This issue has been fixed in OxygenOS version 4.1.7 for the OnePlus 3 and OnePlus 3T.

The software flavor found on OnePlus phones is known as OxygenOS. It adds a couple of nifty features on top of stock Android without deviating too far from what you would expect on a Google device. I recently started using the OnePlus 5 as a daily driver myself, and despite the controversies I think it's a great upgrade for any fans of the Google Nexus line. With that being said, I scrutinize every new device I receive for every minor aspect I like or dislike. While digging around in the OxygenOS settings, I came across the OnePlus App Locker feature, which locks apps that you choose behind your PIN/password/fingerprint.

Left: XDA Labs Hidden by App Locker. Right: XDA Feed Hidden by the App Lock Feature.

I'm generally a fan of third-party solutions to feature requests since they aren't forced on you and usually offer more features than a first-party solution. In the case of an app lock, though, I much prefer an integrated solution such as the OnePlus App Locker as they are supposed to be harder to kill (thus more secure) as well as faster (since they don't rely on Accessibility Services or read from the Usage Statistics API). I was shocked, however, to find that the OxygenOS app lock feature could be easily bypassed.

The above demonstration was performed on a OnePlus 5 running OxygenOS 4.5.8.

Admittedly, I'm not treating this as some major security flaw or anything as this feature is mostly used when you want to share your phone with someone (hopefully someone you already trust). If you're relying on this feature, then that means you're handing your phone over already unlocked to someone, so it's not as if this bypass gets around your phone's main security measures like the password/PIN/fingerprint or other encryption measures or factory reset protection. Still, a flaw is a flaw, and if someone like me, who isn't a security researcher, could find this then anybody could.


OnePlus App Locker Bypass Explanation

As shown in the video above, I have hidden the XDA Feed application behind the app lock feature. As expected, I cannot open the app without entering my password. If I attempt to go to Settings --> Security & fingerprint --> App locker, I am prompted to enter my password. But when I go back to the home screen and tap on a mysterious app icon for an app I made called "OnePlus App Locker Bypass", it opens the App Locker settings page where I can freely disable any existing app locks.

Accessing the OxygenOS App Locker feature normally requires password/PIN input

Anyone should be able to replicate this process on their OnePlus device running OxygenOS if they have a launcher such as Nova Launcher installed (that would be a ton of people) or any other application that can launch activities. Since the app lock feature is most likely used by people who only want to hide certain sensitive applications (such as a super secret gallery app containing totally family friendly pictures) while showing off their shiny new phone, it's unlikely that most people would think to hide their launcher app. Furthermore, since there's no way to hide the package installer behind an app lock, one could also install a bypass app like my own to get around the OnePlus App Locker.

If you're using Nova Launcher and are curious how to do this, it's simple. Just add an activity shortcut to "App Locker" which is found under "Dashboard." Simply tapping on this shortcut will launch the App Locker settings without it asking for your password.

OxygenOS App Lock Settings Activity

OxygenOS App Locker Settings Activity

I am not really sure why the App Locker settings doesn't ask for password entry when the activity is launched from a third-party app. One way to solve this would be to simply make the activity an unexported activity so it cannot be accessed from any other app.

        <activity android:label="@string/app_lock_label" android:name=".applocker.AppLockerSettingsActivity" android:screenOrientation="nosensor">
            <intent-filter>
                <action android:name="com.oneplus.security.action.APP_LOCKER"/>
                <category android:name="android.intent.category.DEFAULT"/>
            </intent-filter>
        </activity>

The AndroidManifest.xml file of com.oneplus.security, part of which is reproduced above, shows that indeed the activity for the OnePlus App Locker feature is an exported activity. Adding android:exported="false" to the activity tag should solve this problem, I believe.
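The snippet above has no explicit android:exported attribute; the activity is exported because it declares an intent-filter, which is the platform default for apps targeting below API 31. The following manifest audit is an added example, not code from the original article or from OnePlus: it applies that rule to a decoded AndroidManifest.xml and lists activities that other apps can start without holding a permission. The function names, the wrapping manifest and the second activity are constructed for illustration, and a flagged activity is a review item rather than a confirmed flaw, since it may still authenticate the user itself.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed sample: the <activity> quoted in the article, wrapped in minimal
# <manifest>/<application> scaffolding, plus a hypothetical non-exported one.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.oneplus.security">
  <application>
    <activity android:label="@string/app_lock_label"
              android:name=".applocker.AppLockerSettingsActivity"
              android:screenOrientation="nosensor">
      <intent-filter>
        <action android:name="com.oneplus.security.action.APP_LOCKER"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
    <activity android:name=".example.HypotheticalInternalActivity"
              android:exported="false"/>
  </application>
</manifest>"""

def is_exported(component):
    """Explicit android:exported wins; otherwise an intent-filter implies true
    (the platform default for apps targeting below API 31)."""
    explicit = component.get(A + "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    return component.find("intent-filter") is not None

def find_unguarded_activities(manifest_xml):
    """Return activities other apps can start without holding a permission."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return []
    findings = []
    for comp in list(app.iter("activity")) + list(app.iter("activity-alias")):
        # A component-level permission overrides the <application> default.
        permission = comp.get(A + "permission") or app.get(A + "permission")
        if is_exported(comp) and not permission:
            actions = [a.get(A + "name") for a in comp.iter("action")]
            findings.append({"name": comp.get(A + "name"), "actions": actions,
                             "implicit": comp.get(A + "exported") is None})
    return findings

if __name__ == "__main__":
    for f in find_unguarded_activities(SAMPLE_MANIFEST):
        print(f)
```

The "implicit" field marks components that are exported only by default, which are the ones most likely to have been exposed unintentionally.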


OnePlus is Aware, will Fix in OxygenOS Update

We notified the OxygenOS team of this issue and they have acknowledged it in the following statement:

We are aware of this issue, and we will be fixing it in an upcoming OTA.

If you are using the App Lock feature right now and want to make sure that nobody can bypass it, I recommend that you add any launcher and browser apps on top of your existing app locks. This issue, in my opinion, doesn't detract from the software experience of the OnePlus 5, but let this be a reminder that any security measure might potentially have a hole in it. Thankfully this time, the security hole is a rather minor one.