OnePlus root 'backdoor': What it is, what it isn't, and what you need to know [update]
You might have heard that OnePlus left a "backdoor" in the OnePlus 3, the OnePlus 3T, and OnePlus 5 that could be used to root a phone without unlocking the bootloader. If you're the type of person who thinks this is great news, you already know where to look for instructions and downloads to play with it yourself. But if you're not into all this sort of thing you probably have some questions, especially if you have a OnePlus phone yourself. As well you should, since there's a good chance you have a lot of your personal information stored on your phone and would like to keep much of it private.
So let's talk about what it is we're seeing and everything you need to know about it.
Update: OnePlus has responded to the claims in its official forums:
The 'backdoor'
Backdoor is a great description of what's going on because that really is what's happening. There is a piece of software on the affected OnePlus phones that can be used to gain control of the system. But it was never meant to be there once the phone went up for sale.
The app in question initially comes from Qualcomm, which makes the SoC for all OnePlus phones. It's a special app (yes, it's basically just an app) provided by Qualcomm that a company that makes phones using Qualcomm hardware can use to test features and functions of that Qualcomm hardware during development.
Qualcomm provides this type of app to every company that buys its hardware, though it's tailored to the chipset version a good bit so it can be different from phone to phone. Normally, it is removed when the final shipping software is built and flashed on to retail phones, but sometimes it gets forgotten and left behind. That's what happened here, and a fellow by the name of Elliot Alderson found it in a OnePlus device.
<Thread> Hey @OnePlus! I don't think this EngineerMode APK must be in an user build...🤦♂️
This app is a system app made by @Qualcomm and customised by @OnePlus. It's used by the operator in the factory to test the devices. pic.twitter.com/lCV5euYiO6<Thread> Hey @OnePlus! I don't think this EngineerMode APK must be in an user build...🤦♂️
This app is a system app made by @Qualcomm and customised by @OnePlus. It's used by the operator in the factory to test the devices. pic.twitter.com/lCV5euYiO6— Elliot Alderson (@fs0c131y) November 13, 2017November 13, 2017
As an aside, it's also been found in one of the ASUS Zenfones, inside an MIUI ROM, in the Redmi 3S and the OnePlus 5T that doesn't officially exist, but everyone already knows has been shown to at least a few people. So seeing it on a retail phone isn't exactly unheard of.
Get the top Black Friday deals right in your inbox: Sign up now!
Receive the hottest deals and product recommendations alongside the biggest tech news from the Android Central team straight to your inbox!
An Android app is like a Zip file
You might already know this, but an Android .apk file is a compressed folder and can be opened with a program like 7 Zip, or even by changing the file extension to .zip and using a regular file browser. Alderson did just that to the engineering app he found, and that gave access to the components of the app including some compiled bytecode — the kind that's pretty easy to decompile. And that's what he did.
He found a couple functions of the app that were interesting from a security point of view. One specifically that would give a user admin privileges (root) through the Android Debug Bridge. You'll find the decompiled source of the app here, but the method that's causing all the fuss is labeled as "escalatedup" and you use it by calling it true or false, then providing a password.
If you can provide the right string for the password when you call the method, it sets the system properties "persist.sys.adbroot" and "oem.selinux.reload_policy" to true, which means you have a persistent root access through adb and can change the file system to physically root the device.
And the internet quickly ran with this, because it's awesome and terrifying all at once. Awesome for people who want to root their OnePlus phone without unlocking the bootloader, and terrifying for people who see the word "backdoor" tied to their phone.
The password
Finding an encrypted password isn't easy. But without that password, this app and the method that would grant root access doesn't really do anything. After a bit of work over the weekend, Alderson and some other researchers found it. It's "angela."
With the password in hand, it was as easy as sending the right command and Alderson was then able to do anything he wanted, including adding the files necessary to permanently root the phone. Alderson says he will be releasing a tool so you can do this easily with your own OnePlus phone soon.
What does this mean for people who don't want a rooted phone?
Luckily, not much. It uses ADB so it's very unlikely someone can hack your phone without you knowing. But there is always a chance that someone will be able to exploit this remotely or through another app without you knowing. The fix is easy — OnePlus sends out an update right away that removes the factory engineering app. As in, do it right now.
Another question is why the app was left in the software and if there was any malicious intent behind it. OnePlus has come under fire recently for some unethical data collection. Could they also have placed a backdoor so the can spy on users? Anything's possible, but as mentioned, this isn't the only time we've seen this app get left behind. Still, if this was unintentional it's very sloppy work from the company — and if intentional, calls for tar and feathers sound reasonable.
OnePlus CEO Carl Pei has responded, though it's as non-committal as you'd imagine.
Thanks for the heads up, we're looking into it.Thanks for the heads up, we're looking into it.— Carl Pei (@getpeid) November 13, 2017November 13, 2017
Blaming Qualcomm here is misguided. It simply provides a software test suite that a manufacturer needs to build a phone using their stuff. Hate on Qualcomm for the way its SEPs are priced if you need a reason to hate, not for this.
For its part, a Qualcomm spokesperson issued AC the following statement, saying that the EngineeringMode app was not from the company:
What to do if you find this app on your phone
Look in the app list on your phone by opening the Settings, tapping Apps then tapping Show system apps and see if EngineerMode is on the list. If so, you have this app on your phone and you have two options.
- Get in touch with Alderson through Twitter if you want to help see if your phone can be rooted with the engineering app.
- Contact the company you bought your phone from so they know that need to do something about it if you'd rather not have a possible exploit in your app list.
There is no guarantee either of these choices will be effective. Encrypted passwords are tough to crack and companies who make and sell Android phones hate to update them. Advanced users could (in theory) use any root exploit to gain elevated privileges then remove the offending app, but all sorts of chaos could happen if not done just the right way. And probably even if you did do it the right way. Unfortunately, this is the only advice we can give.
The final bit of good news is that Google is surely more unhappy about this than anyone else involved. This is exactly the type of exploit that gets patched every month, and allowing root without unlocking the bootloader defeats several layers of security that Google demands stay intact. Google will certainly pressure OnePlus and others to address this (and likely assist any way they can, because the security team is cool like that). And Google might even make some changes so these kinds of loopholes will stop working in future versions.
For now, though, enjoy this if you want to root your phone. If you don't, be careful what you install and don't panic. At least not yet.
Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Threads.