Significant security flaw in Google wallet - Samsung Galaxy Nexus

There's quite a significant security flaw in Google wallet at the moment.
Going into application settings and then clearing data for wallet is the same as resetting wallet from within the application, without having to enter a pin. Know what that means? You're able to set up a new password and have access to your prepaid card.
That's right. If a tech-savvy thief has your phone and you don't have a passcode on the lockscreen (possibly because Google's implementation of passcode stuff sucks) or the screen hasn't timed out yet, the thief will have access to whatever funds remain on your Google prepaid card, regardless of the pin you set in the application.
This is yet another reason why Google needs to add the ability to lock out INDIVIDUAL applications with a code or face recognition, not just the friggin' lockscreen. If someone gets your phone after you've entered your lockscreen code/pattern, they have free rein over the device as long as the screen is on. Third party software for this purpose just doesn't work very well at this stage. This functionality needs to be integrated into the OS. Sorry for going off on a tangent.
Basically:
1) Go into application settings
2) Clear data for Google wallet
3) Open wallet and set it back up
4) Everything remaining on your Google prepaid card can now be used.

That's a good point. I don't know if Google wallet is supposed to be more secure than a credit card.
If someone steals your wallet, what do you do? Suspend any transactions for that stolen card. Just do the same with the cards you have on Google wallet.
Or I'd just remotely wipe the phone, so they have none of your information on your phone.
Sent from my Galaxy Nexus using XDA App

bigmike2424 said:
> That's a good point. I don't know if Google wallet is supposed to be more secure than a credit card.
> If someone steals your wallet, what do you do? Suspend any transactions for that stolen card. Just do the same with the cards you have on Google wallet.
> Or I'd just remotely wipe the phone, so they have none of your information on your phone.
> Sent from my Galaxy Nexus using XDA App
Any actual cards that you add to Wallet will of course be removed, but the Prepaid card will still work. How easy would it be to suspend transactions with Google?

Ouch... report it!
Greets
____________
mDroid - Tapatalk
Phone: LG-P500
ROM: Nitrogen - Beta-V1b
Kernel: custom .35
Theme: ICS (Z25 - paid. ported by me )
Tweaks: ALL
Wishlist: Galaxy Nexus

You have to have a passcode to use the wallet feature. I am not following this at all seriously.
To use this application, you have to get into line, make sure that your screen is on when you get to the counter and then make sure you put in your pin #/Passcode before swiping.
The only way for a thief to get access is to take your phone while it's in your hand and the screen is open but then also if the screen shuts off, the application closes and you have to input your pin #/passcode again.
Try it.

Ronin09 said:
> You have to have a passcode to use the wallet feature. I am not following this at all seriously.
> To use this application, you have to get into line, make sure that your screen is on when you get to the counter and then make sure you put in your pin #/Passcode before swiping.
> The only way for a thief to get access is to take your phone while it's in your hand and the screen is open but then also if the screen shuts off, the application closes and you have to input your pin #/passcode again.
> Try it.
You can reset the application without the passcode. Once that's done, simply open it up, set it up with a new passcode and you have access to the prepaid card immediately.

Ronin09 said:
> You have to have a passcode to use the wallet feature. I am not following this at all seriously.
> To use this application, you have to get into line, make sure that your screen is on when you get to the counter and then make sure you put in your pin #/Passcode before swiping.
> The only way for a thief to get access is to take your phone while it's in your hand and the screen is open but then also if the screen shuts off, the application closes and you have to input your pin #/passcode again.
> Try it.
try this:
open clear google wallet data, run google wallet again.
it will prompt you for new passcode and link it to the google account on your device.
of course, all the credit card info is wiped, but your google prepaid card can still be added without passcode, so whatever remaining balance you have on it will be usable by whoever activates it

Ronin09 said:
> You have to have a passcode to use the wallet feature. I am not following this at all seriously.
The OP explains it perfectly.
Evangelion01 said:
> 1) Go into application settings
> 2) Clear data for Google wallet
> 3) Open wallet and set it back up
> 4) Everything remaining on your Google prepaid card can now be used.
That means anyone who gets your phone, even while it's turned off, can follow these steps to remove whatever pin you have set. They can then set up Google Wallet with their own pin and add your prepaid card with all its funds back onto the app and start using it.
To be safe, you'll need to set your lockscreen to use one of the other security types such as pin, pattern, or password, and then hope nobody gets ahold of your phone while the phone itself is unlocked. I don't find face unlock to be very safe at all so I won't even recommend it for protecting Google Wallet funds.

to add some other failure of google wallet...somehow ur wallet gets registered w/ ur device...or that's how it looks like...i had a nexus s w/ wallet fully functional and about $12 left on the prepaid card...bought the GN and gave the NS to my wife...fully wiped the device, reinstalled the wallet and activated w/ my wife's account...guess what she got my remaining balance and when i activated mine on the GN i only got the $10...but to be 100% fair it could be something related with the fact that we're not really supposed to have this running on our phone...so might be something related to that, since my NS was on t-mobile and not sprint...hence i was running a "not approved" app...

Evangelion01 said:
> You can reset the application without the passcode. Once that's done, simply open it up, set it up with a new passcode and you have access to the prepaid card immediately.
I was having a hard time understanding too until you pointed this out (again?) ... thanks for the heads up.
did you submit this issue to google?

Elganja said:
> I was having a hard time understanding too until you pointed this out (again?) ... thanks for the heads up.
> did you submit this issue to google?
Nope. How would I go about doing that? Knowing Google, even if we were to inform them today there wouldn't be a fix for at least a month.
Still can't believe that after three years they haven't got a solution allowing you to passcode protect individual applications in the OS. Dumbphones could do that back in 2004!

Evangelion01 said:
> Nope. How would I go about doing that? Knowing Google, even if we were to inform them today there wouldn't be a fix for at least a month.
> Still can't believe that after three years they haven't got a solution allowing you to passcode protect individual applications in the OS. Dumbphones could do that back in 2004!
should be here: http://support.google.com/wallet/bin/static.py?hl=en&page=known_issues.cs (click on "let us know") but it isn't working for me atm

Elganja said:
> should be here: http://support.google.com/wallet/bin/static.py?hl=en&page=known_issues.cs (click on "let us know") but it isn't working for me atm
No surprise there, then. Thanks for the link. Hopefully they'll fix it by Q2.

MIUI had a sweet security app based on individual apps. I would lock down my games cause my boy liked to get in there and press buttons aka delete my saves.
I don't know what process it would involve to port this over. But it would be a welcome one.
Galaxy Nexus - 4.0.3 CM9
Asus Transformer - 3.2 Revolver

I went ahead and emailed the relevant Google department about the issue. I'll keep you all updated if I get a response, but bear in mind that this is Google's rubbish customer service that we're talking about... I'm not getting my hopes up.

If you lose your phone just log into your Gmail and change the password. Problem solved.

bp328i said:
> If you lose your phone just log into your Gmail and change the password. Problem solved.
Yes, problem solved if you can get access to an internet-connected device quickly enough.

Evangelion01 said:
> Yes, problem solved if you can get access to an internet-connected device quickly enough.
I guess I just don't see it as big of an issue as you do.
I mean if you lose your real wallet you have to track down the phone numbers to your credit card companies and call them all one by one. It would be easier and quicker in this day and age to find an internet-connected device.
All my friends and family have internet-connected devices (smart phones) so I could change my Gmail password faster than I could call one credit card company, get through their phone system, get a live person on the phone and cancel the card.
When it comes to money, credit cards or anything being used as either of the two there will always be flaws that someone will try to exploit. And with this flaw it can be corrected/stopped by the end user within 5 - 10 minutes.
But seriously good find on this!

bp328i said:
> I guess I just don't see it as big of an issue as you do.
> I mean if you lose your real wallet you have to track down the phone numbers to your credit card companies and call them all one by one. It would be easier and quicker in this day and age to find an internet-connected device.
> All my friends and family have internet-connected devices (smart phones) so I could change my Gmail password faster than I could call one credit card company, get through their phone system, get a live person on the phone and cancel the card.
> When it comes to money, credit cards or anything being used as either of the two there will always be flaws that someone will try to exploit. And with this flaw it can be corrected/stopped by the end user within 5 - 10 minutes.
> But seriously good find on this!
That's true, I was trying to look at the worst case scenario. The flaw itself is pretty serious, but the consequences wouldn't be that great yet. I've only heard of one person who had over $100 on their prepaid card, and I think there are extra measures in place when purchasing larger items? Not sure.
But something as simple as this certainly needs to be fixed before NFC payments go mainstream.

Evangelion01 said:
> That's true, I was trying to look at the worst case scenario. The flaw itself is pretty serious, but the consequences wouldn't be that great yet. I've only heard of one person who had over $100 on their prepaid card, and I think there are extra measures in place when purchasing larger items? Not sure.
> But something as simple as this certainly needs to be fixed before NFC payments go mainstream.
I agree it is simple and does need to be fixed. They could make a quick fix by having each app that is based off our Gmail accounts require the Gmail password re-entered when an app is set up and not just ask permission.
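
The reset path discussed in this thread, modelled as an added Python example (not Google Wallet code and not written by any poster). The class names, the `require_reauth` switch and every value are constructed; the hardened branch implements the account-password re-entry suggested in the last post above.

```python
import hashlib
import hmac
import os


def _verifier(secret: str, salt: bytes) -> bytes:
    """Salted, slow hash so secrets are never stored in the clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


class IssuerBackend:
    """Hypothetical server side that holds the prepaid balance."""

    def __init__(self, require_reauth: bool):
        self.require_reauth = require_reauth
        self._balances = {}      # device_id -> balance in cents
        self._accounts = {}      # account -> (salt, password verifier)
        self._device_owner = {}  # device_id -> account

    def register(self, account, password, device_id, balance_cents):
        salt = os.urandom(16)
        self._accounts[account] = (salt, _verifier(password, salt))
        self._device_owner[device_id] = account
        self._balances[device_id] = balance_cents

    def provision_prepaid(self, device_id, account, password=None):
        """Hand the prepaid balance to a freshly set-up app, or raise."""
        if self._device_owner.get(device_id) != account:
            raise PermissionError("device not bound to this account")
        if self.require_reauth:
            # Hardened: being signed in on the device is not enough.
            if password is None:
                raise PermissionError("account password required")
            salt, expected = self._accounts[account]
            if not hmac.compare_digest(_verifier(password, salt), expected):
                raise PermissionError("account password rejected")
        return self._balances[device_id]


class WalletApp:
    """Hypothetical client; `data` stands for the app's private storage."""

    def __init__(self, backend, device_id, signed_in_account):
        self.backend = backend
        self.device_id = device_id
        # Device-level sign-in survives "clear data" for a single app.
        self.account = signed_in_account
        self.data = {}

    def setup(self, new_pin, account_password=None):
        balance = self.backend.provision_prepaid(
            self.device_id, self.account, account_password)
        salt = os.urandom(16)
        self.data = {"salt": salt, "pin": _verifier(new_pin, salt),
                     "prepaid_cents": balance}

    def clear_data(self):
        """Settings > Applications > Clear data: the PIN goes with it."""
        self.data = {}

    def spend_available(self, pin):
        """Return the usable balance if the PIN matches, else None."""
        if not self.data:
            return None
        ok = hmac.compare_digest(
            _verifier(pin, self.data["salt"]), self.data["pin"])
        return self.data["prepaid_cents"] if ok else None


def reset_scenario(require_reauth: bool):
    """Owner sets up the app; then someone who knows neither the PIN nor
    the account password clears the data and runs setup again."""
    backend = IssuerBackend(require_reauth)
    backend.register("owner@example.test", "owner-password", "device-1", 1200)
    app = WalletApp(backend, "device-1", "owner@example.test")
    app.setup("4821", account_password="owner-password")
    if app.spend_available("0000") is not None:
        raise RuntimeError("wrong PIN must not unlock the balance")
    app.clear_data()
    try:
        app.setup("0000")  # new PIN chosen by whoever holds the phone
    except PermissionError:
        return None
    return app.spend_available("0000")


if __name__ == "__main__":
    print("local PIN only:      ", reset_scenario(False))
    print("re-auth on re-setup: ", reset_scenario(True))
```

The PIN check itself is sound in both runs; the difference is whether the backend treats a signed-in device as sufficient proof when the app asks for the prepaid balance again.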

Related

[Q] Forgot Lock Pattern and Gmail Password, Please Help

I'm a Sprint employee and I have a customer whose kids set a lock code that they forgot and she doesn't know her gmail password AND she wasn't able to retrieve her password. Besides resetting the phone and making a new gmail, is there any way to get back into the phone??
Nope. I have yet to find where in /data the password is stored, and none of the devs I've talked to know, either. Your only choice is to wipe the phone.
Is the phone rooted (slim chance, I suspect)? If so, would restoring a nand backup work? Just thinking out loud......
Try resetting the Google password online.
https://www.google.com/accounts/recovery
She tried the gmail password recovery, but she didn't know the answer to her security question even though she bought the phone and made the account 2 weeks ago. Thanks for your help guys. I guess I'll have to reset her phone and she'll lose her contacts.
Tazdeviloo7 said:
> She tried the gmail password recovery, but she didn't know the answer to her security question even though she bought the phone and made the account 2 weeks ago. Thanks for your help guys. I guess I'll have to reset her phone and she'll lose her contacts.
Well if she ever manages to remember the password or answer to her security question she'll get her contacts back. Tell her to take some more vitamin B, helps with memory lol.
Tazdeviloo7 said:
> She tried the gmail password recovery, but she didn't know the answer to her security question even though she bought the phone and made the account 2 weeks ago. Thanks for your help guys. I guess I'll have to reset her phone and she'll lose her contacts.
tell her to buy an iphone... stupid people everywhere love em
I would prefer that this question remain unanswered. I'm not calling the OP a criminal, but this is exactly what I would do if I just stole a phone that was locked.
I don't want the ability to defeat the security of my phone to be easily accessible.
If someone is stupid enough to forget their gmail password, the answer to their security question, and allow their kids to set a lock should not be using a smart phone. Just reset her phone and she can start over.
Tazdeviloo7 said:
> I'm a Sprint employee and I have a customer whose kids set a lock code that they forgot and she doesn't know her gmail password AND she wasn't able to retrieve her password. Besides resetting the phone and making a new gmail, is there any way to get back into the phone??
Sounds like complete bull**** to me............I'm just sayin'
pirish1 said:
> Sounds like complete bull**** to me............I'm just sayin'
I agree, calling bull**** on this as well & I'm pretty sure consulting xda isn't part of Sprint's troubleshooting protocol...heh, even if this forum is way more helpful than Sprint...
Sent from my phone.
maxomus said:
> I agree, calling bull**** on this as well & I'm pretty sure consulting xda isn't part of Sprint's troubleshooting protocol...heh, even if this forum is way more helpful than Sprint...
> Sent from my phone.
Just wanted to interject here, and say we get at least 1 or 2 customers a week who this happens to. They'll get their phone in a store where the rep sets their Gmail up for them, or they're rushed through the process in store, and forget the info.
Our internal support system doesn't get into EVERY SINGLE THING that can happen, or will give "official" solutions to things. I have OFTEN referred to third party sites to fix issues, so I don't doubt this guy for a second.
edit: This is all from within a retail store, as a rep or in-store technician, I'm not sure if phone tech support would refer to a site such as this, but in the store we exhaust every resource we can.
Found a flaw in my EVO's security. Maybe is just mine or froyo. My pattern security lock opens with any pattern I input right after a boot or battery pull. This happens with every custom froyo rom I try. I tried fresh, cyanogen, omj, and damagecontrol. Sometimes it doesn't do it but if I do a fast random swipe of any pattern it opens. I'm in the process of making a video.......help fear for my security!
Found flaw. Titanium backup. The app is great and all and I love it. The problem is that titanium backs up my pattern and I guess there's a certain flaw or conflicts when the backup and the original security interact. I fix this by making a new pattern or re-entering the pattern. But is a lot less troubling by just not backing up HTC screen lock
sent from my EVO
when i worked at sprint a lot of my stupid arse coworkers would setup gmail for people that didn't have it and not tell the customer...don't ask.... also after working in retail for 5 years lemme tell you something
People are fraggin stupid, not some of them, but like 90%, so when you look at your intelligent friends, look at them with some more respect, cause most people are completely retarded haha.
Anyhow, I can also tell you as an X sprint employee...and probably one of the most empathetic employees at my store I would never care this much to ask on a forum, so I call BS as well.
Besides come on sprint rep, you should know damn well there ain't no way around it, not unless you're a super hacker.
lock code, gmail and the security questions, you mean the one like, what's your dog's name? LIES!
i work with a guy that has a hero and was drunk playing with phone and set a lock pattern. he doesn't know his gmail password either and had to go to sprint store and have it reset. lost contacts.
I say that you buy a google phone, you should be a google customer with an account. to be so stupid you forget your password is just lame. to buy a device for cool factor and not know how to use it is stupid. there should be a smart test required before someone is allowed to purchase a smartphone.
OP, make your customers download lookout from market. it saves contacts, and make them use an email they already use on daily basis and have the password the same as the password for their sprint account. then if they forget password, it is same as their account with same email provided with account.
Alanmw86 said:
> when i worked at sprint a lot of my stupid arse coworkers would setup gmail for people that didn't have it and not tell the customer...don't ask.... also after working in retail for 5 years lemme tell you something
> People are fraggin stupid, not some of them, but like 90%, so when you look at your intelligent friends, look at them with some more respect, cause most people are completely retarded haha.
> Anyhow, I can also tell you as an X sprint employee...and probably one of the most empathetic employees at my store I would never care this much to ask on a forum, so I call BS as well.
> Besides come on sprint rep, you should know damn well there ain't no way around it, not unless you're a super hacker.
> lock code, gmail and the security questions, you mean the one like, what's your dog's name? LIES!
I know, and everyone in my store knows there's no way around it... we don't post to forums asking, but we do read forums for info... but I've used forums to solve several issues on phones that probably goes against policies, like using JL Commander on Blackberries, installing .cab files on WinMo phones to fix small registry issues, etc. Sometimes you gotta do what you gotta do to make the customer happy... but no, I nor anyone I've worked with have POSTED, just read.
if you are rooted there is a way around the pattern unlock screen. Hell it might work if you're not rooted.
Code:
adb -d shell
# sqlite3 data/data/com.android.providers.settings/databases/settings.db
sqlite> update system set value=0 where name='lock_pattern_autolock';
sqlite> .exit
# exit
reboot and tada
At least this works on the hero. It removes the pattern lockscreen
Alanmw86 said:
> when i worked at sprint a lot of my stupid arse coworkers would setup gmail for people that didn't have it and not tell the customer...don't ask.... also after working in retail for 5 years lemme tell you something
> People are fraggin stupid, not some of them, but like 90%, so when you look at your intelligent friends, look at them with some more respect, cause most people are completely retarded haha.
> Anyhow, I can also tell you as an X sprint employee...and probably one of the most empathetic employees at my store I would never care this much to ask on a forum, so I call BS as well.
> Besides come on sprint rep, you should know damn well there ain't no way around it, not unless you're a super hacker.
> lock code, gmail and the security questions, you mean the one like, what's your dog's name? LIES!
If there was a way to agree more, I would. I work in retail/wholesale and people amaze me every day at how stupid they are. I work at a tire store that shares a building with a collision shop. I can't tell you how many people have walked in and asked for an estimate on collision repair. I mean seriously, we've got frickin tires EVERYWHERE!
Sent from my FROYO'D EVO using xda app
So one nite i was drunk, got out of truck (not driving) and went to bed. Next AM at hotel i couldn't find phone. Because i am smart enough to remember my gmail password (been using it for years) first thing i did was go online and change my password. Phone could no longer sync and gave me a minor sense of security. Found phone in a co-workers hotel room later that nite. I then changed my password back.
For those that wouldn't do the same when they lost or had their phone stolen, you just presented a way for the person that has it access to their device.
Simple..... you forgot your lock pattern or pin (like you need a phone like this then) if you also forgot your email and password, then start over and lesson learned. But to provide this kind of info for a thief or not so honest person access to a phone that doesn't belong to them is just wrong.
unCoRrUpTeD said:
> if you are rooted there is a way around the pattern unlock screen. Hell it might work if you're not rooted.
> Code:
> adb -d shell
> # sqlite3 data/data/com.android.providers.settings/databases/settings.db
> sqlite> update system set value=0 where name='lock_pattern_autolock';
> sqlite> .exit
> # exit
> reboot and tada
> At least this works on the hero. It removes the pattern lockscreen
Just guessing...since you are working with /data, you would not need root. Or at least not nand unlocked. I don't believe data is a protected directory.
Nice trick BTW...
Sent from my PC36100 using XDA App
jpwhre said:
> So one nite i was drunk, got out of truck (not driving) and went to bed. Next AM at hotel i couldn't find phone. Because i am smart enough to remember my gmail password (been using it for years) first thing i did was go online and change my password. Phone could no longer sync and gave me a minor sense of security. Found phone in a co-workers hotel room later that nite. I then changed my password back.
> For those that wouldn't do the same when they lost or had their phone stolen, you just presented a way for the person that has it access to their device.
> Simple..... you forgot your lock pattern or pin (like you need a phone like this then) if you also forgot your email and password, then start over and lesson learned. But to provide this kind of info for a thief or not so honest person access to a phone that doesn't belong to them is just wrong.
The thing is that this information can be found by anyone or you could do a master reset and would still be able to use the phone. I just put this up there because people were saying there was no way to get around this stuff and there are. In no way do I condone using this info for illegal or dishonest use.

stolen phone and android market

Unluckily my phone was stolen about a week ago. Ignorant thieves didn't change my google account so when I go to android market I can see they're using it and that they changed the sim (I can see which operator they have).
I also blocked the imei but it doesn't seem to have worked because I can see they are still using it. My question is: is there any way to know the phone number of the sim? I could try to track them if it could be possible or it's just the operator? I sooo want my phone back! (even if now I've got a galaxy sl).
gianpa said:
> Unluckily my phone was stolen about a week ago. Ignorant thieves didn't change my google account so when I go to android market I can see they're using it and that they changed the sim (I can see which operator they have).
> I also blocked the imei but it doesn't seem to have worked because I can see they are still using it. My question is: is there any way to know the phone number of the sim? I could try to track them if it could be possible or it's just the operator? I sooo want my phone back! (even if now I've got a galaxy sl).
Did you install Wavesecure or lookout? If so, they let you track the phone etc...
If you use 2-factor gmail login, you can disable the one-time password that your google account uses.
But without Wavesecure or equivalent, you can't really track the number, unless your network can (and most won't do it, citing "data protection" even when you own the phone).
Stupid laws like this mean technical precautions are best. WaveSecure and other such apps can even GPS locate the phone
Sucks man, I feel for ya... Wishing you the best in your search for these idiots. Give them a firm beating.
agentfazexx said:
> Sucks man, I feel for ya... Wishing you the best in your search for these idiots. Give them a firm beating.
While I couldn't condone that, having a GPS position of your device does have many uses, including directing the relevant law enforcement personnel to them, or indeed anyone else who happened to be in possession of the GPL location
I strongly recommend everyone uses some form of tracking app on their phone. There's free and open source ones available...
Well, if they're still using the phone and it's still connected to your Google account, then you can go to the marketplace from your computer, install Lookout on it, and attempt to track it down, lock it, or wipe it. It's worth a shot.
After that, change your google password. It really sucks though that the Market doesn't have an easy way for you to remove a device from your account though. I had my EVO stolen last week, and I looked for hours trying to figure out a way to separate it from my account with no success.
oh oh?
sorry dude very bad for you. change your password from gmail and save the contacts
CocoaGoddess said:
> Well, if they're still using the phone and it's still connected to your Google account, then you can go to the marketplace from your computer, install Lookout on it, and attempt to track it down, lock it, or wipe it. It's worth a shot.
> After that, change your google password. It really sucks though that the Market doesn't have an easy way for you to remove a device from your account though. I had my EVO stolen last week, and I looked for hours trying to figure out a way to separate it from my account with no success.
Ooh smart I forgot about that. Lookout won't do that unfortunately, as you need to set up an account of sorts...
/me wishes you could VNC into your droid phone via google's cloud to phone system, thus negating the issue of NAT.
I wonder... there MUST be an app that allows you to install an app to the phone, that somehow conveys location to you, without entering info on the device...
If not, perhaps we need to work out a way? The issue is how to tell it who to email... Or...
/me sees an idea emerging...
How about an app allowing you to locate phone AFTER it was stolen, without needing to set anything up?
There is!
It's called Plan B (I can't post the link because I'm too noob on this forum, just search the market)
but the market won't let me install it on any phone, I don't know why
my phone wasn't stolen, but i always thought if it was that they could just use my card info that is stored and buy any apps they wanted. my mom uses my captivate now and for the love of god i can't figure out how to take my info out and replace it with hers. when i go to add account it still won't let hers add. any suggestions?
gianpa said:
> Unluckily my phone was stolen about a week ago. Ignorant thieves didn't change my google account so when I go to android market I can see they're using it and that they changed the sim (I can see which operator they have).
Where can I read on the market which operator is being used on my stolen phone?

Disable PIN lock policy for an Exchange account

My company uses an Exchange server for email, and it works great....except for one thing:
Due to their arcane policies, I am only able to use a pin lock on my phone. All of the other lock options are disabled, even face unlock. Also, they have the screen set to time out at 1 minute, which sucks when trying to use pretty much any application.
Does anyone know of a way to override these policies since my device is rooted?
Try this:
http://forum.xda-developers.com/showthread.php?p=14577188
Sent from my Galaxy Nexus
You could also get Enhanced Email from the market. Although it's pricey, it works great.
That is not arcane at all, those are good security practices. This is why Android still lags behind apple and rim at the enterprise level - too many easy hacks to bypass the security that businesses need. Faceunlock can be cracked by a polaroid and many swipe patterns can be guessed by looking at fingerprints on the screen.
Honestly, with all the personal information that resides on a smart phone I don't understand why everyone doesn't have a strong pin on their phones. Hope your buddies don't swipe your phone at the next party, unlock it with a facebook pic, and play some prank with your work email account.
for me I guess it's the stupid 1 minute lockout period. For example, if I am trying to use my phone as a GPS, I only get to see the screen for 1 minute. BOOM...locked out.
Pandora... NOPE. locked out after 1 minute, sure the music still plays, but I have to unlock the stupid phone to change songs and what not.
Scold me all you want virtualcertainty, the minimum 6 character pin, and 1 minute lockout drives me nuts.
Wasn't trying to scold you, just explaining the risks involved and the reasons for the policies. I wouldn't recommend to any of my clients to set policies lower than that. And I know a bunch of people that want an android for work but the IT department won't issue one or even allow people to use their own because of the work arounds.
My work policy is a 4 character pin with 1 minute time out. I exceed that on my device - 5 character pin and 30 second time out. In no time you won't notice it at all.
I don't know if this is a bug, but I have been able to remove the pin lock policy on my exchange account EVERY time
This is what I do
Set up Account
When it tells me that it's going to disable face unlock ,etc , HIT THE BACK key
Voila, you're out of there and it lets you go forward.
Don't know if it's our exchange server but that works for me
BooDaddy said:
> for me I guess it's the stupid 1 minute lockout period. For example, if I am trying to use my phone as a GPS, I only get to see the screen for 1 minute. BOOM...locked out.
> Pandora... NOPE. locked out after 1 minute, sure the music still plays, but I have to unlock the stupid phone to change songs and what not.
> Scold me all you want virtualcertainty, the minimum 6 character pin, and 1 minute lockout drives me nuts.
Then you should probably talk to your employer about it. This is an extremely basic security practice, and like multiple people have already said the easy "hack" to get around the practices is the exact reason most employers don't allow Android users access to their Exchange servers.
My company doesn't allow any Android phones on their Exchange network, exactly for this reason.
BTW, just for reference, it is possible to implement monitoring tools in an Exchange server to notify the administrators of changes to security features. Most employers wouldn't even talk to an employee that's violating security practices...it's just "Here's your box and there's the door". Complain all you want about them, but they're there for a reason. I wouldn't risk it just to escape having to input a key combination.
BooDaddy said:
My company uses an Exchange server for email, and it works great....except for one thing:
Due to their arcane policies, I am only able to use a pin lock on my phone. All of the other lock options are disabled, even face unlock. Also, they have the screen set to time out at 1 minute, which sucks when trying to use pretty much any application.
Does anyone know of a way to override these policies since my device is rooted?
I lol'd.
How dare a company try to protect their IP with a password on your phone...
Samsuck said:
I don't know if this is a bug, but I have been able to remove the pin lock policy on my exchange account EVERY time
This is what I do
Set up Account
When it tells me that it's going to disable face unlock, etc., HIT THE BACK key
Voila, you're out of there and it lets you go forward.
Don't know if it's our exchange server but that works for me
Maybe your admins didn't force device security. My company doesn't even allow pattern locks
martonikaj said:
I lol'd.
How dare a company try to protect their IP with a password on your phone...
I'm totally aware of a company wanting to protect their IP. I don't even mind having some sort of lock on my phone. But it would be nice to be able to at least bump the lockout time a bit to make the phone usable. Or at least let me do pattern lock.
There's no sense in trying to make this a pissing contest on security policies.
soapbox,
I sign up to get company email on my own phone as a convenience to both of us. If their security policy was so strict that it made it difficult to use my phone, that convenience would go away and any after hour emails would have to wait until the morning. Obviously not everyone can get away with that, but luckily I can.
I second trying EE,
I picked up Enhanced Email from the Amazon app store when it was the free app of the day and have been happy with it (it can disable Exchange policies). I do have the lock feature on my phone enabled however because I also use Google Wallet, so I want a little extra protection.
So, you need my phone and also need two separate passwords to use Google Wallet. Hopefully by that time I will have wiped my phone and/or located it.
Once on a custom ROM, I've never had a problem with Exchange security settings. Unless I'm going out for a big night (and might lose my phone) I leave the security off.
versd said:
Once on a custom ROM, I've never had a problem with Exchange security settings. Unless I'm going out for a big night (and might lose my phone) I leave the security off.
If you are able to turn off the PIN lock while using corporate exchange mail then your exchange server does not have the required security policy.
Unless there's something else you've done which you didn't post.
Samsuck said:
I don't know if this is a bug, but I have been able to remove the pin lock policy on my exchange account EVERY time
This is what I do
Set up Account
When it tells me that it's going to disable face unlock, etc., HIT THE BACK key
Voila, you're out of there and it lets you go forward.
Don't know if it's our exchange server but that works for me
Yep, that'll be the server as I get a security pop up and you can't dismiss it. Once setup all other lock options are off limits.
The annoyance for me was the inability to change the time out period, it made it unusable in certain situations.
Sent from my Galaxy Nexus
BooDaddy... I'm an IT Director for a large, publicly held company. We allow iPhones and Android devices to use our enterprise Exchange email with a 4-digit PIN, 1-minute lock AND the understanding that we can wipe the employee's phone if necessary. Installing software to circumvent this security would violate our security policies and would result in a disciplinary action.
Is this your personal phone or did your company provide it?
105437 said:
BooDaddy... I'm an IT Director for a large, publicly held company. We allow iPhones and Android devices to use our enterprise Exchange email with a 4-digit PIN, 1-minute lock AND the understanding that we can wipe the employee's phone if necessary. Installing software to circumvent this security would violate our security policies and would result in a disciplinary action.
Is this your personal phone or did your company provide it?
Not sure how the question is relevant to the thread topic but it is my personal phone.
Look here for solution: http://forum.xda-developers.com/showthread.php?p=19792676
BooDaddy said:
Not sure how the question is relevant to the thread topic but it is my personal phone.
Not really relevant, just curious because if the company bought it and pays the monthly costs then you really shouldn't have too much to complain about. So I guess it's your choice to connect to the Exchange server, I would never expect a company to mandate corporate email on an employee's personal phone.
105437 said:
Not really relevant, just curious because if the company bought it and pays the monthly costs then you really shouldn't have too much to complain about. So I guess it's your choice to connect to the Exchange server, I would never expect a company to mandate corporate email on an employee's personal phone.
Yeah, had it been their phone and plan, I wouldn't mind it. Their dime, their rules.
While it's not mandatory for me to have it, it is very handy since I am a systems admin (Linux) and it's nice to get alerted via logwatch emails when something bad happens.

What happens to remaining funds when you Reset Google Wallet

Sorry if this has already been asked somewhere, I looked around and searched multiple places but couldn't find an answer. I have a rooted stock ROM running right now. I love using Google Wallet and I am aware of the fact you need to 'Reset Google Wallet' before every flash to protect the Secure Element.
However I enjoyed using Google Wallet so much, I decided to refill the prepaid card. So what happens if I click 'Reset Google Wallet' when I have remaining funds on my Google Prepaid Card? If I reset my payment information, flash a new ROM, then start Wallet again, will I receive that remaining balance again?
Has anyone had any experience with this type of situation?
It's attached to your google account. Next time u open it, your balance will show. I've found that it does not save any cards that you use to reload with tho. That's a good thing tho
My EVO Ways
That's right.
Good luck!
Reset Google Wallet - any way to preserve xact history?
18th.abn said:
It's attached to your google account. Next time u open it, your balance will show. I've found that it does not save any cards that you use to reload with tho. That's a good thing tho
My EVO Ways
I see from the Google Wallet Help though that this will reset the transaction history. Is there any way to preserve that?
I don't know if it can be reflected online or not but I don't think there is a way to preserve it in app.
This is off topic, mainly because I've never used NFC before (yet). Does keeping NFC on (checked) consume additional battery life? Noticed that the phone will say "google wallet now ready"....just wondering..
Thanks
technomom said:
I see from the Google Wallet Help though that this will reset the transaction history. Is there any way to preserve that?
The history and all is actually restored when you go back through the whole Getting Started process.
Duce HD2 said:
This is off topic, mainly because I've never used NFC before (yet). Does keeping NFC on (checked) consume additional battery life? Noticed that the phone will say "google wallet now ready"....just wondering..
Thanks
I leave mine on a lot and sometimes leave it off but rarely notice a difference. If there is one, to me it is a very slight margin.

Question Critical Bug found affecting Google Pay purchases on Pixel Phones

I have found a nasty bug with my Pixel 6 Pro and Google Play. The bug currently makes it so any purchases done through Google Play (including in-app purchases) don't require authentication or a biometric prompt, even though both options, to ask for biometric and to ask to authorize every purchase, are enabled. They all get bypassed.
Here's what I mean:
The main configuration page:
https://imgur.com/Xkw4Ssb
Purchases authentication:
https://imgur.com/BK8mzcQ
I have been able to replicate that issue three times. I've factory reset the phone and only kept the bare minimum. And every time I add my Mastercard credit card to my Google Pay, it bypasses all security measures. So, my kids could take my phone and make my wallet cry. But what is strange is my debit card was added and it never did that bug. Mastercard asks to call the bank and authorize your phone. As soon as my card becomes active, the bug is back.
I've tried to contact Google about this issue, but I've had no one answering me. I don't know what else to do. Can anyone verify and see? Three other people confirmed the bug to me so far and they all have Pixel phones (5, 4a, 6 Pro). I have a video too, but I need to blur it out and I need software for that.
Phone: Pixel 6 Pro
App: Google Pay
Card: Mastercard
Good find! I hope you report it to google
I've reported it to Google Play, Google Pay, Pixel Hardware and Google general update and I've yet to get a proper answer. Everyone just passes the puck, asking me to do many things I've already done, regardless of me saying I've factory reset without backup restore, which is the shotgun approach.
I want to see if this issue is more widespread. I need more sample data. But I don't understand how it could be a problem only affecting me and not other users...
Hello, I have a similar problem I think. When I add my MasterCard card to Google Play, it is impossible to complete the configuration; it blocked the validation of the card.
crappp said:
Hello, I have a similar problem I think. When I add my MasterCard card to Google Play, it is impossible to complete the configuration; it blocked the validation of the card.
That is an entirely different problem. It can happen due to a host of reasons. Maybe your mastercard provider doesn't support Google Pay, maybe you used a VPN, maybe GPay didn't like your IP. It can sometimes be difficult to add cards to GPay. You are not rooted, are you? That makes GPay a bit more complicated.
The card works great of course on my other devices, so I assume it is from the Pixel.
delete
Currently with three tickets open, at Google Play, Google Pay and Google Hardware. All of them are giving me the same answer. Yet, I show video of the bug, they ignore it. I would appreciate if there were people here that can try and test this issue.
Else... I don't get how it could only affect me when my phone is factory fresh and has only a Mastercard credit card added to Google Pay.
Ticket was escalated higher, sent a bug report to Google. Awaiting more info on this bug.
If anyone here could try it on their Pixel phone, it would be appreciated.
From my findings.
Everything updated, Android 12, Google Play up to date
Google Pay with one credit card activated (in my case Mastercard)
Make a purchase of a cheap app. You can get it refunded for free if it's the first time you buy it.
You will never get prompted for the authentication.
Thanks guys
Waibashi said:
Ticket was escalated higher, sent a bug report to Google. Awaiting more info on this bug.
If anyone here could try it on their Pixel phone, it would be appreciated.
From my findings.
Everything updated, Android 12, Google Play up to date
Google Pay with one credit card activated (in my case Mastercard)
Make a purchase of a cheap app. You can get it refunded for free if it's the first time you buy it.
You will never get prompted for the authentication.
Thanks guys
Print authorisation required for me.
Pixel 6 Pro with Feb update...
disregard this message, sent without quoting or reply.
Follow-up: Google has been making me go back and forth with basic troubleshooting. I've yet to get an answer to this bug. I'm trying to find more people with this same issue but it seems I'm the only crazy one out here. *sigh*
To be continued!
simannjo said:
Print authorisation required for me.
Pixel 6 Pro with Feb update...
You have a credit card activated on Google Pay?
Waibashi said:
You have a credit card activated on Google Pay?
Yes I do.
So. Google support is not doing anything and just ignoring my plea. I've ended up with an RMA. Factory sealed phone. Up to date. No restore. Stock OS and only entered my card in Google Pay.
Bam. As soon as I do this. All purchases go thru without any authentication. Straight purchase.
I'm getting really tired by the lack of urgency on this matter from Google. This opens up a lot of issues for phone users with kids and also opens up a lot of room for accidental in-app purchases...
Any way to go further with this issue? This is insane. I can reproduce the issue every time and all I'm getting from Google are emails saying: Hey, sync your accounts.
Waibashi said:
Any way to go further with this issue?
Hit up some of the Android news sites like AndroidPolice and 9to5Google and contact the writers. I would bet they will write some articles on it.
