OnePlus has confirmed in a forum post that its phones (the OnePlus 3, 3T and 5) come pre-loaded with the EngineerMode app, which 'can enable adb root which provides privileges for adb commands'.
The app provides users with root-level access to the phone without needing to unlock its bootloader. By default, the bootloader on Android phones is locked, and unlocking (rooting) it requires a complex procedure for security reasons, which in most cases voids the warranty of the smartphone.
This provides a potential 'backdoor entry' for third-party apps to gain access to the device. In reply, OnePlus says 'adb root is only accessible if USB debugging, which is off by default, is turned on, and any sort of root access would still require physical access to your device.'
But now that the rabbit is out of the hat, an OTA update to disable the app will follow, says the company in the forum post.
Recently, OnePlus was in the news for a similar security flaw. It was found to be collecting millions of data points from user devices, which it said were taken as feedback for improving its software.
With the root access flaw, OnePlus smartphones don’t seem to be on solid ground in terms of security.