What exactly does encrypting encrypt? Any point? - Sprint Samsung Galaxy S III

Since I'm totally new to Android. When you select encrypt internal memory what exactly is going on? What does it encrypt exactly? Contacts? Memos? Messages?
Are there any known exploits / gaping security holes?
If my phone is lost or stolen is encrypted going to prevent any data theft?
Is it possible to have a separate (more secure) password that is just for device encryption other than the screen lock password? seems redundant that I must put in a password for device access and use the same password to unlock the home screen. Can two passwords be used?
Last question would be password. Is there a recommended minimum length? Don't want to type in a paragraph every time I unlock my phone.
Thank you for any info,
BR

bob_ross said:
> Since I'm totally new to Android. When you select encrypt internal memory what exactly is going on? What does it encrypt exactly? Contacts? Memos? Messages?
It encrypts your entire drive, at least /data and /sdcard, not individual files.
> Are there any known exploits / gaping security holes?
It uses AES-256 encryption. Not even the NSA (or any other government agency, or anyone without a supercomputer) can crack it.
> If my phone is lost or stolen is encrypted going to prevent any data theft?
Supposedly, yes. But only if: 1.) You use a pattern/password/pin/face unlock on your lockscreen or 2.) You leave your phone off. If someone finds your phone, and you use only the slide lock and you leave it on, encryption is worthless.
> Is it possible to have a separate (more secure) password that is just for device encryption other than the screen lock password? seems redundant that I must put in a password for device access and use the same password to unlock the home screen. Can two passwords be used?
I haven't used encryption, but I would have assumed that it would use a different password than the one for your Android user account. I'm assuming by your question that that's not how it works, in which case, that's kind of stupid.
> Last question would be password. Is there a recommended minimum length? Don't want to type in a paragraph every time I unlock my phone.
Same rules apply to any password you create anywhere ever. A good mix of numbers and letters, no dictionary words, and probably 10 chars +. Use mnemonic devices to remember without making the password too obvious.
> Thank you for any info,
> BR
I should mention that you should also only bother encrypting if you will remain stock. If you plan on flashing ROMs, you'll just have to re-encrypt constantly. Plus, I'm pretty sure CWM and TWRP would be unable to wipe or install anything unless you unencrypt first anyway.

EndlessDissent said:
> It uses AES-256 encryption. Not even the NSA (or any other government agency, or anyone without a supercomputer) can crack it.
Eh, I wouldn't be so sure. If I can build a device for like $3k that uses an array of consumer grade graphics cards to test 30B+ hashes per second the NSA probably has some insane computing power. Not saying it's cheap, but if they want to decrypt something of very high importance I bet they can do it, even for 256-bit AES.

advancedbasic said:
> Eh, I wouldn't be so sure. If I can build a device for like $3k that uses an array of consumer grade graphics cards to test 30B+ hashes per second the NSA probably has some insane computing power. Not saying it's cheap, but if they want to decrypt something of very high importance I bet they can do it, even for 256-bit AES.
Thanks. I hadn't read about AES-256 since I encrypted my laptop several months ago. I looked it up again, and the part about the NSA was that they approved AES-256 as their own encryption model for top secret documents. The NSA must trust AES-256 at least marginally.

Related

[Q] any tech details for galaxy nexus full disk encryption ?

i am using a nexus S with whisper systems whisper core
it has real luks based AES full disk encryption and the ability to selectively revoke application permissions
there seems to be no public info on the encryption on ice cream sandwich
can anyone comment on it?
Anyone?
Sent from my Nexus S using Tapatalk
thanks for the replies
I got my LTE Galaxy Nexus today by far the best android device ever
I enable encryption
and it works fine
I wonder how long till there's a story about cops unable ( or able ) to get into someone's phone because of encryption..
You must use a password/pin to encrypt. Swipe and face unlock are not an option. It can't be more than 16 characters. The same password used to encrypt the device must be used to unlock the screensaver. VERY annoying. You can however change your pass code/pin used to encrypt the device after encrypted nearly instantly. I'm not sure how it's able to do this without a complete re-encryption of all encrypted blocks?
Sent from my Galaxy Nexus using Tapatalk
gophet said:
> You must use a password/pin to encrypt. Swipe and face unlock are not an option. It can't be more than 16 characters. The same password used to encrypt the device must be used to unlock the screensaver. VERY annoying. You can however change your pass code/pin used to encrypt the device after encrypted nearly instantly. I'm not sure how it's able to do this without a complete re-encryption of all encrypted blocks?
> Sent from my Galaxy Nexus using Tapatalk
So, if you encrypt you have to enter your PIN to start the phone AND unlock the phone?
The information I read says you only need the PIN when you "turn on" your phone...
That would be okay but not for unlock too...
Yes, your pin (or pass code) is used both to turn on the device and unlock the lock screen... I initially created a long random hard to type string of characters for my password, but when I figured out I'd have to type it in for my unlock code also I quickly changed it into a numerical pin. The fact I could change it without re-encrypting the entire device leads me to believe encryption keys for the entire disk are stored in a small separate encrypted file somewhere.
Still wondering if this is AES or something else? And what partitions exactly are encrypted.
Sent from my Galaxy Nexus using Tapatalk
gophet said:
> Yes, your pin (or pass code) is used both to turn on the device and unlock the lock screen... I initially created a long random hard to type string of characters for my password, but when I figured out I'd have to type it in for my unlock code also I quickly changed it into a numerical pin. The fact I could change it without re-encrypting the entire device leads me to believe encryption keys for the entire disk are stored in a small separate encrypted file somewhere.
> Still wondering if this is AES or something else? And what partitions exactly are encrypted.
> Sent from my Galaxy Nexus using Tapatalk
Thanks for the clarification... that sucks...
I've been begging for this option on my Nexus One and now that I've upgraded are there any negatives to doing this? any negative performance hits etc.
What happens when you connect the Nexus to a computer? Can you see the contents of the internal memory via MTP, ei. pictures?
bunklung said:
> What happens when you connect the Nexus to a computer? Can you see the contents of the internal memory via MTP, ei. pictures?
Yes you can.
gophet said:
> You must use a password/pin to encrypt. Swipe and face unlock are not an option. It can't be more than 16 characters. The same password used to encrypt the device must be used to unlock the screensaver. VERY annoying. You can however change your pass code/pin used to encrypt the device after encrypted nearly instantly. I'm not sure how it's able to do this without a complete re-encryption of all encrypted blocks?
> Sent from my Galaxy Nexus using Tapatalk
you can change the password quickly because it does not reencrypt the whole storage. the actual key used for encryption is static, the password encrypts the key itself, not the storage.
it's a common theme in encryption schemas, truecrypt does the same thing. you generate strong keys once, and protect them with passwords. PGP does the same thing to your private key...
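
The two-level key scheme described in the post above, as an added example that is not part of the original thread and is not Android's own code: a random master key encrypts the sectors, and the password only wraps that master key in a small header. To run on the Python standard library alone, AES is swapped for an HMAC-SHA256 counter-mode keystream; the function names, header layout and iteration count are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this sketch
MASTER_KEY_LEN = 16          # 128-bit volume (master) key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 in counter mode (used here instead of AES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))


def crypt_sector(master_key: bytes, sector_no: int, data: bytes) -> bytes:
    """Encrypt or decrypt one sector; XOR makes both directions identical."""
    pad = _keystream(master_key, sector_no.to_bytes(8, "big"), len(data))
    return _xor(data, pad)


def _derive(password: str, salt: bytes):
    """Stretch the password into a key-encryption key and a MAC key."""
    material = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=48
    )
    return material[:16], material[16:]


def wrap_master_key(password: str, master_key: bytes) -> dict:
    """Build the small header that stores the master key under the password."""
    salt = secrets.token_bytes(16)  # fresh salt for every wrap
    kek, mac_key = _derive(password, salt)
    wrapped = _xor(master_key, _keystream(kek, b"wrap", len(master_key)))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap_master_key(password: str, header: dict) -> bytes:
    """Recover the master key; the tag lets a wrong password be rejected."""
    kek, mac_key = _derive(password, header["salt"])
    expected = hmac.new(mac_key, header["salt"] + header["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, header["tag"]):
        raise ValueError("wrong password or corrupted header")
    return _xor(header["wrapped"], _keystream(kek, b"wrap", len(header["wrapped"])))


def create_volume(password: str, plaintext_sectors: list):
    """Generate the master key once, encrypt every sector with it, wrap it."""
    master_key = secrets.token_bytes(MASTER_KEY_LEN)
    sectors = [crypt_sector(master_key, i, p) for i, p in enumerate(plaintext_sectors)]
    return wrap_master_key(password, master_key), sectors


def change_password(old: str, new: str, header: dict) -> dict:
    """Only the header is rewritten; no sector is touched."""
    return wrap_master_key(new, unwrap_master_key(old, header))


def read_volume(password: str, header: dict, sectors: list) -> list:
    master_key = unwrap_master_key(password, header)
    return [crypt_sector(master_key, i, c) for i, c in enumerate(sectors)]


if __name__ == "__main__":
    # Constructed sample data standing in for disk sectors.
    data = [b"contacts.db page 0", b"photo block 1", b"sms block 2"]
    header, sectors = create_volume("long-random-passphrase", data)
    snapshot = list(sectors)

    header2 = change_password("long-random-passphrase", "4821", header)
    print("ciphertext unchanged:", sectors == snapshot)
    print("readable with new PIN:", read_volume("4821", header2, sectors) == data)
    print("old header still opens the volume:",
          read_volume("long-random-passphrase", header, sectors) == data)
```

Because a password change rewrites only the header, a copy of the old header taken earlier still unwraps the same master key with the old password, and the volume is only as strong as the weakest password that ever wrapped that key.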
gkaugustine said:
> I've been begging for this option on my Nexus One and now that I've upgraded are there any negatives to doing this? any negative performance hits etc.
whisper systems whispercore does FDE on nexus one and S
no notable performance issues - have not run any benchmarks
mvorbrodt said:
> you can change the password quickly because it does not reencrypt the whole storage. the actual key used for encryption is static, the password encrypts the key itself, not the storage.
> it's a common theme in encryption schemas, truecrypt does the same thing. you generate strong keys once, and protect them with passwords. PGP does the same thing to your private key...
yeah thats what i kinda figured - now i wonder what file it is that hold the key and how it is encrypted
Petrovski80 said:
> Yes you can.
Does MTP or Windows prompt you for a password?
Does your phone need to be unlocked for the MTP drive to show? If you lock your phone does a file transfer stop?
Thanks again.
Do you know if the encryption slow down the phone?
It must encrypt every new file. Does this result in slower operations?
sblantipodi said:
> Do you know if the encryption slow down the phone?
> It must encrypt every new file. Does this result in slower operations?
The overhead will be when writing to and reading to the block device. There will be very few scenarios where you are maxing io (aka writing/reading) and the cpu at the same time. And that's the only scenarios where you'd really notice any slowdown.
There will be some increased cpu usage while writing to/reading from file though, so you could take a theoretical battery usage hit. But I doubt you'll notice it.
//edit, I should also point out that even if you find a game that's bothered doing background loading and pushing some cpu task in parallel, the phone has 2 cores.
//edit 2, some more digging:
http://source.android.com/tech/encryption/android_crypto_implementation.html
So we're talking dm-crypt with aes-cbc-essiv 128bit keys and sha256.
thanks! just what i was looking for
I had encryption on for a while. It took 45mins to encrypt my device when first activated. If I rebooted my phone it would take 3mins to boot up during which time I would be asked for my sim pin, encryption pin and finally the SIM pin again. The screen would repeatedly turn off during this time. In the end I removed encryption (factory reset is the only way to do this).
Sent from my Galaxy Nexus using Tapatalk
How does this work for flashing/upgrading the rom? I suppose it would need to be re-encrypted each time, however is the pin entered even before fastboot?
you can't back up an encrypted running system
you can only do a wipe
taking the galaxy nexus back as my nexus S seems to do most everything the galaxy nexus does only slower and smaller

[Q] LUKS Full Disk Encryption

Has any one done any work on getting LUKS working on the Galaxy Nexus yet? I know ICS has encryption but it is not the same (It is file level; dm-crypt encryption and leaves room for data leaks).
For that reason does anyone know of a WhisperCore alternative?
Thanks!
ICS encryption is dm-crypt based whole partition encryption. See http://source.android.com/tech/encryption/android_crypto_implementation.html for details.
Now it does seem to have lots of drawbacks, but i don't think luks would be much safer. Well, it seems they differ in the used encrypted key headers. Google could have got that insecure.
Just using the lockscreen password strikes me as a bad choice in googles solution.
textshell said:
> ICS encryption is dm-crypt based whole partition encryption. See http://source.android.com/tech/encryption/android_crypto_implementation.html for details.
> Now it does seem to have lots of drawbacks, but i don't think luks would be much safer. Well, it seems they differ in the used encrypted key headers. Google could have got that insecure.
> Just using the lockscreen password strikes me as a bad choice in googles solution.
You can tell the whole OS is not encrypted since you can make emergency calls when at the preboot authentication screen. Only /data is encrypted and thus leaves room for data leakage. WhisperCore just managed it perfectly - just like LUKS on a computer. Preboot authentication, ENTIRE disk encrypted (minus /boot), and secondary lock screen (login) password that can be anything including "pattern".
Not to mention ICS is only AES-128 bit, I mean c'mon why not just use 256 bit like everyone else? It's cleared by FIPS for a reason.
x942 said:
> You can tell the whole OS is not encrypted since you can make emergency calls when at the preboot authentication screen. Only /data is encrypted and thus leaves room for data leakage. WhisperCore just managed it perfectly - just like LUKS on a computer. Preboot authentication, ENTIRE disk encrypted (minus /boot), and secondary lock screen (login) password that can be anything including "pattern".
> Not to mention ICS is only AES-128 bit, I mean c'mon why not just use 256 bit like everyone else? It's cleared by FIPS for a reason.
changing the key length for encryption should be an easy thing when compiling from source. Not sure what's the performance impact and security gain.
Having different crypto passphrase and screen unlock code might be a good thing, but if i start caring about encryption of my phone i'd try to push the key into the smartcard inside every phone (SIM card) and just enter the smartcard pin. Depends on amount of paranoia wrt security of these cards though.
But i don't understand why you would like to encrypt /system with a stock ROM. Nothing gained there. /system is read only so it can't really leak data. And as the kernel in the boot partition is unencrypted and unauthenticated anyway the OS code is open for changes anyway.
Without special hardware help or keeping the boot media separate and very safe, encryption will always only work against simple thieves. If your attacker can get the phone, do something to it and return it without you getting suspicious, you lost anyway. Assuming he can get it again once you booted and used the phone again.
textshell said:
> changing the key length for encryption should be an easy thing when compiling from source. Not sure what's the performance impact and security gain.
> Having different crypto passphrase and screen unlock code might be a good thing, but if i start caring about encryption of my phone i'd try to push the key into the smartcard inside every phone (SIM card) and just enter the smartcard pin. Depends on amount of paranoia wrt security of these cards though.
> But i don't understand why you would like to encrypt /system with a stock ROM. Nothing gained there. /system is read only so it can't really leak data. And as the kernel in the boot partition is unencrypted and unauthenticated anyway the OS code is open for changes anyway.
> Without special hardware help or keeping the boot media separate and very safe, encryption will always only work against simple thieves. If your attacker can get the phone, do something to it and return it without you getting suspicious, you lost anyway. Assuming he can get it again once you booted and used the phone again.
Not true. You can relock the bootloader on the Nexus phones, this completely prevents evil maid attacks. Secondly if I ever lose my phone and "happen to get it back" the first thing I am doing is wiping it and selling it for another one.
If you have ever used encryption you would know that the less an attacker knows the better. Hence encrypting the entire system is better than only encrypting a partition.
I don't like how Google implements dm-crypt. It would be more secure if the entire device was encrypted as it would completely look like random data to an attacker.
Why would you only encrypt your home folder and not every thing BUT /boot?
I prefer the whispercore way of doing it. I poweroff and you can't access anything except the login screen.
x942 said:
> Not true. You can relock the bootloader on the Nexus phones, this completely prevents evil maid attacks. Secondly if I ever lose my phone and "happen to get it back" the first thing I am doing is wiping it and selling it for another one.
> Why would you only encrypt your home folder and not every thing BUT /boot?
I don't think trusting the locked bootloader is a good idea. Look for e.g. "unbrickable mod" for an example how a lot of samsung phones can be forced to bypass the bootloader on the internal flash and forced to load arbitrary code from outside. So if somebody is willing to do an evil maid attack, they will likely do enough research to know these kinds of backdoors in your hardware platform. JTAG is another usual way. Or whatever the phone manufacturer uses to unbrick phones. I think it prudent to assume any sufficiently funded attacker will have unrestricted read/write access.
And why only encrypt real data? Speed gain for no measurable loss in security. At least from the google perspective. Google will rightfully assume customers are using official ROMs and the exact bit patterns of there are publicly available to everyone. So why waste cpu cycles to encrypt them. What could be useful would be integrity protection.
But while a fully integrity protected boot under the control of the enduser would be very nice (with a bootloader that's unlocked but needs a key or password) if only the manufacturer gets to authorise new software it's evil.
textshell said:
> I don't think trusting the locked bootloader is a good idea. Look for e.g. "unbrickable mod" for an example how a lot of samsung phones can be forced to bypass the bootloader on the internal flash and forced to load arbitrary code from outside. So if somebody is willing to do an evil maid attack, they will likely do enough research to know these kinds of backdoors in your hardware platform. JTAG is another usual way. Or whatever the phone manufacturer uses to unbrick phones. I think it prudent to assume any sufficiently funded attacker will have unrestricted read/write access.
> And why only encrypt real data? Speed gain for no measurable loss in security. At least from the google perspective. Google will rightfully assume customers are using official ROMs and the exact bit patterns of there are publicly available to everyone. So why waste cpu cycles to encrypt them. What could be useful would be integrity protection.
> But while a fully integrity protected boot under the control of the enduser would be very nice (with a bootloader that's unlocked but needs a key or password) if only the manufacturer gets to authorise new software it's evil.
Yes but as I said anyone that would put that effort in would have to get the phone from me (which I carry 24/7) and once I know I no longer have control of it I would (as I said) reset it and sell it. You are basically saying all Full Disk Encryption (including on computers) is useless because someone can modify the bootloader. I hate to say it (and this is not directed to anyone in this thread) but only a truly ignorant person would fall victim to an evil maid attack. It is common sense NOT to trust something that you lost control of.
My situation is different: I run a non-profit organization and my employees need to carry sensitive data with them. Why risk security with the built in dm-crypt when something like WhisperCore is much better? I don't want an attacker knowing ANYTHING about the device.
ICS built in encryption is just as useful as Home folder encryption in Linux. Your data may be safe but an attacker can ascertain how much data is there. And in some case use this information to infer what data may be present on the device. This is why most people using encryption use FDE and not just home folder encryption. When you are done there should be absolutely no way for anyone to tell the encrypted partition from random data (wiped data).
No, i'm just saying the full partition encryption of /data is enough on galaxy nexus and that you can't protect from an evil maid attack except by drastic measures after you lost control of your phone.
Understandable but I respectfully disagree. I want FULL DISK Encryption not Partition encryption. Take a look here: http://en.gentoo-wiki.com/wiki/DM-Crypt_with_LUKS#Security_levels
Either way (even if it is secure enough) it's not going to get approved for me to use in a work environment (FIPS 140-2). This is why I need something like WhisperCore. We handle sensitive data at my company.

bypass mail app password checker?

so i just got my new galaxy nexus and to check my work email (through an app called lotus), it checks my phone to make sure i have a 10char+ complicated password set. as you can imagine, having to enter a 10char+ complicated password every time you want to get to your phone is annoying. is there a way to bypass this? i am rooted...
The password is thought, to keep the phone safe. Just make an easy password, and leave it be. And why not just use the mail app, that is shipped? It's good enough.
familyguy59 said:
> The password is thought, to keep the phone safe. Just make an easy password, and leave it be. And why not just use the mail app, that is shipped? It's good enough.
company requires us use lotus and requires password to be extra strong
unknown00 said:
> company requires us use lotus and requires password to be extra strong
So let me make sure this is clear: You are asking for help on bypassing security enforced by your employer, without discussing it with the administrative/tech support team? You are aware that many businesses have clauses that if you bypass their security, you can lose your job over it.
Honestly, I would attack this problem from the other end. Go to your manager and put a business case on why having such a strong password on a mobile device is not needed. Do your research and go in detail about how secure different passwords can be, look at the app, see if there is an auto-wipe for # of incorrect password attempts (if you can't brute force it, then a weaker password might just be as good). Mention the enhanced security the nexus device has (full device encryption), etc etc etc.
If you do it right, you will get recognition for being a forward thinker, for following the rules, and if successful, for saving the company money on their bottom line.
I do IT support and if one of my users by-passes my security, I'm talking to their boss and will SEVERELY restrict anything they do down to the bare minimum needed for the job.
It's also possible that you are in a position where you e-mail is highly sensitive and the risk of having that e-mail fall into a competitors hand is so great, that these security needs are required.
You can set the timeout b4 you are asked to enter your password again. I did it when i was on 4.0.2, but I can't remember where or how i did it though.
manager hates the pw requirement too and wants to get rid of it. it's something corporate put up that everyone complains about. there is nothing i can do personally as the company is too large. i just want to figure a way around it if possible
Herman76 said:
> You can set the timeout b4 you are asked to enter your password again. I did it when i was on 4.0.2, but I can't remember where or how i did it though.
Bump, in case you missed it since we answered simultaneously.
unknown00 said:
> there is nothing i can do personally as the company is too large.
And it's that attitude that will prevent any changes from occurring.
Personally, I worked at a company of about 100,000 people that has an international presence. I was successful with a BPI project where we licensed an application to manage multiple monitors (this is before win7) I had to show that the increased productivity offset the cost of the application.
Matridom said:
> And it's that attitude that will prevent any changes from occurring.
> Personally, I worked at a company of about 100,000 people that has an international presence. I was successful with a BPI project where we licensed an application to manage multiple monitors (this is before win7) I had to show that the increased productivity offset the cost of the application.
i work in a company of 400000+ internationally and is one of the largest IT companies in the entire world (take a guess ) but in all seriousness, it's not possible that 1 person can get rid of pw requirement. sry, don't argue that point
Figured it out. If you set security to pin (I only tested it with pin), you will get an option to choose timeout b4 you will get asked for pin again.
Combined with short timeout for screen off, I think this will be a good workaround.
Sent from my Galaxy Nexus using Tapatalk 2
Herman76 said:
> Figured it out. If you set security to pin (I only tested it with pin), you will get an option to choose timeout b4 you will get asked for pin again.
> Combined with short timeout for screen off, I think this will be a good workaround.
> Sent from my Galaxy Nexus using Tapatalk 2
i understand this is a "workaround" that may work but i'm looking for a permanent fix to get rid of it as a whole

Encryption?

How does this work and is it good to use?
Go to Google and type "5.1 encryption" and read about it.
here is my benchmark.
Not encrypted
Sent from my SAMSUNG-SM-N920A using Tapatalk
Slie said:
> here is my benchmark.
So it's faster after you do it? Will I lose any data by doing it and have to re download everything?
rtubbs85 said:
> So it's faster after you do it? Will I lose any data by doing it and have to re download everything?
No you will not lose data, just don't forget your password. My girlfriend did and ha ha ha yeah she lost everything after failing ten times.
But no I doubt it's faster from my experience I'm sure i had something running when I benchmarked it before I encrypted it. Other than that it just shows how awesome it is even after encryption. I've done this to several phones and this one blows everything out of the water.
Slie said:
> No you will not lose data, just don't forget your password. My girlfriend did and ha ha ha yeah she lost everything after failing ten times.
> But no I doubt it's faster from my experience I'm sure i had something running when I benchmarked it before I encrypted it. Other than that it just shows how awesome it is even after encryption. I've done this to several phones and this one blows everything out of the water.
Do I have to use a lock screen?
rtubbs85 said:
> Do I have to use a lock screen?
Yes, very much so. However the difference between kitkat and lollipop is that the operating system allows for fingerprint unlocking. With a passphrase backup of course.
I am not sure however if samsung encrypts your fingerprint data. I read an article that several phones including the s6 may be vulnerable stolen biodata because the fingerprint data wasn't encrypted. Don't quote me on it without extra research. This came up about the time defcon 23. So if you are worried about that stick with a passphrase.
However it's quick and easy with the fingerprint unlock and still dominates with benchmark while encrypted.
I encrypted my device. Normally when it boots it asks for the keyword. Today it not only did NOT ask for the keyword but booted straight to my home screen. It didn't even request my fingerprint. Very worrying.
I rebooted, still no keyword request but finger print was required.
Anyone else ever seen that?
ekerbuddyeker said:
> I encrypted my device. Normally when it boots it asks for the keyword. Today it not only did NOT ask for the keyword but booted straight to my home screen. It didn't even request my fingerprint. Very worrying.
> I rebooted, still no keyword request but finger print was required.
> Anyone else ever seen that?
I had the exact same thing happen, figured it was just me. I un-encrypted and re-encrypted and it is again asking for the password at boot. Not sure what happened but it isn't very reassuring.
It means it doesn't really work!
ekerbuddyeker said:
> I encrypted my device. Normally when it boots it asks for the keyword. Today it not only did NOT ask for the keyword but booted straight to my home screen. It didn't even request my fingerprint. Very worrying.
> I rebooted, still no keyword request but finger print was required.
I've never had that happen. Could you have accidentally decrypted the phone? Does it still say it's encrypted?

What security options do we have?

A little while ago my brother had his iphone6 snatched. Now with Iphone, I know cannot be mounted to usb directly or even via recovery.
I know pin, fingerprint etc block access to the phone. I want to understand about other ways to access internal storage to gain access to photos and any other documents
That makes me ask - What security options we have for android - in particular OP3 (have 2 of them) and how can we make it more secure. ? Both my phones have Blu_spark TWRP + Freedom OS 2.10, if that matters.
Just to share, I found following to be foolproof
- Setup Pin + Fingerpints
- Setup Pin / Password for phone startup
This
- Keeps the device encrypted
- Unable to boot without pin
- Unable to access TWRP without pin
- Doesn't auto-mount on USB connect
Still, it would be interesting to hear about any cons of the above setup.
hyperorb said:
> A little while ago my brother had his iphone6 snatched. Now with Iphone, I know cannot be mounted to usb directly or even via recovery.
> I know pin, fingerprint etc block access to the phone. I want to understand about other ways to access internal storage to gain access to photos and any other documents
> That makes me ask - What security options we have for android - in particular OP3 (have 2 of them) and how can we make it more secure. ? Both my phones have Blu_spark TWRP + Freedom OS 2.10, if that matters.
The easiest is to not get it snatched. Or if it does you chase them down and get your phone back. But barring that, not a lot you can really do and I'll explain why.
When someone steals a phone, they don't care about the data on it. They are either gonna sell it or use it. Either way the device has the sim removed within seconds of it being taken and then it is reset or flashed to stock to remove any and all locks. This normally happens within minutes if not seconds of a device being stolen.
zelendel said:
> The easiest is to not get it snatched. Or if it does you chase them down and get your phone back. But barring that, not a lot you can really do and I'll explain why.
> When someone steals a phone, they don't care about the data on it. They are either gonna sell it or use it. Either way the device has the sim removed within seconds of it being taken and then it is reset or flashed to stock to remove any and all locks. This normally happens within minutes if not seconds of a device being stolen.
Interestingly, that was not the case. They remained in contact and kept on asking for the phone passcode, which we did not give.
I'm not aware if it's equally easy on an iPhone to enter into (kind of) fastboot mode and erase the entire storage. In such a case the loss remains of the phone and nothing else; especially when we may have financial apps too on the phone.
hyperorb said:
Interestingly, that was not the case. They remained in contact and kept on asking for the phone passcode, which we did not give.
I'm not aware if it's equally easy on an iPhone to enter into (kind of) fastboot mode and erase the entire storage. In such a case the loss remains of the phone and nothing else; especially when we may have financial apps too on the phone.
No, Apple doesn't have the option. Main reason the FBI had to pay to have an iPhone unlocked not too long ago.
Part of the reason I never advise doing any sort of banking on a device, as there are just too many security risks. I mean, even Android keyboards monitor what you type.
hyperorb said:
A little while ago my brother had his iPhone 6 snatched. Now with the iPhone, I know it cannot be mounted over USB directly or even via recovery.
I know PIN, fingerprint etc. block access to the phone. I want to understand about other ways to access internal storage to gain access to photos and any other documents.
That makes me ask: what security options do we have for Android, in particular the OP3 (I have 2 of them), and how can we make it more secure? Both my phones have Blu_spark TWRP + Freedom OS 2.10, if that matters.
Cerberus is a really nice app... You have a lot of options; sadly it isn't free! But hey, it's cheap and it's functional! Other than that, keeping your device encrypted and a boot password should do.
As long as you're not rooted and unlocked, it will be a bit hard for a thief to have access to your phone. Leaving ADB on might as well decrease the overall security of the phone.
I, for example, was given a tablet which had a Google account synced with it, and resetting from recovery only made me re-enter the credentials previously used to be able to pass the setup.
My luck was that the guy left ADB on, and with a simple command I bypassed the setup screen.
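An added example, not part of any post in this thread: a small audit of the settings the posts above single out (storage encryption, USB debugging left on, a debuggable or unlocked build), run over `getprop`-style lines. The function names and the sample values are constructed for illustration, and `ro.boot.verifiedbootstate` is not reported by every device, so a missing value is treated as unknown.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Live use (assumes adb and an authorized device):
#   { adb shell getprop
#     echo "[adb_enabled]: [$(adb shell settings get global adb_enabled)]"; } | audit_device

# Print the value of property $1 from the "[key]: [value]" lines held in $PROPS.
prop() {
  printf '%s\n' "$PROPS" | tr -d '\r' | sed -n "s/^\[$1]: \[\(.*\)]\$/\1/p" | head -n 1
}

# Emit one "OK|WARN|FAIL <check>: <detail>" line.
# $1=check name  $2=reported value  $3=wanted value  $4=severity on mismatch
check() {
  if [ -z "$2" ]; then echo "WARN $1: not reported by this device"
  elif [ "$2" = "$3" ]; then echo "OK $1: $2"
  else echo "$4 $1: $2 (want $3)"
  fi
}

# Read getprop-style lines on stdin and report on each setting.
audit_device() {
  PROPS=$(cat)
  # Without encryption, anything that can read the flash can read the data.
  check "storage encryption (ro.crypto.state)" "$(prop ro.crypto.state)" encrypted FAIL
  # USB debugging left on is the weakness described in the post above.
  check "USB debugging (adb_enabled)" "$(prop adb_enabled)" 0 FAIL
  # Debuggable builds (common on custom ROMs) allow a root adb shell.
  check "debuggable build (ro.debuggable)" "$(prop ro.debuggable)" 0 WARN
  # "orange" means the bootloader is unlocked; "green" is locked with stock keys.
  check "verified boot (ro.boot.verifiedbootstate)" "$(prop ro.boot.verifiedbootstate)" green WARN
}

# Constructed sample: an encrypted phone with an unlocked bootloader,
# a debuggable custom ROM and USB debugging switched on.
SAMPLE='[ro.crypto.state]: [encrypted]
[ro.debuggable]: [1]
[ro.boot.verifiedbootstate]: [orange]
[adb_enabled]: [1]'

printf '%s\n' "$SAMPLE" | audit_device
```
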
hyperorb said:
Interestingly, that was not the case. They remained in contact and kept on asking for the phone passcode, which we did not give.
I'm not aware if it's equally easy on an iPhone to enter into (kind of) fastboot mode and erase the entire storage. In such a case the loss remains of the phone and nothing else; especially when we may have financial apps too on the phone.
Not sure about iPhones, but for newer Android phones, as long as you are encrypted and have a PIN/password set for boot, a thief would just wipe the phone, return it to stock and sell or use it. 99.9% of the time they just want money, so the likely reason they wanted your passcode is they couldn't sell it because they were blocked from resetting it temporarily. As long as they have a physical device and unlimited time, they will eventually reset it and get rid of it.
Renosh said:
Not sure about iPhones, but for newer Android phones, as long as you are encrypted and have a PIN/password set for boot, a thief would just wipe the phone, return it to stock and sell or use it. 99.9% of the time they just want money, so the likely reason they wanted your passcode is they couldn't sell it because they were blocked from resetting it temporarily. As long as they have a physical device and unlimited time, they will eventually reset it and get rid of it.
Exactly. If someone steals your device, 99.98% of the time it is to use it or sell it. Either way your data is meaningless.
As for them wanting your passcode, the above is right. But as they couldn't reset it, you could have reported it stolen and the police may be able to find it, but most of the time they have better things to do than recover a lost cell phone.
I used to work with people that dealt with stolen cell phones. I can say that normally, within 30 min of a device being stolen, the data is gone. And when I say that, I mean a complete DOJ-style wipe, format and IMEI change.
zelendel said:
No, Apple doesn't have the option. Main reason the FBI had to pay to have an iPhone unlocked not too long ago.
Part of the reason I never advise doing any sort of banking on a device, as there are just too many security risks. I mean, even Android keyboards monitor what you type.
....so do all iOS keyboards, both first and third party. It's required for them to function.
---------- Post added at 09:25 AM ---------- Previous post was at 09:23 AM ----------
zelendel said:
Exactly. If someone steals your device, 99.98% of the time it is to use it or sell it. Either way your data is meaningless.
As for them wanting your passcode, the above is right. But as they couldn't reset it, you could have reported it stolen and the police may be able to find it, but most of the time they have better things to do than recover a lost cell phone.
I used to work with people that dealt with stolen cell phones. I can say that normally, within 30 min of a device being stolen, the data is gone. And when I say that, I mean a complete DOJ-style wipe, format and IMEI change.
This is exactly why that semi-recent feature added by Google, which requires you to log in with the previously added Google account in the phone before initial setup following a factory reset, is very useful - it makes the phone unusable/unsellable (unless I'm missing something?)
2x4 said:
....so do all iOS keyboards, both first and third party. It's required for them to function.
---------- Post added at 09:25 AM ---------- Previous post was at 09:23 AM ----------
This is exactly why that semi-recent feature added by Google, which requires you to log in with the previously added Google account in the phone before initial setup following a factory reset, is very useful - it makes the phone unusable/unsellable (unless I'm missing something?)
That can easily be bypassed by wiping the data off the device and flashing a stock ROM to it. The only thing the FRP does is prevent them from getting at the data.
No, it's not really. It's so they can send relevant ads. Those that remember smartphones before Apple or Android know that it is not really needed.
zelendel said:
That can easily be bypassed by wiping the data off the device and flashing a stock ROM to it. The only thing the FRP does is prevent them from getting at the data.
But how can they flash a stock ROM onto the device if the "require PIN before startup" option is selected? How can they flash if recovery has a PIN on it?
2x4 said:
But how can they flash a stock ROM onto the device if the "require PIN before startup" option is selected? How can they flash if recovery has a PIN on it?
Because that is before startup and not the bootloader. Even with those set up, they normally don't cover download mode or whatever mode that particular OEM uses (not all use the same). In extreme cases, with some apps that make it a bit harder, or when people just don't want to be bothered to mess with things too deeply, there are tools available that will push the update right to the board, bypassing all security. Sure, it's a little extra work, but it is a sure bet when you can't get into a device and can't be bothered hunting down a way around it.
Also, for the passwords on startup: any password cracker would take out the average password in a matter of minutes.
This has been very interesting and so much to learn. Thank you all for great inputs.
zelendel said:
I never advise doing any sort of banking on a device, as there are just too many security risks. I mean, even Android keyboards monitor what you type.
Yes. But then Microsoft too is not clean. Browser, Windows... That way we can never work.
Puddi_Puddin said:
Cerberus is a really nice app...
Have it in all my Androids. Very helpful at times, even for non-theft purposes.
XDRdaniel said:
Leaving ADB on might as well decrease the overall security of the phone.
Thanks. Will read more on this.
Renosh said:
for newer Android phones, as long as you are encrypted and have a PIN/password set for boot, a thief would just wipe the phone, return it to stock and sell or use it. 99.9% of the time they just want money, so the likely reason they wanted your passcode is they couldn't sell it because they were blocked from resetting it temporarily. As long as they have a physical device and unlimited time, they will eventually reset it and get rid of it.
Once a phone is lost, there's little chance to get it back. Device loss is one thing and data loss (or rather data access) is another. The latter at times can have more problems.
I used to keep my ID papers (for ease of printing anywhere as needed) on my phone (Nokia N5). Lost that phone... and to date I hope no one used those to buy services or do illegal stuff. That was a lesson learnt the hard way.
zelendel said:
Either way your data is meaningless.
Depends where you are. There are places where one can avail services in other's name using fake ids or stolen data etc.
2x4 said:
This is exactly why that semi-recent feature added by Google, which requires you to log in with the previously added Google account in the phone before initial setup following a factory reset, is very useful - it makes the phone unusable/unsellable (unless I'm missing something?)
Hmm.. I think I came across that in OP3. Didn't pay attention though.
zelendel said:
Because that is before startup and not the bootloader,
It is better to lose one than two. The phone is lost anyway... so at least we can try to secure the data. Let them wipe and then get nothing in hand.
hyperorb said:
This has been very interesting and so much to learn. Thank you all for great inputs.
Yes. But then Microsoft too is not clean. Browser, Windows... That way we can never work.
Have it in all my Androids. Very helpful at times, even for non-theft purposes.
Thanks. Will read more on this.
Once a phone is lost, there's little chance to get it back. Device loss is one thing and data loss (or rather data access) is another. The latter at times can have more problems.
I used to keep my ID papers (for ease of printing anywhere as needed) on my phone (Nokia N5). Lost that phone... and to date I hope no one used those to buy services or do illegal stuff. That was a lesson learnt the hard way.
Depends where you are. There are places where one can avail services in other's name using fake ids or stolen data etc.
Hmm.. I think I came across that in OP3. Didn't pay attention though.
It is better to lose one than two. The phone is lost anyway... so at least we can try to secure the data. Let them wipe and then get nothing in hand.
You don't need to steal someone's phone to get a fake ID with their info. 1500 USD will get you that without it.
As for getting nothing in hand. They got exactly what they wanted. The device. Unless you work for the government in a high place. Then your data is meaningless on your phone. You already put it in enough places online while using a PC that if they want it they already have it.
I could easily steal someone's identity with a little more than what they post on Facebook or other social media outlets.