While most consumers focus on all the flashy features available with every new build of Android, it can be really easy to forget just how complex the software on our devices can be. In order to get everything working and ready for a public debut, it first needs to be safe. So, as you can expect, developers go through a battery of tests in order to ensure the experience is going to be as tight as it can be.
Naturally, you can’t plug all holes, even though developers may try, which is why bug bountry programs exist. One small miss could lead to tremendous consequences, and it could also have a lasting impact on the reputation of the brands involved. In this case, it looks like OnePlus is caught in a bit of trouble, with OxygenOS being exposed as having a “permission bypass vulnerability” by cybersecurity company Rapid7 (via BleepingComputer).
Hopefully OnePlus will act fast
This vulnerability appears to be quite serious considering that it spans across multiple versions of the OS, which can be found across a wide variety of its devices. Rapid7 was only able to test the issue on a small sample of OnePlus phones, but it states that the problem is most likely linked to more OnePlus handsets.
As far as the problem, the company stated that “the vulnerability allows any application installed on the device to read SMS/MMS data and metadata from the system-provided Telephony provider.” This occurs without any permission from the user, and it also doesn’t require any user interaction. Basically, this all happens silently in the background without anyone really knowing.
As you can imagine, this not only raises some flags when it comes to privacy issues, but it could also cause some serious damage if 2FA data is accessed through these means. Now, you’re probably asking yourself, why hasn’t OnePlus done anything about this? Well, Rapid7 shares that while it did try and reach out to OnePlus, the brand wasn’t able to initially make contact.
It also shared that while OnePlus does have a bug bounty program in place, it could not “engage with their bug bounty program due to its restrictive Non Disclosure Agreement (NDA) terms and conditions.” And that’s why we’re getting such a public release about a problem that isn’t fixed yet.
The good news is that OnePlus is definitely aware of the problem now, and Rapid7 issued an update that they are now in contact. For now, there really isn’t much that can be done. OnePlus isn’t really broadcasting this across its social media channels as you can imagine, and it’s not exactly clear how this vulnerability can be accessed. So, if you’re a OnePlus owner, you’ll just have to sit tight and hope that the brand comes up with a fix ASAP.
