BE WARNED !! ONE PLUS IS LEAKING YOUR SYSTEM LOGS..

oneplus-logkit-app The OnePlus Saga Continues…
The OnePlus One was one of the first Android smartphones that proved that consumers didn’t need to shell out $600+ for a flagship experience. In other words, even at a lower price point you should never settle for purchasing an inferior product.

I can still remember the hype surrounding the specification reveal for the OnePlus One – the company capitalized on the fanaticism displayed by Android enthusiasts when it came to leaks. OnePlus decided to slowly unveil the specifications of the phone one-by-one for a few weeks prior to the official launch – and it worked.

At the time, we salivated over the phone’s use of the Snapdragon 801 with a 5.5″ 1080p display as well as the very enticing partnership with the fledgling startup Cyanogen Inc. (of whom Android enthusiasts were very excited about due to the popularity of CyanogenMod). And then OnePlus dropped the biggest bombshell on us all – the $299 starting price. Only one other phone had truly amazed me for its cost-performance – the Nexus 5 – and the OnePlus One blew it out of the water. I remember many Nexus enthusiasts torn between making an upgrade to the OnePlus One or waiting for the release of the next Nexus.Just a day after the revelation of the hidden Android rooting backdoor pre-installed on most OnePlus smartphones, a security researcher just found another secret app that records tons of information about your phone.
Dubbed OnePlusLogKit, the second pre-installed has been discovered by the same Twitter user who goes by the pseudonym "Elliot Alderson" and discovered the controversial "EngineerMode" diagnostic testing application that could be used to root OnePlus devices without unlocking the bootloader.

OnePlusLogKit is a system-level application that is capable of capturing a multitude of things from OnePlus smartphones, including:
Wi-Fi, NFC, Bluetooth, and GPS location logs,
Modem signal and data logs, hot and power issue logs,
list of the running processes, list of running service and battery status,
media databases, including all your videos and images saved on the device.
Unlike EngineerMode (which was found on devices by several manufacturers including HTC, Samsung, LG, Sony, Huawei, and Motorola), the OnePlusLogKit application (decompiled APK) most certainly is present only in OnePlus devices.
Since OnePlusLogKit is disabled by default, the attacker would require access to the victim's smartphone to enable it.
With the physical access to the targeted smartphone, one can quickly enable it by dialing *#800# → "oneplus Logkit" → enable “save log,” or one can use social engineering to get the owner of the device to do it themselves.
Once enabled, any other application installed on your device can collect the logged information (stored unencrypted in the /sdcard/oem_log/ folder) remotely without requiring user interaction.
Although the app in question has been designed for device manufacturers and engineers to log the events/activities to diagnose system issues, the amount of information collected here could also be used for nefarious purposes.

OnePlus has yet to comment on this latest issue, while the Chinese company did not see the previous EngineerMode diagnostic tool as a major security issue, although it promised to remove the adb root function in the upcoming OxygenOS update.
"While it can enable adb root which provides privileges for adb commands, it will not let 3rd-party apps access full root privileges," the OnePlus spokesperson said in a statement.
"Additionally, adb root is only accessible if USB debugging, which is off by default, is turned on, and any sort of root access would still require physical access to your device."
Qualcomm, who was believed to be the creator of the EngineerMode APK, also responded to allegations, saying that there are traces of source code from their original app, but the current APK found on devices from various manufacturers has been modified by someone else.
"After an in-depth investigation, we have determined that the EngineerMode app in question was not authored by Qualcomm," Qualcomm claims.
"Although remnants of some Qualcomm source code is evident, we believe that others built upon a past, similarly named Qualcomm testing app that was limited to displaying device information. EngineerMode no longer resembles the original code we provided."
Meanwhile, another security researcher has released an Android application to root OnePlus phones quickly by using the backdoor discovered in EngineerMode.!
Still, it’s important to safeguard any information that uniquely identifies you or your devices. If privacy issues are important for you, then this practice by OnePlus should be concerning. We hope that this article serves to inform you about this potential security implications behind this practice, and to bring this situation to OnePlus’s attention (once more) so that it may be fixed promptly.
credits: Do check this site https://thehackernews.com/2017/11/oneplus-logkit-app.html