OnePlus 3/3T recovery lacks password prompt, even after Android Pie (9.0) update

When it comes to Android, the recovery mode is an interesting component. Sharing the same kernel as the stock boot image, this special environment enables users to do tasks like factory resetting, installing new OTA updates, wiping caches etc.

google_nexus_9_stock_recovery
Stock Android recovery in Google Nexus 9

Readers may notice that one can easily wipe the internal data and/or perform a factory reset while they are able the boot the Android powered device (phone/tablet/smart TV) in recovery mode. For most of the retail devices, you just need to press a specific key-combo to force it to boot to recovery.

oneplus_3_3t_recovery_mode_los_wiki
You can easily find such key-combos for popular devices

Google introduced factory reset protection (FRP) as a measure to tackle this scenario and prevent rogue entities to tamper with personal devices powered by Android. FRP requires to login using the same Google Account which was used before factory resetting to use the device.

If you have a Google Account set up on the device, FRP is active. This means that after the reset, you’ll be required to log in to the Google Account using the username and password. If you have multiple Google Accounts set up on the device, you can log in using any of the accounts.

If an unauthorized person tries to reset the device by another method, the device would still require log-in using the Google username and password. This means that if your device is lost or stolen, another person would not be able to reset it and use it.

However, that is not sufficient to block someone to (accidentally) erase the phone and wipe precious personal data by booting the phone in recovery mode, followed by a factory reset.

As a resolution, several OEMs now demand to input the same password/PIN/pattern that is used by the actual owner to secure regular Android environment, to access their stock recovery.

oneplus_5t_recovery_password
OnePlus 5T OxygenOS recovery mode asking for password

Sounds pretty good idea, doesn’t it? Well, there is a catch!

OnePlus allegedly did not incorporate the feature in both OnePlus 3 and 3T, even after Android 9.0 Pie update. Someone can boot to stock recovery via adb or ‘Advanced restart’ option from the OS or via key-combo and reset the phone(s) without facing any security measure!

oneplus_3_3t_recovery_no_password_forum
Bug report on OnePlus forum

After talking with some OnePlus 3/3T owners, they did confirm that the feature was never present on the OnePlus 3 duo. Considering all OnePlus phones share a common codebase, this security issue is highly unexpected.

oneplus_3_3t_recovery_no_password_discord
Click/Tap to zoom

FYI, OnePlus resumed the Pie rollout for OnePlus 3T and 3 with OxygenOS 9.0.3, but the infamous data corruption issue by while updating from Oreo based OxygenOS 5.0.x on unlocked bootloader is still not patched by the Chinese OEM.

Do you think that the lack of password/PIN in the stock recovery of OnePlus 3/3T is intentional? Comment below.

Thanks Some_Random_Username for the tip!

PiunikaWeb is a unique initiative that mainly focuses on investigative journalism. This means we do a lot of hard work to come up with news stories that are either ‘exclusive,’ ‘breaking,’ or ‘curated’ in nature. Perhaps that’s the reason our work has been picked by the likes of Forbes, Foxnews, Gizmodo, TechCrunch, Engadget, The Verge, Macrumors, and more. Do take a tour of our website to get a feel of our work. And if you like what we do, stay connected with us on Twitter (@PiunikaWeb) and other social media channels to receive timely updates on stories we publish.

Want to work for PiunikaWeb and enjoy best-in-industry compensation & benefits? You'll be glad to know we're hiring experienced candidates.

Kingshuk De

I came from a mixed background of Statistics and Computer Science. My research domains included embedded computer systems, mobile computing and delay tolerant networks in post-disaster scenarios. Apart from tinkering with gadgets or building hackintosh, I like to hop on various subreddits and forums like MyDigitalLife and XDA.