OnePlus inadvertently left a backdoor on its phones (updated)

OnePlus' security troubles aren't over yet. Users have discovered that many of the company's phones from the past few years (including the OnePlus 5) include a Qualcomm testing app, EngineerMode, that lets you get root-level access to the phone without having to unlock its bootloader. An attacker would likely need physical access to your phone to do any damage, but that still means they could insert trackers or otherwise compromise your phone with very little effort.

At first glance, it looks like this is an accident rather than any kind of malicious behavior. The app is normally hidden until you tell Android to show system apps, so you might not notice it unless you went looking for it.

Company chief Carl Pei says his team is "looking into" the software's presence. If it's as widespread as it appears to be, there's a good chance you'll see a software update removing EngineerMode. However, the discovery isn't exactly confidence-inspiring. Between this and previously aggressive data collection, it looks like OnePlus hasn't been paying particularly close attention to security or privacy on its devices. It'll need to run a tighter ship if it wants to persuade users that its software is trustworthy.

Update: OnePlus has issued a statement that recaps the nature of EngineerMode and its threat (again, you need physical access to cause havoc). It's promising to remove the root function from EngineerMode through a future over-the-air update.

Update 2: Qualcomm has looked into EngineerMode and says this isn't its app. There are traces of Qualcomm code, but someone else wrote the bulk of it. We've asked OnePlus if it can comment on this and will let you know what it says, but you can read the full statement below in the meantime.