Some OnePlus devices come with the EngineerMode APK pre-loaded on them, which reportedly acts as a backdoor, giving people root access without the need to unlock the phone. This app is used by OnePlus to ensure that a device is working properly before it leaves the factory. A developer has found that the application can be manipulated into granting backdoor root access.
The app can diagnose the Global Positioning System (GPS), check the root status, perform a series of automated tests, and more. Hopefully OnePlus will remove the application from its devices with an update, all the way back to the OnePlus One. The developer also stated that by invoking the "DiagEnabled" activity found in the APK with a specific password, it is possible to root the device. It is alarming how easily someone can get access to your smartphone in this day and age. "So it's not unsafe, it just means anybody with the password can plug your phone to a computer and take all your data."
The developer, with the help of a few cybersecurity experts, was able to discover the password and root a OnePlus device with a few commands. OnePlus has been alerted to the exploit, and CEO Carl Pei has confirmed that the company is looking into it. It looks to be an issue on the OnePlus 5T as well. After the app was brought to attention, security outfit NowSecure reverse engineered it and found that it could easily be exploited with a simple ADB command to enable a backdoor into devices that have the application installed. He discovered that his OnePlus 2 device was sending data to an HTTPS domain belonging to OnePlus (open.oneplus.net), with the data transmitted to Amazon Web Services.