Hi all,
bit of an emergency here. I am running rooted Chroma rom, just went into twrp to backup my EPS, and upon reboot it is saying I need to enter my password. I have done this several times. Now, it keeps saying the password is incorrect, and after the 5th time, there is no option to reset it! Help please!! Don't feel like wiping my phone again...
greves1 said:
Hi all,
bit of an emergency here. I am running rooted Chroma rom, just went into twrp to backup my EPS, and upon reboot it is saying I need to enter my password. I have done this several times. Now, it keeps saying the password is incorrect, and after the 5th time, there is no option to reset it! Help please!! Don't feel like wiping my phone again...
Click to expand...
Click to collapse
You can search that but might as wipe in the meantime. Get yourself a working phone.
bobby janow said:
You can search that but might as wipe in the meantime. Get yourself a working phone.
Click to expand...
Click to collapse
Thanks for the reply. Going through the post-wipe setup now. Grrrr. It's just that I entered the password a bunch of times, and it always worked. Just on reboot from recovery it didnt. Now I'm afraid to go back into twrp...
Anyone know if this could be caused by some android security feature that doesnt like systemless root, xposed, etc.
greves1 said:
Hi all,
bit of an emergency here. I am running rooted Chroma rom, just went into twrp to backup my EPS, and upon reboot it is saying I need to enter my password. I have done this several times. Now, it keeps saying the password is incorrect, and after the 5th time, there is no option to reset it! Help please!! Don't feel like wiping my phone again...
Click to expand...
Click to collapse
I assume this is the same problem as the Nexus 6P. You need to disable the security before making a TWRP backup. The fix is:
After restoring the nandroid, boot into twrp and then delete /data/sytem/locksettings.db. If that doesn't fix it, delete the locksettings.db-shm and locksettings.db-wal in the same location. If that doesn't fix it either, delete gatekeeper.password.key and gatekeeper.pattern.key in the same location.
Click to expand...
Click to collapse
KennyG123 said:
I assume this is the same problem as the Nexus 6P. You need to disable the security before making a TWRP backup. The fix is:
Click to expand...
Click to collapse
Thanks for this fix. I'll keep it in mind next time. My broader question is now about security in general, since there seems to be a way to remove security from our roms?? For example, if someone got ahold of your phone, couldnt they just follow these steps to get in? Is this just a side-effect of unlocking the phone that is unavoidable? If I'm missing something about how to maintain security in the unlocked/rooted environment, please let me know. I've looked around but I haven't found any great guides for best practices regarding nandroids/security, etc. Thanks all!
greves1 said:
Thanks for this fix. I'll keep it in mind next time. My broader question is now about security in general, since there seems to be a way to remove security from our roms?? For example, if someone got ahold of your phone, couldnt they just follow these steps to get in? Is this just a side-effect of unlocking the phone that is unavoidable? If I'm missing something about how to maintain security in the unlocked/rooted environment, please let me know. I've looked around but I haven't found any great guides for best practices regarding nandroids/security, etc. Thanks all!
Click to expand...
Click to collapse
Rooting is in itself the biggest security risk. This is why carriers are working with manufacturers to make many phones fully locked and unrootable. Our main security expert Jcase does not use a rooted phone. He recommends if you need to root, go ahead, make the changes you want, then quickly unroot. So sure, if someone stole your phone they could follow that procedure to get into it. They could also just force a fresh stock version on it to wipe everything. Security and locks are meant to keep out honest people and slow down the dishonest.
KennyG123 said:
Rooting is in itself the biggest security risk. This is why carriers are working with manufacturers to make many phones fully locked and unrootable. Our main security expert Jcase does not use a rooted phone. He recommends if you need to root, go ahead, make the changes you want, then quickly unroot. So sure, if someone stole your phone they could follow that procedure to get into it. They could also just force a fresh stock version on it to wipe everything. Security and locks are meant to keep out honest people and slow down the dishonest.
Click to expand...
Click to collapse
Just so I'm clear, the only thing keeping a stock phone safe is that when its locked, it can't be unlocked/rooted because the option to allow oem unlocking/adb connections are not (or should not be) checked in the developer options, is that correct? From what you're saying, as long as those two boxes are checked, there is essentially nothing stopping someone from wiping out your password and getting into your device. I'd love to run unrooted, but would adaway still have an effect? I'm thinking that the definitions are already applied, so maybe it would work unrooted. But cf.lumen, which I love and can't find the same functionality anywhere else, seems to always "enable interactive shell" on boot. Would this work unrooted? But again, as long so you're doing all this stuff, you can't lock your bootloader again, can you? Or can you lock it on a stock rom with the kind of modifications I'm talking about. I read that locking bootloader while having a custom rom loaded can cause a brick, although I'm not quite sure why. Couldn't you just always get into fastboot to unlock it again?
greves1 said:
Just so I'm clear, the only thing keeping a stock phone safe is that when its locked, it can't be unlocked/rooted because the option to allow oem unlocking/adb connections are not (or should not be) checked in the developer options, is that correct? From what you're saying, as long as those two boxes are checked, there is essentially nothing stopping someone from wiping out your password and getting into your device. I'd love to run unrooted, but would adaway still have an effect? I'm thinking that the definitions are already applied, so maybe it would work unrooted. But cf.lumen, which I love and can't find the same functionality anywhere else, seems to always "enable interactive shell" on boot. Would this work unrooted? But again, as long so you're doing all this stuff, you can't lock your bootloader again, can you? Or can you lock it on a stock rom with the kind of modifications I'm talking about. I read that locking bootloader while having a custom rom loaded can cause a brick, although I'm not quite sure why. Couldn't you just always get into fastboot to unlock it again?
Click to expand...
Click to collapse
Pfew...so many questions...there are always vulnerabilities out there that hackers can find..like Stagefright...but a rooted phone is the most vulnerable. So having a phone with a locked bootloader and unrooted is the best security...still not guaranteed against every possible thing. But it is the best...now what are you trying to protect? Your data...or someone being able to wipe and use the phone as their own? All you can do really is try to protect from a phone being hacked remotely...and a rooted phone is like leaving the safe door open. But if someone steals your phone, there are always nefarious ways to make it usable.
KennyG123 said:
Pfew...so many questions...there are always vulnerabilities out there that hackers can find..like Stagefright...but a rooted phone is the most vulnerable. So having a phone with a locked bootloader and unrooted is the best security...still not guaranteed against every possible thing. But it is the best...now what are you trying to protect? Your data...or someone being able to wipe and use the phone as their own? All you can do really is try to protect from a phone being hacked remotely...and a rooted phone is like leaving the safe door open. But if someone steals your phone, there are always nefarious ways to make it usable.
Click to expand...
Click to collapse
Yeah, sorry for the wall of questions. I am just trying to wrap my head around some of these issues. At the end of the day, I don't really keep sensitive data on the phone, although it would not be good if a bad actor got into my gmail, for instance. I suppose I should migrate the last of my sensitive accounts to a secondary email, so no password resets could be initiated from a stolen phone. It's always a tradeoff between convenience and security I know. It's also a little worrysome that simply unlocking the phone activates it for androidpay. An unlocked phone stolen out of someone's hand is essentially the same as stealing all the credit cards in their wallet. It would be nice if android pay allowed an additional fingreprint/pin/password to make the transaction. Anyway, I'm now taking my own thread way off topic. Thanks for the insights though.
greves1 said:
Yeah, sorry for the wall of questions. I am just trying to wrap my head around some of these issues. At the end of the day, I don't really keep sensitive data on the phone, although it would not be good if a bad actor got into my gmail, for instance. I suppose I should migrate the last of my sensitive accounts to a secondary email, so no password resets could be initiated from a stolen phone. It's always a tradeoff between convenience and security I know. It's also a little worrysome that simply unlocking the phone activates it for androidpay. An unlocked phone stolen out of someone's hand is essentially the same as stealing all the credit cards in their wallet. It would be nice if android pay allowed an additional fingreprint/pin/password to make the transaction. Anyway, I'm now taking my own thread way off topic. Thanks for the insights though.
Click to expand...
Click to collapse
For most phones that have fingerprint security Android Pay can be set up that way. I won't use it anyway because it would be crazy to hand a waiter your unlocked phone, or to have to follow him to the register. It would only be useful to me in the supermarket but I am carrying a credit card anyway. But that is one thing people forget, rooting a phone means removing the main security.
KennyG123 said:
For most phones that have fingerprint security Android Pay can be set up that way. I won't use it anyway because it would be crazy to hand a waiter your unlocked phone, or to have to follow him to the register. It would only be useful to me in the supermarket but I am carrying a credit card anyway. But that is one thing people forget, rooting a phone means removing the main security.
Click to expand...
Click to collapse
N5X and android pay seems to tell me to just "unlock your phone" and hold it close to the reader. No need for an additional fingerprint. And no option to require this in settings...
greves1 said:
N5X and android pay seems to tell me to just "unlock your phone" and hold it close to the reader. No need for an additional fingerprint. And no option to require this in settings...
Click to expand...
Click to collapse
Yes, that should get you to the authorization screen and then if you have fingerprint set up should ask you for the fingerprint to authorize. Android Pay also now works on phones without fingerprint sensors so that is why they provide those simple instructions. Final authorization instructions will appear on your screen.
KennyG123 said:
Yes, that should get you to the authorization screen and then if you have fingerprint set up should ask you for the fingerprint to authorize. Android Pay also now works on phones without fingerprint sensors so that is why they provide those simple instructions. Final authorization instructions will appear on your screen.
Click to expand...
Click to collapse
Ah, great to know. Thanks.
greves1 said:
Ah, great to know. Thanks.
Click to expand...
Click to collapse
Unfortunately I can't test that theory since I am on a custom ROM and also Xposed. But everything I read says it should utilize the fingerprint if available.
KennyG123 said:
Unfortunately I can't test that theory since I am on a custom ROM and also Xposed. But everything I read says it should utilize the fingerprint if available.
Click to expand...
Click to collapse
Real word use shows that android pay does not ask for an additional fingerprint at the time of use. It's just as the instructions say, as long as your phone is unlocked at the time it is held up to the scanner, androidpay will work. I kind of wish they allowed for the additional security of an at-scan fingerprint read, but oh well. I have yet to test if the password/pin can be removed by the methods discussed in this thread, and androidpay working after defeating this security. If it does, then this is obviously a major security vulnerability of having an unlocked phone and using androidpay at the same time. Probably not more dangerous in terms of protecting against CC thieves, since they can just swipe a card stolen from your wallet at a terminal, but you probably wouldn't want to keep too many cards on your phone. Again, I haven't tested this out, if a fingerprint is still required to get in after a password database defeat, but someone should do this test.
If you have your phone lost or stolen just cancel your cards as if it happened to your wallet. Simple no?
Related
Good evening all!
Question I have is simply when does everyone suspect a single-click Root might come along that doesn't wipe the phone's memory? I've already had to reset my phone once (because of Verizon) and hoping to not have to do it again for awhile (restoring 12k SMS takes awhile). I know many phones in the past have eventually gotten a one-click method that doesn't wipe the phone and wondering how feasible it is that we'll see one here in a short amount of time.
Thanks in advance, all! Keep up the good work.
Rooting doesn't wipe the device, the problem is that you have to unlock the device first, which will.
champers said:
Rooting doesn't wipe the device, the problem is that you have to unlock the device first, which will.
Click to expand...
Click to collapse
Can I ask why? Many devices have had single-click roots that retained locked bootloaders. A reference would be my Atrix 4G. Motorola locked the bootloader fairly hard and I never unlocked mine, but I still managed to root the device using Z4Root, without a whipe. I downloaded the app, opened it, and clicked the "Root" button. I restarted the phone and the phone was rooted with SuperUser and BusyBox installed.
hotleadsingerguy said:
Can I ask why? Many devices have had single-click roots that retained locked bootloaders. A reference would be my Atrix 4G. Motorola locked the bootloader fairly hard and I never unlocked mine, but I still managed to root the device using Z4Root, without a whipe. I downloaded the app, opened it, and clicked the "Root" button. I restarted the phone and the phone was rooted with SuperUser and BusyBox installed.
Click to expand...
Click to collapse
Those are usually hacks that take advantage of security flaws found in the OS or other software... the same way that malware authors find holes in Windows and write software to take advantage of it to exploit your computer. The bugs that allow you to root without unlocking are the same kind of bugs that has given Microsoft a bad reputation for security over the years, and naturally Google doesn't want security flaws in Android so they try to minimize them and fix any that are found.
A hole might be found in ICS eventually.
phazerorg said:
Those are usually hacks that take advantage of security flaws found in the OS or other software... the same way that malware authors find holes in Windows and write software to take advantage of it to exploit your computer. The bugs that allow you to root without unlocking are the same kind of bugs that has given Microsoft a bad reputation for security over the years, and naturally Google doesn't want security flaws in Android so they try to minimize them and fix any that are found.
A hole might be found in ICS eventually.
Click to expand...
Click to collapse
I wasn't really asking about the ethical use of such things...just whether anyone could see it being feasibly possible in the near future. Then again, if anyone knows of a way to restore 12k SMS in 5 minutes I'm open to unlocking/rooting the old-fashioned way.
By the way, even the way unlocking/rooting is accomplished now is considered a "hack". Using ADB to unlock/root the phone isn't the way it's meant to be used. ADB stands for Android Debugging Bridge...it's meant to debug, not crack open the bootloader.
hotleadsingerguy said:
I wasn't really asking about the ethical use of such things...just whether anyone could see it being feasibly possible in the near future. Then again, if anyone knows of a way to restore 12k SMS in 5 minutes I'm open to unlocking/rooting the old-fashioned way.
Click to expand...
Click to collapse
Sorry about that, I didn't mean to imply any ethics here. I was just trying to answer the question about why there isn't a one-click root. I may have misinterpreted your "why?" question.
I don't see that happening any time soon. It's so effortless to unlock the bootloader that why would anyone waste their time trying to find a workaround.
jhuynh said:
I don't see that happening any time soon. It's so effortless to unlock the bootloader that why would anyone waste their time trying to find a workaround.
Click to expand...
Click to collapse
I wouldn't call re-configuring everything effortless lol I'd rather spend 45 minutes unlocking and rooting than spend 5 minutes doing it and another hour getting it set up...again. Restoring all of your stuff can be a pain if you don't have it empty. It downloads the apps but it doesn't set them up.
Have you tried restoring a massive number of text messages? I had to delete half of mine simply because it took well over an hour and a half to restore the first time and I had to reset the phone anyway. It's extremely time-consuming to have to clear out the phone. I'd say it was a strong 2 1/2 or 3 hours from start to finish yesterday to do it (and yes, there was a reason I couldn't unlock+root at the same time).
I've flashed a rom, kernel, radio, some UI tweaks, and I think I'm done with all that and reached a point I'm happy with. Should I relock? Will I lose root/my tweaks by doing that? What are the security risks with keeping the bootloader unlocked? I don't use google wallet or anything else super personal/detrimental if in the wrong hands, but I do have a chasebank app (that requires login every use), the standard gmail integration, and a sensitive photo here and there. I understand that I'll have to unlock it again (and deal with the wipe) if I want to do more serious customizing, but at this point I'm more curious about the pros/cons of keeping the bootloader unlocked during day to day use. In terms of used networks, I connect to my home wifi, and the occasional open wifi when out and about, but usually I forget/don't realize and just keep it on 3g/4g. I also tether every so often. Don't know which of those makes me more vulnerable than others. I live in a pretty unpopulated area so I'm not too concerned about all this, but I am curious.
Don't relock...its pointless if you're not stock
No reason to re-lock. You'll just have to do a data wipe the next time you want to change anything.
Sent from my Galaxy Nexus using Tapatalk
There truly is no reason to relock, there is no difference/point.
I understand having to unlock it again would mean another wipe, as mentioned in the OP. I'm fine with that.
All of these posts conflict with this post from this recent Q&A thread. Which is correct? Why would that user post such a thing if it isn't true?
bfroehlich said:
I would suggest locking it if you plan on doing anything remotely sensitive on your device, Google Wallet, corporate email, naked pics of your spouse, etc.
Sent from my Galaxy Nexus using XDA App
Click to expand...
Click to collapse
not saying it's the case here, but a lot of people just think they know something.
@JBQ said in android-building something like
-However, if you're keeping your bootloader unlocked at all times
(which is a bad idea) and you're running an official build already,
you can flash a newer one without wiping data and that'll work fine.
Note that you can only move forward, not back. Be careful, though,
it's very easy to wipe data by accident when doing that, and the
default script does that.
Click to expand...
Click to collapse
he didn't go any further on that. source
perhaps it's a matter of privilege escalation?
relocking the bootloader help security
relocking the bootloader will help defend against "Evil Maid Attacks" amongst other things.
More background info available if you search for "evil maid goes after WhisperCore
why we need a securable bootloader"
(I'd post a link but account is too new)
Yes it will help with security. But by that point, you might as well get one of the "android lost" apps and remotely brick your phone if it's stolen, imo.
As a custom ROM user, you're responsible for your own updates. Which means you can expect to be reflashing stuff in the future. Thus, I don't think it's worth it to have your data wiped again and again.
(But then again, I flash stuff like crazy, so that might be bias on my part.)
It'd be kinda funny to to lock your bootloader for security after flashing completely custom firmware from some unknown source bit of a contradiction.
No.
In another week or so you are gonna be browsing xda and see a new kernel/rom/theme that you like and you're gonna think well I can't flash it coz for some reason I locked my bootloader and I don't want to wipe my sdcard coz I have stuff I want there.
A few days later you are gonna say f*ck it and you are gonna unlock your bootloader again and lose all your sdcard data.
Why?
Because you may not know it yet but you are now a crackflasher. You tried it once and that's all it takes to get addicted.
As others have said, there is only added security if you lose your phone and at that point if there is extremely sensitive data and you can't get it back, you can just remotely wipe it using an app from the marketplace.
Note: said app must be installed before you lose your phone
Sent from my GT-I9100 using xda premium
joshnichols189 said:
As others have said, there is only added security if you lose your phone and at that point if there is extremely sensitive data and you can't get it back, you can just remotely wipe it using an app from the marketplace.
Note: said app must be installed before you lose your phone
Sent from my GT-I9100 using xda premium
Click to expand...
Click to collapse
Note: Said app not doesn't necessarily have to be installed before you lose your phone because you can go to Play Store, remotely install the app, and issue the commands for tracking. (But if you want it to wipe, I believe you have to give it administrative permissions, which does require you to have it installed before and set it up that way). Maybe Avast! even lets you wipe without administrative positions (haven't tried yet).
In order for you data to be secure in case of theft/loss, locking the bootloader is not enough. You need to turn off USB debugging in settings. Otherwise, if someone finds a GN, he can access all the files on it anyway. Bootloader locked or not.
Questions answered in the below quotes!
cmstlist said:
What it comes down to is, anyone smart enough to know how the GNex works can beat these sorts of things. You'll catch the dumb criminals but few others. Even if you could theoretically put a lock on CWM, the device can be wiped from the bootloader level and made to work. And chances are, if you have CWM loaded you already have an unlocked bootloader. Which means if you put a password on CWM, the thief could just reflash a clean CWM over top of it.
Click to expand...
Click to collapse
martonikaj said:
Exactly. The only criminal getting caught here is an extremely dumb one. If you're stealing phones you know to go in and uninstall Lookout or factory reset the device... then you wont be able to get the device back either way. Any criminal "smart" enough to use CWM to wipe the phone will use one of the many other ways to make it untraceable.
As someone else said, call the carrier and blacklist the SIM and IMEI.
And if you want your phone to be the most secure, use a PIN lockscreen, fully encrypt the device, and keep it stock with a locked bootloader. And above all... keep your phone in your sight/possession whenever in public. All basic stuff.
Click to expand...
Click to collapse
_Dennis_ said:
The anti-theft stuff is not so much anti-theft of the phone as anti-theft of you personal information. Think of it like this, you lose your device, criminal takes your information and uses your stored bank account information to steal your money, your stored address and name to get a new driver's license, and new license to get new credit card to ruin your credit score, along with making $500 on selling your phone.
Or he steals your phone, you remote wipe and blacklist iemi, he makes $200 selling phone for parts.
Sent from my Galaxy Nexus using Tapatalk
Click to expand...
Click to collapse
bwcorvus said:
They can wipe the phone in fastboot also...so this would stop nothing.
Sent from my Galaxy Nexus
Click to expand...
Click to collapse
================================================================================================================
So I got Avast with it's Anti-Theft protection baked into the ROM, but of course if my phone gets lost, it doesn't matter if i remote lock it or wipe it. If the thief is smart enough, they can just reboot into CWM and wipe data/dalvik/cache and flash a new rom onto it and resell the phone as "new". (And trust me, they are in 9/10 cases that smart)
So I was wondering, is there any way to put a password onto CWM? Like a 4 digit pin or similar. I realize it would be hard to do given the limited controls (vol up, down, power), but does the Touch Recovery enable this?
That way it would be a good safeguard for losing your phone as no one without access can wipe the ROM and render your theft-protection useless within seconds..
Thanks
Isn't that what you want them to do? Even if they're not sophisticated enough to wipe it you're just going to wipe it yourself considering the chances of getting it back are slim to none.
Either way, the device gets wiped.
EddieN said:
So I got Avast with it's Anti-Theft protection baked into the ROM, but of course if my phone gets lost, it doesn't matter if i remote lock it or wipe it. If the thief is smart enough, they can just reboot into CWM and wipe data/dalvik/cache and flash a new rom onto it and resell the phone as "new". (And trust me, they are in 9/10 cases that smart)
So I was wondering, is there any way to put a password onto CWM? Like a 4 digit pin or similar. I realize it would be hard to do given the limited controls (vol up, down, power), but does the Touch Recovery enable this?
That way it would be a good safeguard for losing your phone as no one without access can wipe the ROM and render your theft-protection useless within seconds..
Thanks
Click to expand...
Click to collapse
Indeed, I have wondered this a few times too. I mean, hopefully if you lose your phone then you'll be able to find it before any of this stuff happens...but not necessarily. If the thief turns your phone off/battery pulls then they effectively win! I suppose the benefit of a non-removable battery is that, if you have a lockscreen password, then the thief should find it hard to even power off your device!
I think a lock on CWM should be implemented...but who wants to forget their password to CWM and never be able access their device again? Not me!
---------- Post added at 10:35 AM ---------- Previous post was at 10:34 AM ----------
martonikaj said:
Isn't that what you want them to do? Even if they're not sophisticated enough to wipe it you're just going to wipe it yourself considering the chances of getting it back are slim to none.
Either way, the device gets wiped.
Click to expand...
Click to collapse
That's true...didn't think of that. Still though...I'd prefer my phone back!
Unlocking the bootloader would wipe the phone, and afaik there is no way to prevent that. Also, it isn't going to stop your phone from getting stolen...
Well sure, if my phone gets stolen it gets stolen. I don't have it anymore. But Avasts Anti-Theft enables you to send SMS commands to lock/wipe the phone, turn on/off GPS, disable any user interaction except from SMS messages from TRUSTED numbers etc. So even if I don't have the phone, BUT I have a password protected CWM, the phone will be useless as they cant flash a new ROM or have access to the OS/internal SD (thanks to disabling USB when the phone is flagged as lost) so it's just a paperweight with no resell value no matter what sim or battery they insert. It will be locked.
As long as they have the phone turned off, sure, I can't access it's location and whatnot. But at the same time they cant do anything with the phone either. I also doubt they'd disassemble the phone and take the time to somehow hardware flash the ROM chip to force a flash.
There have been cases in my country where people have gotten back their ipads/iphones/phones that have their respective "find my phone" if it gets lost/stolen etc.. Manufacturers don't implement functions like this for nothing, and law enforcement is usually helpful in cases like this if the GPS location and IMEI number are provided, as well as proof of ownership (which is displayed on the lock-screen of Anti-Theft as well as the IMEI).
It just seems contradicting having an Anti-Theft option when CWM is a few button presses away from wiping the phone and everything along with it, totally crippling anti-theft software.
Locking the bootloader every time I flash a rom (just in case i go out that one night and get robbed etc.) is a pain, and even if they unlock the bootloader everything is wiped anyway (including Anti-Theft).
The only reasonable solution is to have a password protected CWM. But of course, it's a HUGE risk if you forget your password to it.
and afaik by wiping through SMS, it only wipes the personal data (pictures, sms, anything personal) but keeps the rom intact as not to break the Anti-Theft. It would be really stupid if you remote wiped and the entire rom was wiped? Given that the thief isn't as smart as the regular XDA-crawler they'd need to flash a custom rom for it to even boot after that. But that's another story. Point being that remote wipe doesn't wipe the rom. Only all settings/personal data so a thief cant access private info.
imo if my phone got lost/stolen i'd try to (before it would happen) safeguard myself as much as I could to maybe at least have a small chance of getting it back. You never know.
Completely unnecessary, just call your carrier and report your phone lost/stolen and have them blacklist the IMEI number, done.
In any case, I can't even see a reason for this sort of childishness. If you lost your phone, bad on you, take better care of your things; if you had your phone stolen because you weren't paying attention to where it was, again, bad on you, take better care of your things; if you were threatened and mugged at knife/gunpoint, give the damn phone up and be happy, your life is worth more than any stupid phone, **** happens and then you die.
ZeroBarrier said:
Completely unnecessary, just call your carrier and report your phone lost/stolen and have them blacklist the IMEI number, done.
In any case, I can't even see a reason for this sort of childishness. If you lost your phone, bad on you, take better care of your things; if you had your phone stolen because you weren't paying attention to where it was, again, bad on you, take better care of your things; if you were threatened and mugged at knife/gunpoint, give the damn phone up and be happy, your life is worth more than any stupid phone, **** happens and then you die.
Click to expand...
Click to collapse
There's no reason to be rude and condescending. A phone can be lost/stolen no matter how careful you are. Of course your life is incomparable in value to a stupid phone, but that's not what this thread is about so no reason to go OT.
Back OT though, I still believe a password system should be looked in to. What if this wasn't about your phone being stolen, what if someone is just screwing with your phone? Why DO we have passwords? We have them to keep intruders at bay for things we don't want them to have access to. I wouldn't want anyone to be able to access CWM and wipe my phone.
It just seems strange how such a powerful tool can render any lockscreen/pin unlock/pattern unlock useless by just wiping the phone and reflashing a rom (keeping personal data such as pictures etc.) and gaining access to them anyway. It renders all these passwords/lockscreens etc. useless.
EddieN said:
I wouldn't want anyone to be able to access CWM and wipe my phone.
It just seems strange how such a powerful tool can render any lockscreen/pin unlock/pattern unlock useless by just wiping the phone and reflashing a rom (keeping personal data such as pictures etc.) and gaining access to them anyway. It renders all these passwords/lockscreens etc. useless.
Click to expand...
Click to collapse
So does the stock recovery. Doesn't seem as if anyone is complaining to Samsung or Google asking them for password protection on stock recoveries.
In the end, it's a portable communications device designed to be in your possession at all times, and if it is in your possession at all times, then there isn't any need to worry about a 3rd party wiping your phone randomly.
I am also hoping for password on the recovery.
What it comes down to is, anyone smart enough to know how the GNex works can beat these sorts of things. You'll catch the dumb criminals but few others. Even if you could theoretically put a lock on CWM, the device can be wiped from the bootloader level and made to work. And chances are, if you have CWM loaded you already have an unlocked bootloader. Which means if you put a password on CWM, the thief could just reflash a clean CWM over top of it.
cmstlist said:
What it comes down to is, anyone smart enough to know how the GNex works can beat these sorts of things. You'll catch the dumb criminals but few others. Even if you could theoretically put a lock on CWM, the device can be wiped from the bootloader level and made to work. And chances are, if you have CWM loaded you already have an unlocked bootloader. Which means if you put a password on CWM, the thief could just reflash a clean CWM over top of it.
Click to expand...
Click to collapse
Exactly. The only criminal getting caught here is an extremely dumb one. If you're stealing phones you know to go in and uninstall Lookout or factory reset the device... then you wont be able to get the device back either way. Any criminal "smart" enough to use CWM to wipe the phone will use one of the many other ways to make it untraceable.
As someone else said, call the carrier and blacklist the SIM and IMEI.
And if you want your phone to be the most secure, use a PIN lockscreen, fully encrypt the device, and keep it stock with a locked bootloader. And above all... keep your phone in your sight/possession whenever in public. All basic stuff.
EddieN said:
So I got Avast with it's Anti-Theft protection baked into the ROM, but of course if my phone gets lost, it doesn't matter if i remote lock it or wipe it. If the thief is smart enough, they can just reboot into CWM and wipe data/dalvik/cache and flash a new rom onto it and resell the phone as "new". (And trust me, they are in 9/10 cases that smart)
So I was wondering, is there any way to put a password onto CWM? Like a 4 digit pin or similar. I realize it would be hard to do given the limited controls (vol up, down, power), but does the Touch Recovery enable this?
That way it would be a good safeguard for losing your phone as no one without access can wipe the ROM and render your theft-protection useless within seconds..
Thanks
Click to expand...
Click to collapse
The anti-theft stuff is not so much anti-theft of the phone as anti-theft of you personal information. Think of it like this, you lose your device, criminal takes your information and uses your stored bank account information to steal your money, your stored address and name to get a new driver's license, and new license to get new credit card to ruin your credit score, along with making $500 on selling your phone.
Or he steals your phone, you remote wipe and blacklist iemi, he makes $200 selling phone for parts.
Sent from my Galaxy Nexus using Tapatalk
They can wipe the phone in fastboot also...so this would stop nothing.
Sent from my Galaxy Nexus
bwcorvus said:
They can wipe the phone in fastboot also...so this would stop nothing.
Sent from my Galaxy Nexus
Click to expand...
Click to collapse
This.
You can wipe (or obtain all the data stored into io) a galaxy nexus directly from the bootloader... Even before loading the recovery...
If I was in you i would care more about stolen data/photos and so on... (ics support full system encryption but clockwork mod does not iirc)
sooooo?
So back to the original question Any1 no of a hack that password protects recovery? Its a great idea and for those that don't think so for whatever reason wouldn't have to use it .
drawde40599 said:
So back to the original question Any1 no of a hack that password protects recovery? Its a great idea and for those that don't think so for whatever reason wouldn't have to use it .
Click to expand...
Click to collapse
Did you not read the thread? Its a waste of time to do this...
I guess it's a conundrum for us hacky types - unlocked bootloader lets us do all sorts of stuff, and gives us an escape hatch from unstable ROMs without losing our data. But it also lets anyone else get full access.
Now what would be nice is if the unlocked bootloader could be configured with a password. So it's effectively locked for everyone else unless they wipe.
cmstlist said:
I guess it's a conundrum for us hacky types - unlocked bootloader lets us do all sorts of stuff, and gives us an escape hatch from unstable ROMs without losing our data. But it also lets anyone else get full access.
Now what would be nice is if the unlocked bootloader could be configured with a password. So it's effectively locked for everyone else unless they wipe.
Click to expand...
Click to collapse
Even if you have a locked bootloader, all they have to do is type Fastboot oem unlock, and your data is wiped. With the phone we have, there is NOTHING you can do to stop someone from wiping it. If we could put a password before that, this would be the only safeguard (like a bios lock on a computer).
Sent from my Galaxy Nexus
bwcorvus said:
Even if you have a locked bootloader, all they have to do is type Fastboot oem unlock, and your data is wiped. With the phone we have, there is NOTHING you can do to stop someone from wiping it. If we could put a password before that, this would be the only safeguard (like a bios lock on a computer).
Sent from my Galaxy Nexus
Click to expand...
Click to collapse
Right, there's the separate questions of data integrity vs. tracking software integrity.
Most Androids, with stock recovery, are capable of being wiped too without booting into the OS at all.
cmstlist said:
What it comes down to is, anyone smart enough to know how the GNex works can beat these sorts of things. You'll catch the dumb criminals but few others. Even if you could theoretically put a lock on CWM, the device can be wiped from the bootloader level and made to work. And chances are, if you have CWM loaded you already have an unlocked bootloader. Which means if you put a password on CWM, the thief could just reflash a clean CWM over top of it.
Click to expand...
Click to collapse
martonikaj said:
Exactly. The only criminal getting caught here is an extremely dumb one. If you're stealing phones you know to go in and uninstall Lookout or factory reset the device... then you wont be able to get the device back either way. Any criminal "smart" enough to use CWM to wipe the phone will use one of the many other ways to make it untraceable.
As someone else said, call the carrier and blacklist the SIM and IMEI.
And if you want your phone to be the most secure, use a PIN lockscreen, fully encrypt the device, and keep it stock with a locked bootloader. And above all... keep your phone in your sight/possession whenever in public. All basic stuff.
Click to expand...
Click to collapse
_Dennis_ said:
The anti-theft stuff is not so much anti-theft of the phone as anti-theft of you personal information. Think of it like this, you lose your device, criminal takes your information and uses your stored bank account information to steal your money, your stored address and name to get a new driver's license, and new license to get new credit card to ruin your credit score, along with making $500 on selling your phone.
Or he steals your phone, you remote wipe and blacklist iemi, he makes $200 selling phone for parts.
Sent from my Galaxy Nexus using Tapatalk
Click to expand...
Click to collapse
bwcorvus said:
They can wipe the phone in fastboot also...so this would stop nothing.
Sent from my Galaxy Nexus
Click to expand...
Click to collapse
Well thanks for the great insight then! I didn't know fully that you could, still, even with a hypothesized passworded CWM, gain access and flash a new recovery before even getting into recovery (i haven't stumbled upon a situation like this yet)
So really there is no way to fully PROTECT the device with a password per se, unless you, like someone said, keep it fully stock with the bootloader locked. That way the device will be wiped anyway. Or have some kind of a BIOS-lock.
The thread was made to merely speculate if a password for CWM was feasible, and if it was, if it would do any good. Since we have come to the conclusion that it is not (any good at least), the best thing to do is to simply encrypt the phone, put a lockscreen pin/pattern or something like it and take care of the phone (of course). If it gets stolen, it does. Call the carrier and flag the IMEI. I know that already, but it would be a nice consolidation to somehow have some hope of getting the device back.
Needless to say you probably never will. So be careful guys!
Thanks for the thread and the knowledgeable inputs, there were apparently a few more peeps wondering about the same thing as I so I hope it helped them
A little while ago my brother had his iphone6 snatched. Now with Iphone, I know cannot be mounted to usb directly or even via recovery.
I know pin, fingerprint etc block access to the phone. I want to understand about other ways to access internal storage to gain access to photos and any other documents
That makes me ask - What security options we have for android - in particular OP3 (have 2 of them) and how can we make it more secure. ? Both my phones have Blu_spark TWRP + Freedom OS 2.10, if that matters.
Just to share, I found following to be foolproof
- Setup Pin + Fingerpints
- Setup Pin / Password for phone startup
This
- Keeps the device encrypted
- Unable to boot without pin
- Unable to access TWRP without pin
- Doesn't auto-mount on USB connect
Still, it would be interesting to hear about any cons of the above setup.
hyperorb said:
A little while ago my brother had his iphone6 snatched. Now with Iphone, I know cannot be mounted to usb directly or even via recovery.
I know pin, fingerprint etc block access to the phone. I want to understand about other ways to access internal storage to gain access to photos and any other documents
That makes me ask - What security options we have for android - in particular OP3 (have 2 of them) and how can we make it more secure. ? Both my phones have Blu_spark TWRP + Freedom OS 2.10, if that matters.
Click to expand...
Click to collapse
The easiest is to not get it snatched. Or if it does you chase them down and get your phone back. But barring that not alot you can really do and ill explain why.
When someone steals a phone, they dont care about the data on it. They are either gonna sell it or use it. Either way The device has the sim removed with in sec of it being taken and then it is reset or flashed to stock to remove any and all locks. This normally happens within minutes if not seconds of a device being stolen.
zelendel said:
The easiest is to not get it snatched. Or if it does you chase them down and get your phone back. But barring that not alot you can really do and ill explain why.
When someone steals a phone, they dont care about the data on it. They are either gonna sell it or use it. Either way The device has the sim removed with in sec of it being taken and then it is reset or flashed to stock to remove any and all locks. This normally happens within minutes if not seconds of a device being stolen.
Click to expand...
Click to collapse
Interestingly that was not the case. They remained in contact and kept on asking for phone passcode; which we did not give.
I'm not aware if its equally east in iPhone to enter into (kind of) fastboot mode and erase entire storage. In such case the loss remains of the phone and nothing else ; specially when we may have financial apps too on the phone.
hyperorb said:
Interestingly that was not the case. They remained in contact and kept on asking for phone passcode; which we did not give.
I'm not aware if its equally east in iPhone to enter into (kind of) fastboot mode and erase entire storage. In such case the loss remains of the phone and nothing else ; specially when we may have financial apps too on the phone.
Click to expand...
Click to collapse
No apple doesn't have the option. Main reason the fbi had to pay to have an iPhone unlocked not to long ago.
Part of the reason I never advise doing any sort of banking on a device as there is just too many security risks. I, mean even android keyboards monitor what you type.
hyperorb said:
A little while ago my brother had his iphone6 snatched. Now with Iphone, I know cannot be mounted to usb directly or even via recovery.
I know pin, fingerprint etc block access to the phone. I want to understand about other ways to access internal storage to gain access to photos and any other documents
That makes me ask - What security options we have for android - in particular OP3 (have 2 of them) and how can we make it more secure. ? Both my phones have Blu_spark TWRP + Freedom OS 2.10, if that matters.
Click to expand...
Click to collapse
Cerberus is a really nice app... You have alot of options sadly it isn't free! But heyy, it's cheap and it's functional! Other then that keep your device encrypted and a boot password should do.
As long as you're not rooted and unlocked, it will be a bit hard for an thieve to have access to your phone. Leaving ADB on, might as well decrease the overall security of the phone.
I for example was given a tablet which had a Google account synced with it, and resetting from recovery only made me renter the credidentials previously used to be able to pass the setup.
My luck was that the guy left ADB on and with a simple command I bypassed the setup screen.
hyperorb said:
Interestingly that was not the case. They remained in contact and kept on asking for phone passcode; which we did not give.
I'm not aware if its equally east in iPhone to enter into (kind of) fastboot mode and erase entire storage. In such case the loss remains of the phone and nothing else ; specially when we may have financial apps too on the phone.
Click to expand...
Click to collapse
Not sure about iPhone's but for newer Android phones as long as you are encrypted and have a pin/password set for boot, a thief would just wipe the phone return to stock and sell or use it. 99.9% of the time they just want money so the likely reason they wanted your pass code is they couldn't sell it cause they were blocked from resetting it temporarily. As long they have a physical device and unlimited time they will eventually reset it and get rid of it.
Renosh said:
Not sure about iPhone's but for newer Android phones as long as you are encrypted and have a pin/password set for boot, a thief would just wipe the phone return to stock and sell or use it. 99.9% of the time they just want money so the likely reason they wanted your pass code is they couldn't sell it cause they were blocked from resetting it temporarily. As long they have a physical device and unlimited time they will eventually reset it and get rid of it.
Click to expand...
Click to collapse
Exactly. If someone steals your device 99.98% of the time it is too use it or sell it. With way your data is meaningless.
As for them wanting your pass code the above is right. But as they couldn't reset it you could have reported it stolen and the police may be able to find it but most of the time they have better things to do then recover a lost cell phone.
I used to work with people that felt with stolen cell phones. I can say the normally. Withing 30 min of a device being stolen the data is gone. And when I say that I mean a complete DOJ style wipe, format and imei change.
zelendel said:
No apple doesn't have the option. Main reason the fbi had to pay to have an iPhone unlocked not to long ago.
Part of the reason I never advise doing any sort of banking on a device as there is just too many security risks. I, mean even android keyboards monitor what you type.
Click to expand...
Click to collapse
....so do all iOS keyboards, both first and third party. it's required for them to function
---------- Post added at 09:25 AM ---------- Previous post was at 09:23 AM ----------
zelendel said:
Exactly. If someone steals your device 99.98% of the time it is too use it or sell it. With way your data is meaningless.
As for them wanting your pass code the above is right. But as they couldn't reset it you could have reported it stolen and the police may be able to find it but most of the time they have better things to do then recover a lost cell phone.
I used to work with people that felt with stolen cell phones. I can say the normally. Withing 30 min of a device being stolen the data is gone. And when I say that I mean a complete DOJ style wipe, format and imei change.
Click to expand...
Click to collapse
this is exactly why that semi-recent feature added by google which requires you to log in with the previously added google account in the phone before initial setup following a factory reset is very useful - it makes the phone unusable/unsellable (unless im missing something?)
2x4 said:
....so do all iOS keyboards, both first and third party. it's required for them to function
---------- Post added at 09:25 AM ---------- Previous post was at 09:23 AM ----------
this is exactly why that semi-recent feature added by google which requires you to log in with the previously added google account in the phone before initial setup following a factory reset is very useful - it makes the phone unusable/unsellable (unless im missing something?)
Click to expand...
Click to collapse
That can easily be bypassed by wiping the data off the device and flash a stock rom to it. The only the the FRP does is prevent them from getting at the data.
No its not really. It's so they can send relevant ads. Those that remember smartphones before Apple or Android knows that it is not really needed.
zelendel said:
That can easily be bypassed by wiping the data off the device and flash a stock rom to it. The only the the FRP does is prevent them from getting at the data.
Click to expand...
Click to collapse
but how can they flash a stock ROM onto the device if the "require PIN before startup" option is selected? how can they flash if recovery has a PIN on it?
2x4 said:
but how can they flash a stock ROM onto the device if the "require PIN before startup" option is selected? how can they flash if recovery has a PIN on it?
Click to expand...
Click to collapse
Because that is before startup and not the bootloader, even with those set up they normally dont cover download mode or what ever mode that particular OEM uses (not all use the same). In extreme cases with some apps that make it a bit harder or people just dont want to be bothered to mess with things too deeply there are tools available that Will push the update right to the board bypassing all security. Sure its a little extra work but it is a sure bet when you cant get into a device and cant be bothered hunting down getting around it.
Also for the passwords on startup. any password cracker would take out the average password in a matter of min.
This has been very interesting and so much to learn. Thank you all for great inputs.
zelendel said:
I never advise doing any sort of banking on a device as there is just too many security risks. I, mean even android keyboards monitor what you type.
Click to expand...
Click to collapse
Yes. But then Microsoft too is not clean. Browser , Windows.... That way we can never work.
Puddi_Puddin said:
Cerberus is a really nice app...
Click to expand...
Click to collapse
Have it in all my Androids Very helpful at times, even for non theft purpose..
XDRdaniel said:
Leaving ADB on, might as well decrease the overall security of the phone.
Click to expand...
Click to collapse
Thanks. Will read more on this.
Renosh said:
for newer Android phones as long as you are encrypted and have a pin/password set for boot, a thief would just wipe the phone return to stock and sell or use it. 99.9% of the time they just want money so the likely reason they wanted your pass code is they couldn't sell it cause they were blocked from resetting it temporarily. As long they have a physical device and unlimited time they will eventually reset it and get rid of it.
Click to expand...
Click to collapse
Once a phone is lost, there's little chance to get it back. Device loss is one thing and data loss (or rather data access) is another. The later at times can have more problems.
I used to keep my id papers (for ease of printing anywhere as needed) on phone (Nokia N5). Lost that phone .. and till date I hope no one used those to buy services, do illegal stuff. That was a lesson learnt hard way
zelendel said:
With way your data is meaningless.
Click to expand...
Click to collapse
Depends where you are. There are places where one can avail services in other's name using fake ids or stolen data etc.
2x4 said:
. this is exactly why that semi-recent feature added by google which requires you to log in with the previously added google account in the phone before initial setup following a factory reset is very useful - it makes the phone unusable/unsellable (unless im missing something?)
Click to expand...
Click to collapse
Hmm.. I think I came across that in OP3. Didn't pay attention though.
zelendel said:
Because that is before startup and not the bootloader,
Click to expand...
Click to collapse
It is better to loose one than two. Phone is anyways lost .. so at least we can try secure data. Let them wipe and then get nothing in hand.
hyperorb said:
This has been very interesting and so much to learn. Thank you all for great inputs.
Yes. But then Microsoft too is not clean. Browser , Windows.... That way we can never work.
Have it in all my Androids Very helpful at times, even for non theft purpose..
Thanks. Will read more on this.
Once a phone is lost, there's little chance to get it back. Device loss is one thing and data loss (or rather data access) is another. The later at times can have more problems.
I used to keep my id papers (for ease of printing anywhere as needed) on phone (Nokia N5). Lost that phone .. and till date I hope no one used those to buy services, do illegal stuff. That was a lesson learnt hard way
Depends where you are. There are places where one can avail services in other's name using fake ids or stolen data etc.
Hmm.. I think I came across that in OP3. Didn't pay attention though.
It is better to loose one than two. Phone is anyways lost .. so at least we can try secure data. Let them wipe and then get nothing in hand.
Click to expand...
Click to collapse
You don't need to steal someone's phone to get a fake ID with their info. 1500 usd will get you that without it.
As for getting nothing in hand. They got exactly what they wanted. The device. Unless you work for the government in a high place. Then your data is meaningless on your phone. You already put it in enough places on line while using a pc that if they want it they already have it.
I could easily steal someone identity with a little more then what they post on Facebook or other social media outlets.
Is there a way to get into the phone after a reboot if the PIN is unknown? The owner died and the family needs to get into the phone. Any pointers appreciated. Thanks!
bitdisturbed said:
Is there a way to get into the phone after a reboot if the PIN is unknown? The owner died and the family needs to get into the phone. Any pointers appreciated. Thanks!
Click to expand...
Click to collapse
It is out there on how to do it, search for it, because we cannot know if this is indeed a truthful and/or legal request we can not answer. Sorry!
"it's out there" - yeah, I figured that much. I'm not about to upload a death certificate on a public board, you'll have to forgive me. Any actually helpful pointers to get this done? Just trying to help the family. Thanks.
Android All_In_One_Tool maybe
Is Jack Bauer involved?
I wish! He'd have the thing enter it's own code just by giving it an angry stare
So I found the tool mentioned above, not quite sure which function I'd use to take a crack at it. Best option would be a giant "remove pin" button, highlighted in yellow for me, lol... The 9 Pro isn't explicitly stated as supported either, hope that's not an issue in this case. Am I going to Recovery/Flasher and Device Rooter or Decrypt internal storage?
Any new Oneplus phone that has a PIN also has FBEv2. Everything that matters on the phone is encrypted at rest.* Even if you bypass lock screen, you need the PIN to open any data in the phone. If the bootloader is unlocked, you can try backing up data with a custom recovery like TWRP or orangefox, but most if not all files stored in internal storage is encrypted.
Basically, if the PIN is lost, bypass the lock screen is no use and you can wipe the data now. See if the PIN is written down somewhere
Mmm was the phone linked to Google? It could be what you're after has been uploaded to Google drive ( photos etc)
its worth a shot
Hacker earned $70,000 for finding a way to bypass Google Pixel’s screen lock - IT World Canada
A security researcher, David Schütz has received a $70,000 bug bounty after inadvertently discovering a Google Pixel lock-screen bypass hack that solved a high-severity security problem on all Pixel smartphones that could easily be exploited to unlock the devices.
www.itworldcanada.com
Let the dead rest in peace , stop messing with his phone.
ElitePotato said:
Let the dead rest in peace , stop messing with his phone.
Click to expand...
Click to collapse
Gotta hide em secrets buried
ElitePotato said:
Let the dead rest in peace , stop messing with his phone.
Click to expand...
Click to collapse
Alright, in the end the family opted for that. Thanks for all your help, learned a few things from you guys (and gals, possibly)