Galaxy Nexus Security - Samsung Galaxy Nexus

Sup all
I've seen a bunch of scattered threads about security issues...But nothing satisfying enough.
Basically, I was thinking about the encryption option we have with ICS on the GN. From what I understand, staying stock with encryption enabled is the safest way to go if you fear of ever losing your phone.
Think about it, if you lose your phone and the "thief" is smart enough, he can get your passwords and data of your the accounts you have (Facebook, Gmail, Twitter, Whatsapp, Skype, etc).
From what I understand, encryption is "kinda" incompatible with cmw. I'm not an expert, but from what I read, you can't access CWM if your phone is encrypted.
Since we obviously want to run roms for the many advantages they give over stock, there must be a way to "fix" that security hole that comes with rooting/unlocking.
Like I said earlier, I'm not expert, but couldn't there be a way to have your device encrypted and running a custom rom at the same time? Something about partitioning your internal "sdcard", or maybe doing something like this if possible
unlock/root-> Flash rom-> encrypt -> lock.
TLDR: How do you effectively keep your phone secured from any unauthorized access when running custom roms?
Thanks

Some infos
http://forum.xda-developers.com/showthread.php?p=27482516
Sent from my Galaxy Nexus using xda premium

Cerberus app.
"Long is the way, and hard, that out of hell leads up to light."

To just safely run a custom ROM: install stock recovery, re-lock the bootloader, disable USB debugging, and create a PIN/password.

crachel said:
To just safely run a custom ROM: install stock recovery, re-lock the bootloader, disable USB debugging, and create a PIN/password.
Click to expand...
Click to collapse
So basically, flash the rom and mods of choice and then restore bootloader and recovery. Easily doable with the toolkit I suppose. Do I also need to unroot to make it anymore secure?
Your answer makes me wonder, what is the benefit then of having encryption on vs locked boot/stock recovery? Couldn't you somehow access data through command lines even with locked boot and stock recovery?
Thanks

la7lou7a said:
So basically, flash the rom and mods of choice and then restore bootloader and recovery. Easily doable with the toolkit I suppose. Do I also need to unroot to make it anymore secure?
Your answer makes me wonder, what is the benefit then of having encryption on vs locked boot/stock recovery? Couldn't you somehow access data through command lines even with locked boot and stock recovery?
Thanks
Click to expand...
Click to collapse
With USB debugging turned off, you cannot issue any commands to the device using ADB via command line. With a locked bootloader, you cannot boot an insecure image to give you root access. With a stock recovery, you do not gave access to the file system. So, as long as you have a lock screen PIN, I can't see how someone can get any data off the device without JTAG or some other hardware hack.
Encryption would prevent even that, given that any data extracted via JTAG would be encrypted.
Sent from my Galaxy Nexus using Tapatalk 2

la7lou7a said:
So basically, flash the rom and mods of choice and then restore bootloader and recovery. Easily doable with the toolkit I suppose. Do I also need to unroot to make it anymore secure?
Your answer makes me wonder, what is the benefit then of having encryption on vs locked boot/stock recovery? Couldn't you somehow access data through command lines even with locked boot and stock recovery?
Thanks
Click to expand...
Click to collapse
If you disable USB Debugging and use a PIN/Password/Face Unlock/Pattern you'll be safe. To access your phone data from pc, you need USB Debugging(with MTP you can't transfer app-data) to be able to use ADB. And to enable USB Debugging, they need the password/pin/...
And then if they want to use recovery, they need to unlock the bootloader(which wipes the device).

Great. Another noobie question:
If you still have root access (with locked boot and stock recovery)
and somehow the rom doesn't boot correctly, because of something like changing the boot animation via root explorer
Without USB debug, can you still get back to a functional device?
Another way to ask the question: Does USB debug/Adb commands function only when the android os is running?
What i mean is that, in case **** happens, you can just use the toolkit to unlock (wipe)/cwm/flash again, correct?
Thanks guys

la7lou7a said:
Great. Another noobie question:
If you still have root access (with locked boot and stock recovery)
and somehow the rom doesn't boot correctly, because of something like changing the boot animation via root explorer
Without USB debug, can you still get back to a functional device?
Click to expand...
Click to collapse
Not without losing all of your data, because with USB debugging off, you would have to unlock the bootloader, which would require a wipe.
la7lou7a said:
Another way to ask the question: Does USB debug/Adb commands function only when the android os is running?
Click to expand...
Click to collapse
Correct, either the Android OS, or if you have a custom recovery (which has it enabled by default).
la7lou7a said:
What i mean is that, in case **** happens, you can just use the toolkit to unlock (wipe)/cwm/flash again, correct?
Click to expand...
Click to collapse
I always say using toolkits is a bad idea -- you should figure out how to do it by issuing commands via ADB and fastboot. But yes, your statement is generally correct.

If you truly want a custom rom to be as secure as stock, it needs to be signed with something OTHER than AOSP public test keys, not rooted, and usb debugging shut off.
Most are signed with test keys. I know BAMF Paradigm is privately signed, but I cannot vouch for others.
http://uncutandroid.com/2011/03/theyre-called-testkeys-for-a-reason/
I've been asking folks to stop using test keys for a while now (as have some hacker/cracker/security nuts), and it has fallen on mostly deaf ears. It takes a rom dev 30 seconds (if he/she is slow) to correct this.

Interesting

Related

Flashing ROM after turning on Encryption

I've either made a hugely stupid error and turned on encryption and nobody will detail me why this is a bad idea.....
Or nobody who looks at my post in huge threads seems to want to answer this question:
I enabled encryption in my Galaxy Nexus settings. I am rooted on a custom ROM. I want to update/flash a new ROM.
Will things be different? Can I update like normal? or am I going to need to wipe/reset everything in order to flash an update?
XFreeRollerX said:
I've either made a hugely stupid error and turned on encryption and nobody will detail me why this is a bad idea.....
Or nobody who looks at my post in huge threads seems to want to answer this question:
I enabled encryption in my Galaxy Nexus settings. I am rooted on a custom ROM. I want to update/flash a new ROM.
Will things be different? Can I update like normal? or am I going to need to wipe/reset everything in order to flash an update?
Click to expand...
Click to collapse
Neither Clockwork Mod or even the stock recovery can access the storage on the device after it's encrypted. The fact that the stock recovery can't is exceptionally poor form on Google's behalf.
You can't even perform a factory reset. The only way to unencrypt the device is to flash it via fastboot.
I posted some details in this thread - http://forum.xda-developers.com/showthread.php?t=1392037
MrPendulum said:
Neither Clockwork Mod or even the stock recovery can access the storage on the device after it's encrypted. The fact that the stock recovery can't is exceptionally poor form on Google's behalf.
You can't even perform a factory reset. The only way to unencrypt the device is to flash it via fastboot.
I posted some details in this thread - http://forum.xda-developers.com/showthread.php?t=1392037
Click to expand...
Click to collapse
Thank you very much! Reading up on that was really a learning experience on this mess lol
Can I flash a ROM via Fastboot using a zip? Im not sure about that... any1 know?
XFreeRollerX said:
Thank you very much! Reading up on that was really a learning experience on this mess lol
Can I flash a ROM via Fastboot using a zip? Im not sure about that... any1 know?
Click to expand...
Click to collapse
Had the exact same problem and found out this solution the hard way. You can't do a factory reset to remove the encryption because the bootloader is different when you root.
The only way is to fastboot as mentioned above. You need to use the files provided for going back to stock. You should find them on here. Good luck.
I found this out the hard way as well, but I think this is the great benefit of encryption. If someone were to get a hold of your phone there would be no way for them to access anything without having or breaking the passcode. For serial rom flashers this kinda sucks but if you really care about your data and are willing to stick with either stock or stock rooted then this means you actually have a phone that's truly secure.
Sent from my Galaxy Nexus using Tapatalk
You'd have to be extremely paranoid about your data to want to encrypt your phone. I couldn't care less, nothing of importance is on my phone anyway
EddyOS said:
You'd have to be extremely paranoid about your data to want to encrypt your phone. I couldn't care less, nothing of importance is on my phone anyway
Click to expand...
Click to collapse
I run my business on Google Apps and my data would be sensitive. Not everyone uses there phones just for personal stuff.
I don't use it for that either! I delete SMSs after they've been read, email is downloaded to my PC once Outlook is opened and bar Facebook/Twitter and a small selection of other apps there's nothing personal on my phone
Funnily enough I use it as a phone more than anything
EddyOS said:
I don't use it for that either! I delete SMSs after they've been read, email is downloaded to my PC once Outlook is opened and bar Facebook/Twitter and a small selection of other apps there's nothing personal on my phone
Funnily enough I use it as a phone more than anything
Click to expand...
Click to collapse
Wow, I couldn't operate that way, I use my phone for everything, even my laptop and tablet are a bit useless now Each to their own I suppose
Im having some trouble going back to stock image to factory reset the phone
I flashed stock bootloader, stock radio images and booted into the OS and did factory reset, doesn't seem to work...help? I can't get this encryption off
XFreeRollerX said:
Im having some trouble going back to stock image to factory reset the phone
I flashed stock bootloader, stock radio images and booted into the OS and did factory reset, doesn't seem to work...help? I can't get this encryption off
Click to expand...
Click to collapse
Factory reset won't work. You need to completely wipe the phone by loading the stock img from Google that came on the phone. It is the only way it will work. You can find out how to do that on here, sorry I don't have the link on hand though so just search a bit. Feel free to PM as I had the exact same issue.
EDIT - try this toolkit to go back to the stock rom. You loose everything but it should remove encryption.
http://forum.xda-developers.com/showthread.php?t=1392310
I don't know why Google don't give the option to decrypt from the Google Apps dashboard. So annoying! Good luck, hope you get sorted.
Thanks for posting that - in the end the g-nex toolkit ended up bringing the phone back to stock and rooted the device again and I've now successfully factory reset the device and am back to running a custom ROM with root and no encryption
Thanks for the help
XFreeRollerX said:
Thanks for posting that - in the end the g-nex toolkit ended up bringing the phone back to stock and rooted the device again and I've now successfully factory reset the device and am back to running a custom ROM with root and no encryption
Thanks for the help
Click to expand...
Click to collapse
Yaaaaey glad you got sorted. Encryption from GApps at the moment is woeful. I am sure they are working on it.
jd1001 said:
Yaaaaey glad you got sorted. Encryption from GApps at the moment is woeful. I am sure they are working on it.
Click to expand...
Click to collapse
Hopefully they are as if you want a real secure device, its pretty pitiful to bypass if in the wrong hands.
Does this only apply if you've rooted your device and flashed a different ROM? If you have an unrooted phone and turn on encryption, will you have the same issues (i.e. unable to do a factory reset)? Is this only a problem with the Nexus or would any Android phone have this problem?
I ask because the company I work for is talking about forcing users to encrypt their phones if they want ActiveSync enabled. But they also want to be able to run a wipe on the phone if necessary. It would seem to me that encrypting the phone may prevent that as an option.
HuskerWebhead said:
Does this only apply if you've rooted your device and flashed a different ROM? If you have an unrooted phone and turn on encryption, will you have the same issues (i.e. unable to do a factory reset)? Is this only a problem with the Nexus or would any Android phone have this problem?
I ask because the company I work for is talking about forcing users to encrypt their phones if they want ActiveSync enabled. But they also want to be able to run a wipe on the phone if necessary. It would seem to me that encrypting the phone may prevent that as an option.
Click to expand...
Click to collapse
Touchdown.
It's a little pricy at $20 but well worth it in IMHO.
A remote wipe will only kill off touchdown and optionally SDcard storage.
Matridom said:
Touchdown.
It's a little pricy at $20 but well worth it in IMHO.
A remote wipe will only kill off touchdown and optionally SDcard storage.
Click to expand...
Click to collapse
Yeah, they are already looking at using Touchdown for devices that don't support encryption natively, but those that do (support encryption natively) they just want to enable the devices' own encryption.
So I'm still not sure if with encryption turned on, will it prevent a phone from being remotely wiped?
XFreeRollerX said:
Hopefully they are as if you want a real secure device, its pretty pitiful to bypass if in the wrong hands.
Click to expand...
Click to collapse
When you bypass it by flashing a new system over it you wipe all data that was ever on the phone. Ok your phone could be stolen, but no-one will ever know what CP you were hiding with that encryption. I'm very happy with the fact that there is a save backdoor... imagine forgetting your password for some reason or filling out the wrong password on setup... when that happend this thread would have been a "bricked my phone by forgetting the password. Who wants some nice spareparts for his phone" Q&A
Sent from my Galaxy Nexus using XDA
HuskerWebhead said:
Yeah, they are already looking at using Touchdown for devices that don't support encryption natively, but those that do (support encryption natively) they just want to enable the devices' own encryption.
So I'm still not sure if with encryption turned on, will it prevent a phone from being remotely wiped?
Click to expand...
Click to collapse
Just don't tell them you are using touchdown. I've tested the remote wipe in Android, it can kill the whole phone. The only way to keep your personal info safe is to use touchdown
Sent from my Galaxy Nexus
Matridom said:
Just don't tell them you are using touchdown. I've tested the remote wipe in Android, it can kill the whole phone. The only way to keep your personal info safe is to use touchdown
Click to expand...
Click to collapse
I think you're misunderstanding my intentions. I'm not looking for a way to bypass the encryption requirement they may be introducing. I'm just trying to understand if it will cause a problem for the remote wipe functionality if the phone is lost or stolen. If it will, I'll have to let them know so they can decide what is more important: encryption or remote wipe capabilities.
If a remote wipe functions regardless of encryption being enabled, then it's a moot point.

Question on "Phone Encryption"

Hey guys, sorry if this has been answered somewhere else, but I just want to confirm my understanding about encryption.
I'm setting up MobileIron and TouchDown for my work email and paused when the IT policy asked me to encrypt my phone.
So, is doing encryption will make it impossible for us to flash rom, radio, any kind of flashing + impossible to do all other things in CWM - due to the partition is being locked and encrypted before the device boots up?
(I'm not good to explain it technically, hopefully you get what I mean).
Slower boot time? The only way to decrypt is to factory reset and wipe all data? Impossible to backup nandroid? etc etc...
Of course the device would be more secure from the company's security point of view, but is that it?
I'm pretty sure there's no other workaround if I want to setup my phone with work email, since of course the IT policy applies to all employees so I can't ask for an exception.
At the same time I don't want to lose my ability to flash just because of the work email, it defeats the purpose of me having Android (which is to tweak and mess with my phone).
I came from SGSII where the IT policy only enforces PIN/password/pattern requirement, or perhaps because SGSII doesn't have encryption capability.
Appreciate your comment and opinion guys.
Hopefully someone knows.
kisekio said:
Hey guys, sorry if this has been answered somewhere else, but I just want to confirm my understanding about encryption.
I'm setting up MobileIron and TouchDown for my work email and paused when the IT policy asked me to encrypt my phone.
So, is doing encryption will make it impossible for us to flash rom, radio, any kind of flashing + impossible to do all other things in CWM - due to the partition is being locked and encrypted before the device boots up?
(I'm not good to explain it technically, hopefully you get what I mean).
Slower boot time? The only way to decrypt is to factory reset and wipe all data? Impossible to backup nandroid? etc etc...
Of course the device would be more secure from the company's security point of view, but is that it?
I'm pretty sure there's no other workaround if I want to setup my phone with work email, since of course the IT policy applies to all employees so I can't ask for an exception.
At the same time I don't want to lose my ability to flash just because of the work email, it defeats the purpose of me having Android (which is to tweak and mess with my phone).
I came from SGSII where the IT policy only enforces PIN/password/pattern requirement, or perhaps because SGSII doesn't have encryption capability.
Appreciate your comment and opinion guys.
Click to expand...
Click to collapse
Once your device is encrypted you won't be able to flash roms because recovery can't see the SD when you try to flash a kernel or rom.
You can't remove the encryption through a factory reset if your device is rooted and running CWM recovery. It will fail and the phone just boots up as normal. The only way I was able to remove encryption was to ADB/Fastboot the stock images onto my Nexus.
Lastly, I noticed the phone being very slow to boot with encryption.
Until Google give the option to decrypt I won't go near encryption again. Hope this helps and answers some of your questions.
jd1001 said:
Once your device is encrypted you won't be able to flash roms because recovery can't see the SD when you try to flash a kernel or rom.
Click to expand...
Click to collapse
I assume any kind of flashing won't work with encryption, including rom, kernel, radio, circlesmod, and all other kinds of mods that require flashing from CWM.
Is that correct?
If that's the case looks like I'm not going to use my work email on my phone.
Yeah your assumptions are correct!
jd1001 said:
Once your device is encrypted you won't be able to flash roms because recovery can't see the SD when you try to flash a kernel or rom.
You can't remove the encryption through a factory reset if your device is rooted and running CWM recovery. It will fail and the phone just boots up as normal. The only way I was able to remove encryption was to ADB/Fastboot the stock images onto my Nexus.
Lastly, I noticed the phone being very slow to boot with encryption.
Until Google give the option to decrypt I won't go near encryption again. Hope this helps and answers some of your questions.
Click to expand...
Click to collapse
I'm in exactly the same situation, unfortunately found out that i can't decrypt it with factory reset after I'm already encrypted
Do you happen to know good tutorial for flashing via ADB/fastboot?
I flashed my CM10 4.1.1 using galaxy nexus toolkit
http://forum.xda-developers.com/showthread.php?t=1830108 You're welcome.

[Q] adb pull problems on non booting Sprint Galaxy S2/Epic 4G Touch

I have a Sprint Galaxy S2/Epic 4G Touch, Gingerbread which decided to stop booting. Freezes at the 4g screen. I can boot into recovery mode and access the phone through adb. I can do an adb pull from everything but the internal sdcard partition which returns a "remote object does not exist." The phone is not rooted and usb debugging was not enabled to my knowledge. I have an identical, fully funtional Galaxy S2 which behaves the same way when trying to pull without usb debugging enabled. When usb debugging is enabled, I am able to do an adb pull from /sdcard/. I don't care about the phone. I just want to get my data off. Does anyone know of a means to accomplish this without being able to enable usb debugging from the phone? Again, I don't care if I destroy the phone, I just want my data.
Thanks in advance!
Anybody?
CKA1 said:
I have a Sprint Galaxy S2/Epic 4G Touch, Gingerbread which decided to stop booting. Freezes at the 4g screen. I can boot into recovery mode and access the phone through adb. I can do an adb pull from everything but the internal sdcard partition which returns a "remote object does not exist." The phone is not rooted and usb debugging was not enabled to my knowledge. I have an identical, fully funtional Galaxy S2 which behaves the same way when trying to pull without usb debugging enabled. When usb debugging is enabled, I am able to do an adb pull from /sdcard/. I don't care about the phone. I just want to get my data off. Does anyone know of a means to accomplish this without being able to enable usb debugging from the phone? Again, I don't care if I destroy the phone, I just want my data.
Thanks in advance!
Click to expand...
Click to collapse
Do you have access to download mode? You said it boots into recovery? Do you remember what rom you had on it before? Maybe flash a rom and don't wipe?
_dan said:
Do you have access to download mode? You said it boots into recovery? Do you remember what rom you had on it before? Maybe flash a rom and don't wipe?
Click to expand...
Click to collapse
It's stock gingerbread. I don't know which version as I've never paid any attention to such things until now. I can get into download mode but I am reluctant to flash a ROM because it is difficult to predict specific results on specific devices, particularly on devices that are already having problems and where the specific version is not known. My preference is to somehow mount usb storage or otherwise enable usb debugging without access to the phone gui. If this is not possible I suppose I would consider rooting and flashing but I think this route is quite likely to have problems due to the lack of baseline information among other things. I'm new to Android and have no experience with this as I've never had a need for anything other than stock, un-rooted functionality. I know retrieving my data is possible as it's only flash memory. I just hoped that this could be done using Android specific development tools rather than getting down to a board and chip level approach.
I would just recommend using odin to flash the el26 kernel. From that recovery flashing a gingerbread rom zip. Your internal sd card is untouched. Your data would still be there unless you wiped in recovery
Or used odin to flash a one click gingerbread no data rom.
sent from MY BAD A$$ ET4G
patrao_n said:
I would just recommend using odin to flash the el26 kernel. From that recovery flashing a gingerbread rom zip. Your internal sd card is untouched. Your data would still be there unless you wiped in recovery
Or used odin to flash a one click gingerbread no data rom.
sent from MY BAD A$$ ET4G
Click to expand...
Click to collapse
That sounds promising. It was, in fact, the direction I was leaning until I flashed a supposed "no data" rom on a test phone only to have the pictures erased. I accept what you are saying, but as a newcomer to this arena, I have found the reliability of information and the stability and consistency of roms, etc., to be somewhat less than I had hoped for. That being said, I am interested in your approach but again, as a newcomer, I don't know where to look to find either the kernel or rom you mentioned. At least not from sources I know I can trust. I would normally be inclined to go with a stock rom for reliability's sake. Obviously however, by me being here it's clear that Sprint's roms aren't exactly the paragon of stability. Any advice or direction in that regard would be much appreciated.
Thanks!

Help with booting problems?

Hello,
I just noticed something the other day and I do not know if this has any effect on my problem with the phone getting a usb not recognized error so I wanted inquire!
So I did a completely clean install of the [ROM] [Touchwiz-PC1,PD1] [100% Stock, Root, No KNOX, No Itson] [4/5/2016] deodox rom and have noticed that my boot screen no longer shows multiple lines while booting. The only thing I get now is:
Set Warranty Bit : Kernel
Before I would get that and several other lines including one about Knox. I also do not get the Sprint logo as one of the bootup screens. My question is, is this rom suppose to do this or did I do something wrong? I followed the directions 100%. I also notice that I also now get an error that it cannot do a fingerprint unlock on boot and I have to enter my emergency password.
Last but not least, if there is a problem. Is there anyway to put a OG5 rom on my micro sd card (I have a card reader I can put the micro sd card into to transfer files, I cannot odin) and restore it to then?
Thanks for any help!
Most of what you describe is not abnormal.
Your fingerprint may be data left over from Lollipop. Try deleting your fingerprints and add them back.
Be aware, if you factory reset, you'll need to flash systemless root again. Google search SuperSU zip if you need it; it's also linked in the ROM thread. If you factory reset for any reason, make sure you don't keep our have a folder in root folder named /carrier/ItsOn. The apk in that folder could activate causing numerous reboot prompts to complete activation.
Eventually, you're going to need access to a PC to do what you want. You might be stuck and unable to update; modified partitions can cause the failure to update on OTA and KIES. Custom stockish ROMs are coming but they won't be for PD1; it's already outdated.
You can't go back to Lollipop without a PC because you need to revert your bootloader to Android 5.1 to run that ROM. Without a TWRP backup to restore, you should also Odin the full stock tar rather than just the bootloader.
Sent from my SM-N910P using Tapatalk
samep said:
Most of what you describe is not abnormal.
Your fingerprint may be data left over from Lollipop. Try deleting your fingerprints and add them back.
Be aware, if you factory reset, you'll need to flash systemless root again. Google search SuperSU zip if you need it; it's also linked in the ROM thread. If you factory reset for any reason, make sure you don't keep our have a folder in root folder named /carrier/ItsOn. The apk in that folder could activate causing numerous reboot prompts to complete activation.
Eventually, you're going to need access to a PC to do what you want. You might be stuck and unable to update; modified partitions can cause the failure to update on OTA and KIES. Custom stockish ROMs are coming but they won't be for PD1; it's already outdated.
You can't go back to Lollipop without a PC because you need to revert your bootloader to Android 5.1 to run that ROM. Without a TWRP backup to restore, you should also Odin the full stock tar rather than just the bootloader.
Sent from my SM-N910P using Tapatalk
Click to expand...
Click to collapse
I have a PC, the problem is that it will no longer recognize my phone by USB. It always gives the USB not recognized error. I do have a folder in root called carrier but when I try to go into it with root it tells me my phone is not rooted. This does not make sense as my phone is rooted , per the installtion of the rom and I have other apps I have given root access too.
Arrg! Thanks for the info, any more will help greatly!
h4kudoshi said:
I have a PC, the problem is that it will no longer recognize my phone by USB. It always gives the USB not recognized error. I do have a folder in root called carrier but when I try to go into it with root it tells me my phone is not rooted. This does not make sense as my phone is rooted , per the installtion of the rom and I have other apps I have given root access too.
Arrg! Thanks for the info, any more will help greatly!
Click to expand...
Click to collapse
Did you enable developer options (tap build # in Settings/About device 7 times or more until enabled) and enable USB debugging in developer options?
Yes you should be able to detect device when you plug in to PC but you may not see COM connected in Odin without USB debugging.
If it's always not detecting, could be bad USB cable (broken out missing data lines) or bad PC USB port. Try others first, if that's the case. Hardware failure is rare but has been reported as suspect. Hopefully, it's simple rather than that.
Sent from my SM-N910P using Tapatalk

Root and Security / Prevent Flash Recovery / Prevents to Decrypt Data

Hello.
I search for a way to hold my HTC 10 safe if someone sholud take my phone.
Actually i am able to read all my data over the TWRP, doesn't matter if i use the safest security things, like the phone goes back to facroty reset after to much wrong password tries.
No one should be able to Flash a recovery oder take my data out, actually you just need to flash TWRP to uncrypt the Data Partition.
Is there any way to make my phone with root really safe?
Does it affect something if the Option "Unlock OEM" in the Developer Settings ist checked or not?
Thank you
You have to go to Settings->Security->Screen lock
Here you select what you want (pattern, pin, password,..) and then enter yours security, then it will show another screen and just select "Require pattern to start device" and then re-enter security again.
Now after factory reset if someone wants to use the phone he/she will have to enter your gmail credential to use the phone... it will not work without google account. This is as much as we can do. Also you can flash stock recovery and disable USB debugging
CrazyCypher said:
You have to go to Settings->Security->Screen lock
Here you select what you want (pattern, pin, password,..) and then enter yours security, then it will show another screen and just select "Require pattern to start device" and then re-enter security again.
Now after factory reset if someone wants to use the phone he/she will have to enter your gmail credential to use the phone... it will not work without google account. This is as much as we can do. Also you can flash stock recovery and disable USB debugging
Click to expand...
Click to collapse
I guess though, if phone is stolen and you have twrp installed, your in trouble, if they know what they're doing. Cause your phone is decrypted once in recovery, afaik. If someone can correct me, I would like to know. Always assumed all bets are off once twrp installed.
purple patch said:
I guess though, if phone is stolen and you have twrp installed, your in trouble, if they know what they're doing. Cause your phone is decrypted once in recovery, afaik. If someone can correct me, I would like to know. Always assumed all bets are off once twrp installed.
Click to expand...
Click to collapse
Follow what I wrote in my previous post. If you do so, TWRP will ask you for security (pattern, pass, etc) to decrypt data otherwise it will not bi able to
CrazyCypher said:
Follow what I wrote in my previous post. If you do so, TWRP will ask you for security (pattern, pass, etc) to decrypt data otherwise it will not bi able to
Click to expand...
Click to collapse
Oh OK thanks. So when i use encrypted system but choose not to use a password to start phone as you mentioned, twrp is just using a default password to decrypt?
purple patch said:
Oh OK thanks. So when i use encrypted system but choose not to use a password to start phone as you mentioned, twrp is just using a default password to decrypt?
Click to expand...
Click to collapse
I think so, yes. If you correctly enabled security so it appears before phone turns on and also to be enabled in TWRP, you will every reboot get this window before you can use the phone:
http://www.androidcentral.com/sites...2/decrypt-screen-htc-one-a9.jpg?itok=56N6fDJE
I get this window, but I have pattern..this is picture from web
CrazyCypher said:
I think so, yes. If you correctly enabled security so it appears before phone turns on and also to be enabled in TWRP, you will every reboot get this window before you can use the phone:
http://www.androidcentral.com/sites...2/decrypt-screen-htc-one-a9.jpg?itok=56N6fDJE
I get this window, but I have pattern..this is picture from web
Click to expand...
Click to collapse
Yes, I've seen that before phone boots. But did not realise it stops you from decrypting in twrp. I have always been able to get in to twrp without pin/pattern. Now you mention though, wipe data in twrp was the only way to remove that security screen, so it's probably still encrypted until that is done. Thanks, makes sense now.
purple patch said:
Yes, I've seen that before phone boots. But did not realise it stops you from decrypting in twrp. I have always been able to get in to twrp without pin/pattern. Now you mention though, wipe data in twrp was the only way to remove that security screen, so it's probably still encrypted until that is done. Thanks, makes sense now.
Click to expand...
Click to collapse
Try to boot in TWRP... I am being asked to input pattern to decrypt data before I can enter TWRP... I wasn't always being asked, before I selected the setting in "Settings->Security->Screen lock" TWRP just said it decrypted data with default passowrd... now that I enabled in "Settings->Security->Screen lock", also TWRP ask me to input before it can decrypt.
ALSO be sure you have latest TWRP installed, previous version were not able to decrypt data no matter what setting you had.
CrazyCypher said:
You have to go to Settings->Security->Screen lock
Here you select what you want (pattern, pin, password,..) and then enter yours security, then it will show another screen and just select "Require pattern to start device" and then re-enter security again.
Now after factory reset if someone wants to use the phone he/she will have to enter your gmail credential to use the phone... it will not work without google account. This is as much as we can do. Also you can flash stock recovery and disable USB debugging
Click to expand...
Click to collapse
Thank you for this Information, if this is really safe it would be really nice.
I will try it as soon as possible after i backed my device up.
And it is still save, doesn't matter which TWRP version (or maybe other recovery) you will flash?
I like the idea to still use TWRP. Could it be still possible to have root with the strok recovery?
USB Debugging is still off since i got my device and i flashed it already back to stock recovery for the OTA and again to TWRP, i never enablet USB Debuging, i think this option does not affect anything?
Or do you mean i shold disable "OEM Unlock" or what will happen if you set disable to this option?
Nobody who steals a phone is too interested in your data unless that is the sole reason why they took your phone.
Sent from my HTC 10 using XDA-Developers mobile app
Thank you, it seems like it works if you choose "Require pattern to start device"
Actually i didn't try to flash, wipe, format or something else but i guess whatever you will do, its not possible to decript the internal storage again?
@Android The Greek.. yes this is the reason for this thread, because if you took a rooted phone, i guess you always will be able to flash them so that you can use it again?.. If its not rooted, you should not be able to use this phone again if you choose this security.
I actually got another question. What is if someone does flash another backup to system and more, but just let "data" stay.
Is the encryption still save and all the keys stored in the "data" partition or its possible to get access to data?

Categories

Resources