When it comes to Android, the recovery mode is an interesting component. Sharing the same kernel as the stock boot image, this special environment lets users perform tasks such as factory resetting, installing new OTA updates, and wiping caches.
Readers may notice that anyone can easily wipe the internal data and/or perform a factory reset as long as they are able to boot the Android-powered device (phone/tablet/smart TV) into recovery mode. On most retail devices, you just need to press a specific key combo to force a boot to recovery.
Google introduced factory reset protection (FRP) as a measure to tackle this scenario and prevent rogue entities from tampering with personal devices powered by Android. After a factory reset, FRP requires logging in with the same Google Account that was used before the reset in order to use the device.
If you have a Google Account set up on the device, FRP is active. This means that after the reset, you’ll be required to log in to the Google Account using the username and password. If you have multiple Google Accounts set up on the device, you can log in using any of the accounts.
If an unauthorized person tries to reset the device by another method, the device would still require log-in using the Google username and password. This means that if your device is lost or stolen, another person would not be able to reset it and use it.
However, that is not sufficient to stop someone from (accidentally) erasing the phone and wiping precious personal data by booting the phone into recovery mode and then performing a factory reset.
As a resolution, several OEMs now require entering the same password/PIN/pattern that the actual owner uses to secure the regular Android environment in order to access their stock recovery.
Sounds like a pretty good idea, doesn’t it? Well, there is a catch!
OnePlus allegedly did not incorporate the feature in either the OnePlus 3 or the 3T, even after the Android 9.0 Pie update. Someone can boot to stock recovery via adb, the ‘Advanced restart’ option in the OS, or a key combo and reset the phone(s) without facing any security measure!
We talked with some OnePlus 3/3T owners, and they confirmed that the feature was never present on the OnePlus 3 duo. Considering that all OnePlus phones share a common codebase, this security issue is highly unexpected.
FYI, OnePlus resumed the Pie rollout for the OnePlus 3T and 3 with OxygenOS 9.0.3, but the infamous data corruption issue that occurs while updating from Oreo-based OxygenOS 5.0.x on an unlocked bootloader is still not patched by the Chinese OEM.
Do you think that the lack of password/PIN in the stock recovery of OnePlus 3/3T is intentional? Comment below.
Thanks Some_Random_Username for the tip!