooping, it's Administrative Templates who nobody really cares about (wasn't regedit enough of a hassle?), it's unblockablae, P2P-based updates that will work on caped networks as long as one PC in the network has the update; Amazon and it's Kindle Fires and their closed stores; Apple...oh Apple; And Cloud services and storage - that is the dream of any company for supreme 1-sided control. The list goes on and on but monetization is taking precedence over function, and there is nobody at all trying to stop this. Even the EU with it's browser-choice mandate and anti-monopoly endeavours are an absolute joke on policy for such control being taken away.

      But geek as I am, I do see a mild point for making SOME things hard and for taking some things AWAY, and that point is support. Obviously companies want to monetize from apps and data, but they will always use this excuse, and this excuse is, nevertheless, valid - preventing user bad behavior is key to prevent bad behavior support, and a surefire way to excuse 90% liability for any product malfunction that can be linked to "abuse".

      Where one sees progress, others see regression. But we can definitely aggree things are moving forward, unless you're not being honest to yourself. Progress isn't always things going our own way, it's accepting the market moves by itself, and that the market autonomy is part of democratic, capitalist and global society we find ourselves in. You demand regulation on every single thing, and you are not acting that differently than the companies trying to reap benefits from taking some control from users to themselves.

  8. telemetry is dumb by originalGMC · · Score: 1

    From the article ... a hidden stream of telemetry data sent by OnePlus devices to the company's servers.

    When are we going to find out that this is a.) privacy violation; and b.) just dumb? Even if you can learn things about your users, even if that helps you, how is this better than talking to users? Asking questions? Getting honest feedback? Collecting telemetry is somehow ... dishonest. It's like you're lying to yourself, looking for a better picture, but what you're really getting is obfuscated view of truth. Sure, people clicked this, typed that, but if that's telling you something, then you're just hearing things.

  9. That isn't all they come with by p51d007 · · Score: 1

    As we have found out in the past.

  10. Writer and Editor are fucking idiots. by Dishevel · · Score: 3, Insightful

    This is what the owners of these phones WANT!
    They want full ownership over their device. Take you sensationalist bullshit and fuck off.

    --
    Why is it so hard to only have politicians for a few years, then have them go away?
    1. Re:Writer and Editor are fucking idiots. by cloud.pt · · Score: 1

      Actually, as I tried to explain in my comment, they are simply stating something for OnePlus hat actually also happens in any device. Any OEM can potentially covert one of its preloaded apps into a backdoor, or simply force installation of one signed with their keys, which grants them root.

      I believe this is called cherry-picking - in this case picking one OEM that does one (supposedly bad) thing, but not actually admiting everyone else can do the exact same...

      Every OEM app has root. Every OEM can turn your device into a bug (the cold-war, anti-privacy type, not the quality assurance, software-centric one) or even their IP Cam.

      All you have is the trust you place on these manufacturers' closed source. And this is why China government avoids Cisco or Google, and US gov. avoids Kaspersky or ZTE. Simple.

    2. Re:Writer and Editor are fucking idiots. by Dishevel · · Score: 1

      It is almost like you are retarded. That App is there to give the owner of the phone, wait for it ....

      Ownership over their phone! There are some companies that restrict the, "Owner" from owning their phone. One Plus though gives you the power.

      Bitching at people for allowing you to control your own phone because someone else might use it makes you a fucking idiot at best.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    3. Re:Writer and Editor are fucking idiots. by Dishevel · · Score: 1

      There are no HIDDEN APPS on One Plus phones.
      User has total file control. User can see it, modify it, delete it.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    4. Re:Writer and Editor are fucking idiots. by cloud.pt · · Score: 1

      I love the way I actually agreed with you, yet somehow you're so dumb, some might even say "almost retarded", to actually notice...

      If it wasn't clear: I APPRECIATE THE FACT ONEPLUS DOES THIS, AND MORE COMPANIES SHOULD ALLOW ROOT JUST LIKE SONY DID BACK IN 2011 BY JUST CLICKING A LINK. ...All I wanted was to make a fucking point that while OnePlus allows third-party, every other OEM also has the means to do it. In fact, they pretty much do it by preloading self-updater apps on their hardware such as Facebook App Manager or Galaxy Apps, they just don't allow third-party root at user discretion because Google might notice and they frown upon it...

      Now go find someone else to troll. I sense you still have some frustration left to vent. Just make sure you're not wasting it on someone who is just completing your fucking argument.

    5. Re:Writer and Editor are fucking idiots. by cloud.pt · · Score: 1

      Oh my god, you're dumber than I suspected, some might say "almost fanboy"... OnePlus are decent and all, but they're not the 2nd coming of GNU Jesus. They are a for-profit company backed by investors with investor interests, so take a fucking hint. Last time I checked they no longer provide source code on the OS their devices ship with.

    6. Re: Writer and Editor are fucking idiots. by Brockmire · · Score: 1

      Then don't start your reply post with "actually", which isn't often used when agreeing with someone. You caused this confusion. You used way more words than being straight to your point. You really don't have a point. Or the point that anyone CAN do this is immaterial, fucking talk about the others that do this NOW.

    7. Re:Writer and Editor are fucking idiots. by Dishevel · · Score: 1

      I never said they did anything other than give you total control over the files on your phone. Anything you read into that is on you. Created so that you could make someone other than yourself seem stupid.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?