HUGE security flaw - Samsung Galaxy Nexus

Anyone else uneasy that no matter what if someone finds your phone they can hook up to pc and have access to your internal storage?? Is there no way to change this and have a charge only option under usb?

If someone has your phone plugged into their computer, you either:
1) Are with them
2) Had your phone stolen.
If you have your phone stolen, there's nothing stopping them from battery pulling, going into recovery, and getting all your data from there (granted you're rooted).

Still, I'd rather not have anyone, including nosy friends, get the pics of my ding dong off my phone without my permission...
All kidding aside you see my point right

It's very simple, set a passcode and MTP does not show any data until the phone is unlocked.

beast67x said:
Still, I'd rather not have anyone, including nosy friends, get the pics of my ding dong off my phone without my permission...
All kidding aside you see my point right
I typically prefer nekkids of my gf on my phone vs sausage but to each their own

This is why you should likely have the ability to remote-wipe your device (via Software), and why you need to ponder very carefully what data you keep on your phone. The easiest way to avoid your friends finding pictures you'd rather they don't see is not to keep those pictures on your phone in the first place.
There are encryption-based Lockboxes which function on the Galaxy Nexus, and it does actually support Full-Disk encryption (with many bugs and downsides), but in short, you need to assume that anything on your phone is accessible to anybody who cares enough to take it from you. Remember, security never buys you safety against others getting your data, it just gives you time to respond before they can get access.

Wow, how foolish of me. I totally didn't realize, and I googled this and apparently no one else did either. Thanks

sluflyer06 said:
I typically prefer nekkids of my gf on my phone vs sausage but to each their own
Hahaha it's my own sausage, I swear.
Seriously though, the guy above is correct. Locked my phone, plugged in, and no data shows until I swipe and enter pin

There are also apps you can download to lock certain apps you don't want opened. (Gallery for instance)
I agree though, the safest and best bet is to set a password on your phone and be done with it!

beast67x said:
Hahaha it's my own sausage, I swear.
Seriously though, the guy above is correct. Locked my phone, plugged in, and no data shows until I swipe and enter pin
A setting on the Exchange server of the company I work for reminds me each time I set up my phone that they can remote wipe my phone. As can I, from our Web Access portal for email. Just another option.
Will

Mine doesn't work that way.
I have a pattern set on my galaxy nexus. If I connect it to my computer the "internal storage" doesn't show up until I unlock the phone.
However, if you lost your phone, there are numerous ways to get your data. This applies to most phones out there
Sent from my Galaxy Nexus using XDA App

move the pics you don't want people to see into a hidden folder then they wont show up in the gallery

I have "gotya" installed. Not only will it send me the GPS location of my phone on command, but it will also take a pic of the person using the phone when an incorrect pin is entered. Screw wiping my phone, I'll just go get it myself

Related

Custom rom/mod to block CelleBrite UFED from accessing any info from EVO

http://www.thenewspaper.com/news/34/3458.asp
http://www.cellebrite.com/forensic-products/ufed-physical-pro.html
regardless of my reasons behind this this makes all phones inherently tappable if stolen etc or from other corporate espionage attempts
this is a serious flaw and i would like to see if its possible for you custom rom bakers to cook us up some protection
if they want my info they should subpoena my records from sprint or Google not be able to brute force into any and every phone with a device
i and many others would be more than happy to donate for such a solution especially if it wasn't dependent upon only 1 rom
seen this but doesn't yet support the evo
http://www.whispersys.com/whispercore.html
+1 to this for my hd2 too please! or just android
I'll throw in
We should start a Kickstarter for this or something. Either way, count me in to contribute $150+
I could foresee a specific app that launches when plugged into a computer.
If the phone fails to receive user authorization or is plugged into a blacklisted device (say, CelleBrite UFED), then the phone is locked down/wiped.
And/or spoof information, a fake system dump.
tropicalbrit said:
I could foresee a specific app that launches when plugged into a computer.
If the phone fails to receive user authorization or is plugged into a blacklisted device (say, CelleBrite UFED), then the phone is locked down/wiped.
And/or spoof information, a fake system dump.
excellent thinking glad im not the only paranoid one at this point
or make it so ur phone gives it a virus or borks the device somehow
{ParanoiA} said:
or make it so ur phone gives it a virus or borks the device somehow
Wouldn't want to screw up the device, they ain't cheap. A bit too aggressive
Bumping for continued interest.
im not sure if the fulldisk encryption option in android negates this or not but i believe with ICS if u have full disk encryption enabled should negate what this can do correct me if im wrong
spyngamerman said:
im not sure if the fulldisk encryption option in android negates this or not but i believe with ICS if u have full disk encryption enabled should negate what this can do correct me if im wrong
Only if you can manage to power off your device before the cops take it from you. Otherwise, the data partition is already mounted, and they can suck it down into their UFED via the ADB interface.
A question, though: if you have USB debugging disabled, then ADB isn't available over USB, so could the UFED still access your data? The cops would need to turn on USB debugging, wouldn't they? And if you have a pattern/passcode lock, they wouldn't be able to get into the settings to do it.
Anyway, encrypting your data partition and powering off your phone before the cops get to it is the safest option. Use a really long passphrase, though, because they could still grab an image of your encrypted data partition and take it to a lab where they could try to brute-force the passphrase.
whitslack said:
Only if you can manage to power off your device before the cops take it from you. Otherwise, the data partition is already mounted, and they can suck it down into their UFED via the ADB interface.
A question, though: if you have USB debugging disabled, then ADB isn't available over USB, so could the UFED still access your data? The cops would need to turn on USB debugging, wouldn't they? And if you have a pattern/passcode lock, they wouldn't be able to get into the settings to do it.
Anyway, encrypting your data partition and powering off your phone before the cops get to it is the safest option. Use a really long passphrase, though, because they could still grab an image of your encrypted data partition and take it to a lab where they could try to brute-force the passphrase.
yes good points
the simplest method i find to protect against this is use Full disc encryption for starters
then use cryptfs to set a long ass password for preboot and keep a short pin for lockscreen that's reasonable and have a nice shortcut for immediate poweroff on lockscreen if concerned about this and then powering off is easy/fast
and ofc keep usb debugging off unless needed
if your really adventurous you can also use yubikey key second slot for partial password for the preboot if you have a microsd adapter for it and your device supports it preboot via OTG etc as input
then
type in a brainpassyouknow+yubikeyslot2
and its 2 factor auth and secure as **** long ass random password combining something you know and something you have
I'm also interested in this project
Let me tell you a little story about a guy (me) who was sitting in a car while his girlfriend was working when an officer approached. I wasn't doing anything wrong but due to a little misfortune I had nowhere I could go and stay so I had to just sit in the car until she was done working. The cop came to the car and asked me what I was doing and why I was sitting in the car on my laptop in a public garage. I told him I had nowhere to go and I was waiting on my girl. I noticed his hand placed on his weapon and I realized very quickly this was not going to be a casual encounter. He asked me to step out of the vehicle and I asked him why. Now I know normally you shouldn't question an officer but something seemed very off about this gentleman. It was when I locked the doors that things started to escalate and my anxiety went through the roof. I told the officer that I did not feel safe with him holding his weapon to me when I had done absolutely nothing wrong. He just became agitated like a guy on steroids and called in some other officers. Well, things weren't looking good for me but I decided to try and use my phone camera as some added protection so I wouldn't get shot for absolutely no reason at all. Well, the cops did back off, but this is where things got really crazy. A few minutes later, and it couldn't have been more than 5 minutes, my phone went to some screen like when you have emergency dialing only. I tried calling my girlfriend's job but nothing worked at all. I got scared so I dialed 911...NOTHING!!! These guys basically turned my phone into a paperweight. I couldn't do anything with it. I didn't know what to do so I called out the window to a crowd of people and told them to call 911 for me. I then noticed the officers leaving in their vehicles and I got out and ran to my girlfriend's job where I stayed until she got off of work.
Now in all of this there are two main points that I really feel are extreme issues. One is how is it legal for anyone, even an officer of the law, to take away your ability to use emergency services?? And second, why do they need this software that basically can give them an opening to do whatever they want to you without you being able to protect yourself? Law enforcement is becoming more and more alarming to me with all the technology that they have at their disposal. I say if they want to be able to have surveillance on us 24/7 I believe we should get the same respect. We cannot stand by and have our basic human rights violated like this!!!!

I could really use some advice from a technical standpoint please

Hi everyone. I recently got a T989 from Telus, to which I used an Ebay unlocked. Now first things first....I have never had my email account or any account hacked. My computers in my home are virus free, so I have eliminated them. Within a week of using my T989 with Mobilicity, my gmail account (which my phone knows the password to) was hacked and logged in by someone in the U.S (Gmail shows IP logins) and they spammed my entire contact list. Now I am trying to think of ways this could have happened, but I honestly think the phone may have a keylogger or something on it.
Here are the steps they had me carry out (and it did unlock the phone immediately).
Download and install necessary files
http://www.UnlockClient.com/SAMSUNG_USB_Driver.exe
http://www.UnlockClient.com/dotNetFx40_Full_setup.exe
Very simple procedure:
1. Enter your paypal email or start in demo mode
2. Type *#7284# and select USB - Modem
3. Type *#9090# and select [1] USB
4. Exit service menu and reboot the phone
5. Once phone rebooted connect the phone and computer
6. Wait until all drivers are installed
7. Click "Unlock" button
8. Enter 00000000
Here is the auction for this unlock I got. http://www.ebay.ca/itm/280852210909?ssPageName=STRK:MEWNX:IT&_trksid=p3984.m1497.l2649
Is there anything there that I should worry about? Or is there any possibility they have someone routed everything I do on my phone through them? I am seriously worried about my online banking information and such. Thank you very much in advance.
not sure if serious?
- taz b.
Why wouldn't I be serious? Isn't this a legitimate conclusion? I don't have a lot of posts but I have been lurking for years. I am serious however.
Unlocking a phone is really a matter of entering a simple code in one step. All your steps there including entering your PayPal account, connecting USB?? and installing drivers are unnecessary and sketchy at best.
I've seen some reputable phone unlocking sites but definitely never seen something like that from eBay.
If I were you I would try a darkside full wipe and go back to whatever was at a safe state before.
Sent from my SAMSUNG-SGH-T989 using XDA
Oh I have wiped many times. The problem is that I don't think any of that wipe stuff will go back to factory settings in those *# menus or for the modem settings etc.
I know an unlock code is all that is needed, but I bought from a website that couldn't find the code. This one offered an instant unlock by a program (like the ones shops use) to unlock.
I am also not dumb, the paypal account doesn't require a password or anything it is just a way to identify your keys.
wy2sl0 said:
Oh I have wiped many times. The problem is that I don't think any of that wipe stuff will go back to factory settings in those *# menus or for the modem settings etc.
I know an unlock code is all that is needed, but I bought from a website that couldn't find the code. This one offered an instant unlock by a program (like the ones shops use) to unlock.
I am also not dumb, the paypal account doesn't require a password or anything it is just a way to identify your keys.
And did you test your phone with a different sim card? Everything is functional?
As far as I know, the legitimate way and the only way to unlock a phone is through the codes generated by the database. All the reputable sites that unlock phones that I know of, all use codes to unlock. When I had bought my telus g2sx the store unlocked it using the code.
Something like a keylogger would be app level, not modem info or hardware level. Also, something transmitting every keystroke would use a LOT of data and battery.
First thing I would do, personally, is check my battery stats to see if any app was using a suspicious amount of battery.
In my opinion, it wouldn't make sense for a company who already got your money for an unlock service to install a key logger to spam your Gmail contacts.
Just my two cents. It would take a tremendous amount of technology to track everyone who used the service. Not to mention man hours in sifting through collected data.
Check the battery stats. Settings>About Phone>Battery Use.
Hope this helps in any way. Hacked accounts are always a bummer man.
Weird, I used that site a week or two ago and nothing like that happened to me. Makes me worried now.
I didn't use ebay though, I did it directly from the site. You could always re-flash your phone to stock then update it, that would eliminate any possibility of odd software.
In step 1, did you run a program on your computer, on the phone or both?
anomy13 said:
Unlocking a phone is really a matter of entering a simple code in one step. All your steps there including entering your PayPal account, connecting USB?? and installing drivers are unnecessary and sketchy at best.
I've seen some reputable phone unlocking sites but definitely never seen something like that from eBay.
If I were you I would try a darkside full wipe and go back to whatever was at a safe state before.
Sent from my SAMSUNG-SGH-T989 using XDA
If you want your phone as clean as possible then do this in recovery
go to mounts and storage format /data format /system format /cache format/emmc. Then flash the super wipe followed by the rom but remember doing it this way deletes everything from your phone.
Sent from my SGH-T989 using Tapatalk 2
probably had nothing to do with the unlock, but more likely you had someone arp attack your wifi on an open hotspot and they just nabbed your password.
I fiddle with this in coffee shops all the time and i always leave with a list of facebook, youtube, gmail hotmail and other passwords.
I'm not a spammer, i just like to see how insecure things are and if any one is intelligent to use ssl... even though ssl can be stripped from a packet now lol
-Mr. X- said:
probably had nothing to do with the unlock, but more likely you had someone arp attack your wifi on an open hotspot and they just nabbed your password.
I fiddle with this in coffee shops all the time and i always leave with a list of facebook, youtube, gmail hotmail and other passwords.
Isn't GMail SSL now?
Joe USer said:
Isn't GMail SSL now?
and ssl can be stripped from packets now. Intercept the packet and then use it to sign in. then profit.
an app to play with if you want to try it out for yourself is faceniff for Android.
-Mr. X- said:
probably had nothing to do with the unlock, but more likely you had someone arp attack your wifi on an open hotspot and they just nabbed your password.
I fiddle with this in coffee shops all the time and i always leave with a list of facebook, youtube, gmail hotmail and other passwords.
I'm not a spammer, i just like to see how insecure things are and if any one is intelligent to use ssl... even though ssl can be stripped from a packet now lol
Any recommendations to protect yourself then?
sent from the darkside of the galaxy
Z-Man™ said:
Any recommendations to protect yourself then?
sent from the darkside of the galaxy
dont use open hotspots at coffee shops and stuff like that. look for the shady nerd in the corner, and i think there is an app that can detect if your wifi is being arp spoofed.
https://play.google.com/store/apps/details?id=com.gurkedev.wifiprotector&hl=en
i think there may be free ones too, i don't know. but that app will detect if you're being attacked by a man in the middle/arp spoofing
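Added example, not part of any post in this thread and not the code of the app linked above: one way a Linux or Android client can look for the ARP-spoofing indicators discussed here, by comparing two snapshots of `/proc/net/arp`. The sample tables, addresses and function names are constructed for illustration.

```python
"""ARP-spoofing indicators from two /proc/net/arp snapshots (added example)."""
from collections import defaultdict

# Constructed sample data: the ARP cache of a Wi-Fi client before and after
# another host on the same network starts answering for the gateway address.
BEFORE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         aa:bb:cc:00:00:01     *        wlan0
192.168.1.23     0x1         0x2         aa:bb:cc:00:00:17     *        wlan0
"""
AFTER = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         aa:bb:cc:00:00:17     *        wlan0
192.168.1.23     0x1         0x2         aa:bb:cc:00:00:17     *        wlan0
192.168.1.40     0x1         0x0         00:00:00:00:00:00     *        wlan0
"""

ATF_COM = 0x2  # kernel flag: the entry is complete (a MAC address was learned)


def parse_arp(text):
    """Return {ip: mac} for completed entries, skipping the header row."""
    table = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, mac = fields[0], int(fields[2], 16), fields[3].lower()
        # Unresolved neighbours show up with flags 0x0 and an all-zero MAC.
        if not flags & ATF_COM or mac == "00:00:00:00:00:00":
            continue
        table[ip] = mac
    return table


def find_indicators(before, after, gateway_ip):
    """Compare two snapshots and list findings worth a closer look.

    Both signals can have benign causes (roaming to another access point,
    a router that owns several addresses), so treat them as alerts to
    investigate, not as proof of an attack.
    """
    old, new = parse_arp(before), parse_arp(after)
    findings = []

    # Indicator 1: the gateway IP now resolves to a different MAC address.
    if gateway_ip in old and gateway_ip in new and old[gateway_ip] != new[gateway_ip]:
        findings.append(
            ("gateway_mac_changed", gateway_ip, old[gateway_ip], new[gateway_ip])
        )

    # Indicator 2: one MAC address answers for more than one IP address.
    ips_by_mac = defaultdict(list)
    for ip, mac in new.items():
        ips_by_mac[mac].append(ip)
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            findings.append(("mac_shared", mac, tuple(sorted(ips))))

    return findings


if __name__ == "__main__":
    for finding in find_indicators(BEFORE, AFTER, "192.168.1.1"):
        print(finding)
```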
I don't use Wi-Fi hotspots since I have unlimited data on my phone. I really don't understand how this could've happened.
wy2sl0 said:
I don't use Wi-Fi hotspots since I have unlimited data on my phone. I really don't understand how this could've happened.
its not just your phone that is at risk for these attacks. anything you sign on with is if some one does the man in the middle attack, among other attacks.
Other reasons besides your phone unlocking are the root cause of your issue. It's unfortunate nonetheless, but man in the middle password sniffing and phishing are the leading causes i see at work for your spamming hijacking. i work with this stuff daily.
wy2sl0 said:
I don't use Wi-Fi hotspots since I have unlimited data on my phone. I really don't understand how this could've happened.
Did you ever figure out if unlockclient.com had injected some malware in your device?
Has anyone on this site had problems with them, or has any developer had a chance to check what they are doing?

[Q] Is our information really secure from theft?

If you are like me, you should have all your favorite apps, documents, pictures etc. stored right on your phone that basically gives a full picture of who you are as an individual. You also have been pretty satisfied with the pattern, pin number, password or face unlock or all of these together as a security you have in place to prevent unauthorized access. But here is something that happened by accident that led me down this thought process. While trying to yank out the phone from my pocket while driving (which when you are getting a phone call especially becomes the most impossible task), I noticed that the phone "Power Down", "Restart", "Airplane Mode" pop up was on. This is on top of my regular swipe to unlock with pin number lock screen. This made me curious and noticed that the back button will work to close this pop up and also the power button works to reactivate this pop up. I hope everyone is with me till here. What surprised me was that the phone will actually turn off or restart from this point without the need for an unlock code. This means anyone with rooting and backup knowledge can steal my phone, restart my phone into recovery and wipe it to make the phone their own or just create a backup (CWM) and through that access my personal information. I know that photos and documents stored on the external card is open unless encrypted. But I hoped the internal data would be secure.
What do you guys think about this? Is there any app that would prevent access to the phone while locked via hard keys? What do you do to keep your information safe?
TL;DR version
If phone is stolen and person has knowledge of android they can factory reset your phone, even if you have a password setup. If they enter recovery they can wipe data and factory reset your phone and now it is usable for them.
My theory if you have your phone rooted I wish there was a way to lock the recovery with a password. Unfortunately ODIN will always be available able to get back to stock. Cerberus is a great app to have full control of phone if stolen FYI
DesperateScorpion151 said:
What do you guys think about this? Is there any app that would prevent access to the phone while locked via hard keys? What do you do to keep your information safe?
As soon as I realize it is missing I would activate the wipe feature in this software.
https://play.google.com/store/apps/details?id=com.lookout&hl=en
If I have your phone in my possession I guarantee I can hack it regardless of any security measure you may take, so the best solution is to be able to wipe it remotely.
technically even a remote wipe is not enough if the thief is knowledgeable. I accidentally wiped flashing in Odin with nand erase checked and recovered everything that was on it using this
http://forum.xda-developers.com/showthread.php?t=1994705 so you're never completely safe
Exactly my point like everyone else confirms it here. We have advanced so much to a point that even a 9 year old (not that 9 is too young to know computer basics) who is familiar with basics on rooting after reading through forums after forums can get away with stealing a smart phone now a days. At this point the only way I could think of protecting my data (first priority) and then track my phone is if the tracker is incorporated into the boot loader or recovery itself on top of what ever software you have installed in the OS. So if the thief tries to unlock my phone after a restart, the installed software should take care of the rest but If he/she is smart enough to go via boot loader or recovery then the incorporated tracker can do its thing. Anything of that sort exists?
Did you forget you could just pull the battery to get into recovery?
Why do you need to pull the battery?
Aerowinder said:
Why do you need to pull the battery?
You don't, but its easier than going through all of the steps OP posted.
I really doubt my data is worth anything. Pictures of my cats aren't exactly hot commodities and I don't store anything on my phone that I wouldn't publicly reveal, anyway.
I wouldn't be worried about my worthless information, just annoyed I was dumb enough to let it get stolen. Yeah, I know that basically anyone with half a brain can wipe a phone and re-sell it - it always amazes me when people think that thieves aren't smart enough to do that.
I'm cynical. Saves a lot of worry since I just expect the worst, I guess.
They get into your email where it may be more info to compromise.
Sent from my SGH-T999 using xda app-developers app
I would be less worried about the minute possibility of a phone thief targeting your personal information than I would be about your personal data being mined from your phone by numerous applications.
Bottom line is, if you use Google or Facebook, you personal information is already in the hands of giant corporations who will never be held accountable for the theft of your personal info.
Take Facebook for example - within the app, the only time it should ever ping your location is if you are using FB chat and have the location setting enabled. However, even when you disable location within FB chat, every single time you open Facebook it uses your GPS to get your location. Every time.
In addition, although you are unable to see it in action because there is no notification icon for it, I would bet a million bucks it's also pulling your network location if your GPS is off.
Facebook is constantly working in the background - even if you never opened it.
Google? I won't even begin to try and explain the amount of data they are collecting from you. As is T-Mobile, Sprint, Verizon, ATT, etc. every single second that your phone is on with data enabled.
Should we be concerned with some random thief who knows the ins and outs of Android pulling your data? Sure, we should think about it. But the reality is, if you own a smart phone your information is already out there in the hands of companies who will use it to any end they can in order to turn a profit. Period.
But while I see the pros and cons of different parts involved in using social networks and so forth, one thing we can (at least for now) be certain of is that they won't use your credit card information etc. to make illegal purchases and so forth. I know of a person who routinely used the credit card app to check balance, pay bill etc. and next thing he was getting phone calls to see if the purchases made at a casino in Spain are OK?! This is without ever losing the phone!! So, it could be worse in the case of phone loss. Sure, personal data, pictures and even email to some extent is not as bothersome to me as identity theft. Thanks to some anti-fraud features of the banks etc. one can deny and simply not be associated with that activity (of course in legitimate cases). My friend ended up getting another card with different number and they closed the online banking account. He had to re-register all over with another id. So, it can be a big hassle. I heard of cases where people had to hire lawyers and run around courts to prove their innocence due to identity theft. Of course if you keep a picture of your driving licence on the phone, you are really asking for it so... (trust me, one girl was doing this because she didn't want to carry her purse/wallet on night outs)
Having said that, I am always worried if the roms we download here in XDA have trojans or backdoors built into kernels and system files... I know that it is like doubting even the good devs but how do we know for sure? Unless you are really an in-depth expert and figure out all the details such as processes and ports that are open and so forth, how do you really know? The phone's data icons keep pinging back and forth every now and then and at times I wonder what's being sent and what is it receiving... just sync'ing contacts...or...??
Call me paranoid but, after what happened to my friend, and similar stories, I am a bit skeptical about the security and integrity of the ROMs in the first place... Now, mostly I download and try different roms and settle on one that suits my preferences. I use the phone for calls as well as to make general tasks easier in many aspects except financial transactions. In short, I don't trust my smart phones.
For those of you wondering what Google is tracking, (not by any means the only place to look) login to your gmail account and look around different settings. You'll see web history, phone data to name a few..

HTC One X - screen broke, access via MHL.

Hi guys!
This is definitely something weird and I can all but guarantee you haven't come across something like this before!!
Ok so, my friend broke his HTC One X, cracked the screen, but it still works. - he just wants the data off it.
Now, i have an MHL cable, plugged that in, rebooted the phone and went from there...the only issue is it boots in landscape. so when we pull the ring to unlock the device, because of poor software in the phone it just FILLS the whole screen with an "emergency call" massive button, but the emergency call text is skewered to the left hand side of the phone. Thus, we cannot enter his username and password into the input fields to give him his access back to his phone!!
Although funnily enough, the phone mysteriously loaded up once in portrait (so we could imagine the keyboard on the screen), but after 100 of attempts its not giving it us again, which means we cant enter his gmail user and pass in again!
In fact, when it did load up in portrait, we entered his gmail address and password, pressed sign in...PATIENTLY WAITED...and it said the password was incorrect! FUUUUUU. Also, data is disabled on his phone (maybe why it fired the issue with it saying password was incorrect), and now we're back to square one, trying to get the phone to load up in portrait.
I recall, back when i had my Galaxy S2, that i once flashed a kernel to the device and it would mysteriously remove the password...the only issue we have with this is that the HTC One X, (if it does boot to recovery), doesn't display through MHL, so we can't flash anything to the phone anyway!! basically TOTAL lockout!
So guys...any assistance at all, because he's deeply upset the fact he's going to lose all of his files!!
Regards,
meeeeelz
meeeeelz said:
Hi guys!
This is definitely something weird and I can all but guarantee you haven't come across something like this before!!
Ok so, my friend broke his HTC One X, cracked the screen, but it still works. - he just wants the data off it.
Now, i have an MHL cable, plugged that in, rebooted the phone and went from there...the only issue is it boots in landscape. so when we pull the ring to unlock the device, because of poor software in the phone it just FILLS the whole screen with an "emergency call" massive button, but the emergency call text is skewered to the left hand side of the phone. Thus, we cannot enter his username and password into the input fields to give him his access back to his phone!!
Although funnily enough, the phone mysteriously loaded up once in portrait (so we could imagine the keyboard on the screen), but after 100 of attempts its not giving it us again, which means we cant enter his gmail user and pass in again!
In fact, when it did load up in portrait, we entered his gmail address and password, pressed sign in...PATIENTLY WAITED...and it said the password was incorrect! FUUUUUU. Also, data is disabled on his phone (maybe why it fired the issue with it saying password was incorrect), and now we're back to square one, trying to get the phone to load up in portrait.
I recall, back when i had my Galaxy S2, that i once flashed a kernel to the device and it would mysteriously remove the password...the only issue we have with this is that the HTC One X, (if it does boot to recovery), doesn't display through MHL, so we can't flash anything to the phone anyway!! basically TOTAL lockout!
So guys...any assistance at all, because he's deeply upset the fact he's going to lose all of his files!!
Regards,
meeeeelz
If you're asking for a method to bypass security, and access an accounts information on a device, I am definitely NOT happy divulging any means to do so.
No-one should ever ask for, nor should anyone ever provide, the means of bypassing any security, logging into any accounts, or accessing device data.
No offence, but you could be anybody and this device could have been acquired by any means.
rubed otallsn
Tigerlight said:
If you're asking for a method to bypass security, and access an account's information on a device, I am definitely NOT happy divulging any means to do so.
No-one should ever ask for, nor should anyone ever provide, the means of bypassing any security, logging into any accounts, or accessing device data.
No offence, but you could be anybody and this device could have been acquired by any means.
I'm asking for a method to force the screen to display in portrait!
After doing a bit of research I've noticed a lot of people would come to this conclusion, any assistance at all in WHY the username and password for my friend's Gmail account allows us to sign in via Google, but NOT on the One X, even though it's the only email address in use on the phone!
Is there any way at all of putting the phone into a recovery mode of sorts, maybe via the emergency dial pad?
Understandably there is a lot of confusion/anger towards this subject, but when it comes to 2 people trying to get into a device that is their own...any reasonable suggestion is welcome!!
You could always unlock the bootloader and use a custom recovery, then mount the phone as mass storage there.
However this would void his warranty; then again it depends how he broke the screen.
It may be booting portrait as it thinks it's in a dock; you tried without the cable?
Sent from my HTC One X using xda app-developers app
treebill said:
You could always unlock the bootloader and use a custom recovery, then mount the phone as mass storage there.
However this would void his warranty; then again it depends how he broke the screen.
It may be booting portrait as it thinks it's in a dock; you tried without the cable?
Sent from my HTC One X using xda app-developers app
Hey!!
Thanks for the idea but we can't tell if it's booted in recovery even with the necessary key combo to get it into that mode...we're running out of ideas...I'm really annoyed that the user and pass for his Gmail didn't actually let him in the phone...what other email address would Google keep as a backup to confirm he is the owner of the phone?!
Also, the screen is completely destroyed, the digitizer however works lovely!
Alas, any more ideas? x
meeeeelz said:
Hey!!
Thanks for the idea but we can't tell if it's booted in recovery even with the necessary key combo to get it into that mode...we're running out of ideas...I'm really annoyed that the user and pass for his Gmail didn't actually let him in the phone...what other email address would Google keep as a backup to confirm he is the owner of the phone?!
Also, the screen is completely destroyed, the digitizer however works lovely!
Alas, any more ideas? x
If you're connected to a network it should work fine with a Gmail/pass; however, if you can't actually see, how do you know what you're typing or even if you are typing?
treebill said:
If you're connected to a network it should work fine with a Gmail/pass; however, if you can't actually see, how do you know what you're typing or even if you are typing?
Genuinely, we've tried his Gmail username and password on the lucky attempt that it loaded in portrait!!! It just says it's invalid!! :|
Also, I was aware that the actual Gmail account as such was stored locally on the device, and didn't need a data connection?
Thanks again guys!
HTC One X ran over by a car... Data Recovery
meeeeelz said:
Hi guys!
This is definitely something weird and I can all but guarantee you haven't come across something like this before!!
Ok so, my friend broke his HTC One X, cracked the screen, but it still works. - he just wants the data off it.
Now, I have an MHL cable, plugged that in, rebooted the phone and went from there...the only issue is it boots in landscape. So when we pull the ring to unlock the device, because of poor software in the phone it just FILLS the whole screen with an "emergency call" massive button, but the emergency call text is skewered to the left hand side of the phone. Thus, we cannot enter his username and password into the input fields to give him his access back to his phone!!
Although funnily enough, the phone mysteriously loaded up once in portrait (so we could imagine the keyboard on the screen), but after 100 of attempts it's not giving it us again, which means we can't enter his Gmail user and pass in again!
In fact, when it did load up in portrait, we entered his Gmail address and password, pressed sign in...PATIENTLY WAITED...and it said the password was incorrect! FUUUUUU. Also, data is disabled on his phone (maybe why it fired the issue with it saying password was incorrect), and now we're back to square one, trying to get the phone to load up in portrait.
I recall, back when I had my Galaxy S2, that I once flashed a kernel to the device and it would mysteriously remove the password...the only issue we have with this is that the HTC One X (if it does boot to recovery) doesn't display through MHL, so we can't flash anything to the phone anyway!! Basically TOTAL lockout!
So guys...any assistance at all, because he's deeply upset at the fact he's going to lose all of his files!!
Regards,
meeeeelz
Well, I tried several display options, but upon opening my ex's phone, which she decided to stiff me on a 2 year contract and run over the phone with a car. The main board was broken and the digitizer and screen were broken... I had access to a working HTC One X so I took the motherboard, battery assembly reconnected into the working shell with the functional main board and voila! All info and in my case lies revealed... There is also a rainbow table available with an app on GitHub that will circumvent any password on the phone using a Dual Mini USB go cable I believe, it is demonstrated on the Hak5 show... Hope this helps!

What security options do we have?

A little while ago my brother had his iPhone 6 snatched. Now with iPhone, I know it cannot be mounted to USB directly or even via recovery.
I know pin, fingerprint etc. block access to the phone. I want to understand about other ways to access internal storage to gain access to photos and any other documents.
That makes me ask - what security options do we have for Android - in particular OP3 (have 2 of them) and how can we make it more secure? Both my phones have Blu_spark TWRP + Freedom OS 2.10, if that matters.
Just to share, I found following to be foolproof
- Setup Pin + Fingerprints
- Setup Pin / Password for phone startup
This
- Keeps the device encrypted
- Unable to boot without pin
- Unable to access TWRP without pin
- Doesn't auto-mount on USB connect
Still, it would be interesting to hear about any cons of the above setup.
hyperorb said:
A little while ago my brother had his iPhone 6 snatched. Now with iPhone, I know it cannot be mounted to USB directly or even via recovery.
I know pin, fingerprint etc. block access to the phone. I want to understand about other ways to access internal storage to gain access to photos and any other documents.
That makes me ask - what security options do we have for Android - in particular OP3 (have 2 of them) and how can we make it more secure? Both my phones have Blu_spark TWRP + Freedom OS 2.10, if that matters.
The easiest is to not get it snatched. Or if it does, you chase them down and get your phone back. But barring that, not a lot you can really do and I'll explain why.
When someone steals a phone, they don't care about the data on it. They are either gonna sell it or use it. Either way the device has the SIM removed within sec of it being taken and then it is reset or flashed to stock to remove any and all locks. This normally happens within minutes if not seconds of a device being stolen.
zelendel said:
The easiest is to not get it snatched. Or if it does, you chase them down and get your phone back. But barring that, not a lot you can really do and I'll explain why.
When someone steals a phone, they don't care about the data on it. They are either gonna sell it or use it. Either way the device has the SIM removed within sec of it being taken and then it is reset or flashed to stock to remove any and all locks. This normally happens within minutes if not seconds of a device being stolen.
Interestingly that was not the case. They remained in contact and kept on asking for phone passcode; which we did not give.
I'm not aware if it's equally easy on iPhone to enter into (kind of) fastboot mode and erase entire storage. In such case the loss remains of the phone and nothing else; especially when we may have financial apps too on the phone.
hyperorb said:
Interestingly that was not the case. They remained in contact and kept on asking for phone passcode; which we did not give.
I'm not aware if it's equally easy on iPhone to enter into (kind of) fastboot mode and erase entire storage. In such case the loss remains of the phone and nothing else; especially when we may have financial apps too on the phone.
No, Apple doesn't have the option. Main reason the FBI had to pay to have an iPhone unlocked not too long ago.
Part of the reason I never advise doing any sort of banking on a device, as there are just too many security risks. I mean, even Android keyboards monitor what you type.
hyperorb said:
A little while ago my brother had his iPhone 6 snatched. Now with iPhone, I know it cannot be mounted to USB directly or even via recovery.
I know pin, fingerprint etc. block access to the phone. I want to understand about other ways to access internal storage to gain access to photos and any other documents.
That makes me ask - what security options do we have for Android - in particular OP3 (have 2 of them) and how can we make it more secure? Both my phones have Blu_spark TWRP + Freedom OS 2.10, if that matters.
Cerberus is a really nice app... You have a lot of options, sadly it isn't free! But heyy, it's cheap and it's functional! Other than that, keep your device encrypted and a boot password should do.
As long as you're not rooted and unlocked, it will be a bit hard for a thief to have access to your phone. Leaving ADB on might as well decrease the overall security of the phone.
I for example was given a tablet which had a Google account synced with it, and resetting from recovery only made me re-enter the credentials previously used to be able to pass the setup.
My luck was that the guy left ADB on and with a simple command I bypassed the setup screen.
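An added example (not part of any post in this thread): a small Python check of the settings the posts above name (encryption, a locked bootloader, ADB left on), run over saved `adb shell getprop` output from your own phone. The sample output and the finding names are constructed for illustration; the property names are standard Android ones, but it is an assumption that a given OEM reports all of them.

```python
import re

# Constructed sample of `adb shell getprop` output from a hypothetical device
# (not taken from the thread). Real devices print hundreds of such lines.
SAMPLE_GETPROP = """\
[ro.crypto.state]: [unencrypted]
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.flash.locked]: [0]
[ro.debuggable]: [0]
[persist.sys.usb.config]: [mtp,adb]
"""

# Constructed result of `adb shell settings get global adb_enabled`.
SAMPLE_SETTINGS = {"adb_enabled": "1"}

_PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(text):
    """Turn `[key]: [value]` lines into a dict, ignoring anything malformed."""
    props = {}
    for line in text.splitlines():
        m = _PROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def audit(props, settings):
    """Return a sorted list of (check, detail) findings for weak settings.

    A missing value is reported as 'unknown' rather than assumed safe,
    because not every OEM exposes every property.
    """
    findings = []

    def check(name, key, good, source):
        value = source.get(key)
        if value is None:
            findings.append((name, "unknown: %s not reported" % key))
        elif value not in good:
            findings.append((name, "%s=%s" % (key, value)))

    check("storage-encryption", "ro.crypto.state", {"encrypted"}, props)
    check("bootloader-lock", "ro.boot.flash.locked", {"1"}, props)
    check("verified-boot", "ro.boot.verifiedbootstate", {"green"}, props)
    check("debuggable-build", "ro.debuggable", {"0"}, props)
    check("adb-setting", "adb_enabled", {"0"}, settings)

    # ADB listed among the persistent USB functions survives a reboot.
    usb = props.get("persist.sys.usb.config", "")
    if "adb" in usb.split(","):
        findings.append(("usb-functions", "persist.sys.usb.config=%s" % usb))
    return sorted(findings)


if __name__ == "__main__":
    for name, detail in audit(parse_getprop(SAMPLE_GETPROP), SAMPLE_SETTINGS):
        print("%-20s %s" % (name, detail))
```

An empty result means none of these checks found a weak setting; it says nothing about lock-screen strength, which these properties do not expose.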
hyperorb said:
Interestingly that was not the case. They remained in contact and kept on asking for phone passcode; which we did not give.
I'm not aware if it's equally easy on iPhone to enter into (kind of) fastboot mode and erase entire storage. In such case the loss remains of the phone and nothing else; especially when we may have financial apps too on the phone.
Not sure about iPhones, but for newer Android phones, as long as you are encrypted and have a pin/password set for boot, a thief would just wipe the phone, return to stock and sell or use it. 99.9% of the time they just want money, so the likely reason they wanted your pass code is they couldn't sell it 'cause they were blocked from resetting it temporarily. As long as they have a physical device and unlimited time they will eventually reset it and get rid of it.
Renosh said:
Not sure about iPhones, but for newer Android phones, as long as you are encrypted and have a pin/password set for boot, a thief would just wipe the phone, return to stock and sell or use it. 99.9% of the time they just want money, so the likely reason they wanted your pass code is they couldn't sell it 'cause they were blocked from resetting it temporarily. As long as they have a physical device and unlimited time they will eventually reset it and get rid of it.
Exactly. If someone steals your device, 99.98% of the time it is to use it or sell it. Either way your data is meaningless.
As for them wanting your pass code, the above is right. But as they couldn't reset it you could have reported it stolen and the police may be able to find it, but most of the time they have better things to do than recover a lost cell phone.
I used to work with people that dealt with stolen cell phones. I can say that normally, within 30 min of a device being stolen, the data is gone. And when I say that I mean a complete DOJ style wipe, format and IMEI change.
zelendel said:
No, Apple doesn't have the option. Main reason the FBI had to pay to have an iPhone unlocked not too long ago.
Part of the reason I never advise doing any sort of banking on a device, as there are just too many security risks. I mean, even Android keyboards monitor what you type.
....so do all iOS keyboards, both first and third party. it's required for them to function
---------- Post added at 09:25 AM ---------- Previous post was at 09:23 AM ----------
zelendel said:
Exactly. If someone steals your device, 99.98% of the time it is to use it or sell it. Either way your data is meaningless.
As for them wanting your pass code, the above is right. But as they couldn't reset it you could have reported it stolen and the police may be able to find it, but most of the time they have better things to do than recover a lost cell phone.
I used to work with people that dealt with stolen cell phones. I can say that normally, within 30 min of a device being stolen, the data is gone. And when I say that I mean a complete DOJ style wipe, format and IMEI change.
This is exactly why that semi-recent feature added by Google, which requires you to log in with the previously added Google account in the phone before initial setup following a factory reset, is very useful - it makes the phone unusable/unsellable (unless I'm missing something?)
2x4 said:
....so do all iOS keyboards, both first and third party. it's required for them to function
---------- Post added at 09:25 AM ---------- Previous post was at 09:23 AM ----------
This is exactly why that semi-recent feature added by Google, which requires you to log in with the previously added Google account in the phone before initial setup following a factory reset, is very useful - it makes the phone unusable/unsellable (unless I'm missing something?)
That can easily be bypassed by wiping the data off the device and flashing a stock ROM to it. The only thing the FRP does is prevent them from getting at the data.
No, it's not really. It's so they can send relevant ads. Those that remember smartphones before Apple or Android know that it is not really needed.
zelendel said:
That can easily be bypassed by wiping the data off the device and flashing a stock ROM to it. The only thing the FRP does is prevent them from getting at the data.
but how can they flash a stock ROM onto the device if the "require PIN before startup" option is selected? how can they flash if recovery has a PIN on it?
2x4 said:
but how can they flash a stock ROM onto the device if the "require PIN before startup" option is selected? how can they flash if recovery has a PIN on it?
Because that is before startup and not the bootloader; even with those set up they normally don't cover download mode or whatever mode that particular OEM uses (not all use the same). In extreme cases, with some apps that make it a bit harder or people just don't want to be bothered to mess with things too deeply, there are tools available that will push the update right to the board, bypassing all security. Sure, it's a little extra work, but it is a sure bet when you can't get into a device and can't be bothered hunting down getting around it.
Also for the passwords on startup, any password cracker would take out the average password in a matter of min.
This has been very interesting and so much to learn. Thank you all for great inputs.
zelendel said:
I never advise doing any sort of banking on a device, as there are just too many security risks. I mean, even Android keyboards monitor what you type.
Yes. But then Microsoft too is not clean. Browser , Windows.... That way we can never work.
Puddi_Puddin said:
Cerberus is a really nice app...
Have it in all my Androids. Very helpful at times, even for non theft purpose..
XDRdaniel said:
Leaving ADB on, might as well decrease the overall security of the phone.
Thanks. Will read more on this.
Renosh said:
for newer Android phones, as long as you are encrypted and have a pin/password set for boot, a thief would just wipe the phone, return to stock and sell or use it. 99.9% of the time they just want money, so the likely reason they wanted your pass code is they couldn't sell it 'cause they were blocked from resetting it temporarily. As long as they have a physical device and unlimited time they will eventually reset it and get rid of it.
Once a phone is lost, there's little chance to get it back. Device loss is one thing and data loss (or rather data access) is another. The latter at times can have more problems.
I used to keep my id papers (for ease of printing anywhere as needed) on phone (Nokia N5). Lost that phone .. and till date I hope no one used those to buy services, do illegal stuff. That was a lesson learnt the hard way.
zelendel said:
Either way your data is meaningless.
Depends where you are. There are places where one can avail services in other's name using fake ids or stolen data etc.
2x4 said:
This is exactly why that semi-recent feature added by Google, which requires you to log in with the previously added Google account in the phone before initial setup following a factory reset, is very useful - it makes the phone unusable/unsellable (unless I'm missing something?)
Hmm.. I think I came across that in OP3. Didn't pay attention though.
zelendel said:
Because that is before startup and not the bootloader,
It is better to lose one than two. Phone is anyways lost .. so at least we can try to secure data. Let them wipe and then get nothing in hand.
hyperorb said:
This has been very interesting and so much to learn. Thank you all for great inputs.
Yes. But then Microsoft too is not clean. Browser , Windows.... That way we can never work.
Have it in all my Androids. Very helpful at times, even for non theft purpose..
Thanks. Will read more on this.
Once a phone is lost, there's little chance to get it back. Device loss is one thing and data loss (or rather data access) is another. The latter at times can have more problems.
I used to keep my id papers (for ease of printing anywhere as needed) on phone (Nokia N5). Lost that phone .. and till date I hope no one used those to buy services, do illegal stuff. That was a lesson learnt the hard way.
Depends where you are. There are places where one can avail services in other's name using fake ids or stolen data etc.
Hmm.. I think I came across that in OP3. Didn't pay attention though.
It is better to lose one than two. Phone is anyways lost .. so at least we can try to secure data. Let them wipe and then get nothing in hand.
You don't need to steal someone's phone to get a fake ID with their info. 1500 USD will get you that without it.
As for getting nothing in hand. They got exactly what they wanted. The device. Unless you work for the government in a high place, your data is meaningless on your phone. You already put it in enough places online while using a PC that if they want it they already have it.
I could easily steal someone's identity with a little more than what they post on Facebook or other social media outlets.
