The company has issued a statement where it says it acknowledges the problem, but doesn't think of it as a "major security issue."
A number of OnePlus users reported on the company's official forums that the firm has inadvertently left an app accessible on its phones that could potentially let intruders in, as first reported by Engadget.
The app lets users gain root access to the device without the need for unlocking its bootloader — which is a way to say that malicious users could get to the core of a OnePlus phone and install malware with ease, although they would likely need physical access to it.
The app is called "EngineerMode," and is part of a suite of testing applications from Qualcomm, the manufacturer behind the Snapdragon systems-on-a-chip (SoC) inside all of OnePlus' devices, including the latest OnePlus 5.
There is no indication that this is proof of malicious behaviour from OnePlus itself, but rather the result of lack of attention; the EngineerMode app does not show up until a user manually chooses to see system apps, and Android also has extra security measures (in the form of additional steps) that prevent casual access to the app.
In a forum post, a staff member clarified that the company doesn't "see this as a major security issue," but is aware of the problem and actively looking into it, which means that future software updates will hide the app for good.