They found that the application - used for factory testing - could be easily used to gain root access to phones. But the team proved it can be done without a whole lot effort, which in turn leaves a lot of OnePlus devices vulnerable.
This nonetheless raises questions over why is the device shipping with this app (presumably it has just been overlooked) and whether it's available on other Qualcomm devices. In a Twitter thread, the developer explained how he was able to gain root access and surprisingly, the app has been pre-installed on all current OnePlus phones, and on OxygenOS for OnePlus One. It's used to run system tests for things like GPS, vibration, screen brightness, and also root checking. The developer also stated that deploying the "DiagEnabled" activity found in the APK with a specific password, it is possible to root the device.
Root implies to the highest degree of access to an Android operating system that is usually deployed to safeguard the privacy of the user. "So it's not unsafe, it just means anybody with the password can plug your phone to a computer and take all your data". The app gives unprecedented access to a host of security-sensitive features of your phone, with the worst offender being the "all clear" command, which would erase all data on the phone, internal storage and all.
U-Tennessee Sacks Saugatuck's Butch Jones as Grid Coach
Butch Jones apparently isn't too interested in keeping the recruiting class he assembled in place at Tennessee . Numerous reports Sunday morning say Jones was sacked ; Fox Sports' Bruce Feldman was the first to report it.
An apparent factory cockup has left many OnePlus Android smartphones with an exposed diagnostics tool that can be exploited to root the handsets. OnePlus co-founder Car Pei tweeted that the company will look into the claims made by the developer.
Thanks for the heads up, we're looking into it. He discovered that his OnePlus 2 device was sending data to an HTTPS domain, which was transmitted to Amazon Web Services and belongs to OnePlus (open.oneplus.net domain).