While unlocking the bootloader on a Galaxy Nexus unleashes the full potential of the bootloader, it also poses a security risk. Even with your lockscreen protected with a pattern/PIN/password, not having flashed a custom recovery, having an anti-theft app installed (maybe even converted/installed as a system app) your phone's data is easily accessible for a knowledgeable thief.
All the thief needs to do is reboot into the bootloader and boot or flash a custom recovery such as ClockWorkMod or TWRP. It's then possible to boot into recovery and use ADB commands to gain access to the phone's data on the internal memory (unless you have it encrypted) and copy/remove files at will.
Granted, the risk seems low. The thief would not only require knowledge of fastboot, he would have to turn off the phone before you have issued a wipe command using an anti-theft app. You could of course flash back the stock recovery & relock the bootloader after being done with flashing stuff, but that would require you to unlock it again if needed which will erase your userdata.
There are two ways to tackle this security risk AND retain unlocked bootloader functionality without losing userdata.
1) Encrypt your phone using Android's built-in encryption feature
Advantages:
- you can leave your bootloader unlocked & leave a custom recovery installed without risk of exposing your data.
Disadvantages:
- unless the custom recovery can decrypt your phone, you cannot use all of its features.
- when decryption fails, you cannot access your phone and need to do a factory reset from recovery. Users have reported not being able to decrypt after applying OTA updates.
- the encryption process is irreversible. The only way to return to an unencrypted phone is to perform a factory data reset which erases all your data.
2) Unlock & relock the bootloader from Android OS
Prerequisites:
- root access
- an app that can unlock/relock the bootloader at will such as BootUnlocker
Steps
Root your device using one of the many guides out there (recommended guide). Install BootUnlocker. Reflash stock recovery and lock the bootloader. Whenever you need an unlocked bootloader again, simply use Bootlocker to unlock it (this won't wipe userdata). When done, relock.
Advantages:
- doesn't require encryption (for those who do not wish to use it).
Disadvantages:
- relies on third-party apps.
- method will not work if you lose root access for whatever reason.
- method will not work when you cannot boot into Android for whatever reason.
USB debugging
Strictly not related to the bootloader, but for maximum security disable USB debugging when not required. Having it enabled allows the execution of ADB commands even if the lockscreen is still locked. Myself, I use Tasker in combination with Secure Settings to automatically enable USB debugging when my device is connected to my home WiFi access point but disabled if not connected.
The following video demonstrates what a knowledgeable thief can do with your phone when you have USB debugging enabled by default: http://www.youtube.com/watch?v=ah7DWawLax8&t=7m0s
More info: recently, an exploit has been discovered that will enable gaining root without going through the 'traditional' process of unlocking the bootloader & flashing a custom recovery in order to flash Superuser or SuperSU packages. See this post for a guide.
Play store devices
Devices bought directly from Google's Play Store apparently do NOT wipe userdata after fastboot oem unlock. So for these devices, method number 2 does not add any security. For more info, read this thread: http://forum.xda-developers.com/showthread.php?t=1650830
Very well written!!
One thing you may want to tie in to your explanation is the effect of having USB Debugging enabled - it's easy to gain root (and subsequently unlock your bootloader) with it enabled, even with a locked bootloader.
Sent from my Galaxy Nexus using Tapatalk 2
Added some information regarding USB debugging. Thanks for the tip efrant.
Good read:good:
Do you have to be on stock rom to lock the bootloader ?
Oscuras said:
Do you have to be on stock rom to lock the bootloader ?
Click to expand...
Click to collapse
Nope.
Sent from my Galaxy Nexus using Tapatalk 2
Thanks for this :good:
Trying to wrap my head around this with regards to anti theft protection etc.
Currently have an unlocked bootloader, custom rom, and root. If I have something like Cerberus or Avast running (both claim to work as system apps so will not be deleted via hard reset), have debugging unchecked and a pin lock at screen on - if I lock bootloader now, how secure am I to data theft?
Presumably, with debug disabled, fastboot from pc command prompt to unlock bootloader will not work? Can ODIN be used to flash a new ROM and if so my system apps (and thus the security apps) will be wiped, rendering the whole thing useless?
Thanks
Guiding.God said:
Thanks for this :good:
Trying to wrap my head around this with regards to anti theft protection etc.
Currently have an unlocked bootloader, custom rom, and root. If I have something like Cerberus or Avast running (both claim to work as system apps so will not be deleted via hard reset), have debugging unchecked and a pin lock at screen on - if I lock bootloader now, how secure am I to data theft?
Presumably, with debug disabled, fastboot from pc command prompt to unlock bootloader will not work? Can ODIN be used to flash a new ROM and if so my system apps (and thus the security apps) will be wiped, rendering the whole thing useless?
Thanks
Click to expand...
Click to collapse
If you have the stock recovery (custom will allow adb), your personal data is as secure as it can be. Of course, you cannot stop anybody from booting into your bootloader and run fastboot oem unlock OR use Odin to flash your device. However, doing so will effectively wipe your device so your personal data cannot be accessed.
I would more worry about my phone then data because I have nothing important on it...
Sent from my Galaxy Nexus using xda premium
Petrovski80 said:
If you have the stock recovery (custom will allow adb), your personal data is as secure as it can be. Of course, you cannot stop anybody from booting into your bootloader and run fastboot oem unlock OR use Odin to flash your device. However, doing so will effectively wipe your device so your personal data cannot be accessed.
Click to expand...
Click to collapse
qtwrk said:
I would more worry about my phone then data because I have nothing important on it...
Sent from my Galaxy Nexus using xda premium
Click to expand...
Click to collapse
Thanks for the clarification.
And I worry more about the work related data, the phone itself is insured
This is important info, and a lot of folks probably don't realize how open they are. This should be stickied or better yet included in the stickied thread where the bootloader unlock instructions are. Thanks for the post.
Great info. One question, I use Titanium Backup automated nightly to backup data and new apps, and it requires USB Debugging on.
I suppose I could use Secure Settings to turn USB Debugging on and off, but that means an opening is available once a day for a few minutes. Thoughts?
Pkt_Lnt said:
Great info. One question, I use Titanium Backup automated nightly to backup data and new apps, and it requires USB Debugging on.
I suppose I could use Secure Settings to turn USB Debugging on and off, but that means an opening is available once a day for a few minutes. Thoughts?
Click to expand...
Click to collapse
You could do as I do: use secure settings in combination with tasker so USB debugging will only be enabled when connected to your home Wifi. It will allow your nightly TiB backups, and I assume the 'ADB opening' is not an issue when at home (not many thieves there I hope).
Petrovski80 said:
You could do as I do: use secure settings in combination with tasker so USB debugging will only be enabled when connected to your home Wifi. It will allow your nightly TiB backups, and I assume the 'ADB opening' is not an issue when at home (not many thieves there I hope).
Click to expand...
Click to collapse
I downloaded Secure Settings to check it, and it will work. I have AutomateIT Pro and it does not support plug-ins. I have been finding more tasks that it seems only Tasker can perform, I guess it is time to get it. Thank you.
Petrovski80 said:
You could do as I do: use secure settings in combination with tasker so USB debugging will only be enabled when connected to your home Wifi. It will allow your nightly TiB backups, and I assume the 'ADB opening' is not an issue when at home (not many thieves there I hope).
Click to expand...
Click to collapse
Great idea.
Petrovski80 said:
You could do as I do: use secure settings in combination with tasker so USB debugging will only be enabled when connected to your home Wifi. It will allow your nightly TiB backups, and I assume the 'ADB opening' is not an issue when at home (not many thieves there I hope).
Click to expand...
Click to collapse
A Jasager router could exploit this if you have WiFi enabled in public. When WiFi is enabled and not connected to a network, every 'x' period of time (depending upon your wifi.supplicant_scan_interval setting in your build.prop) your phone will send out a packet saying "hey, is xyz network around?". It will do that for every network that you have saved settings for.
Under normal circumstances, you get no reply when away from your home router and the phone just waits the interval to try again. A Jasager ("yes man" in German) router waits for a device to send out those packets and simply responds "yep, that's me!". Under this circumstance, your phone would authenticate to their router and think it's on your home network, triggering any applicable Tasker options.
This is one of the reasons that I do not have WiFi enabled unless I actively want to be connected to a router in the area.
Also, I have USB Debugging disabled and my TiBu backups run perfectly fine according to schedule.
I am not a paranoid worry wart so the risk are more than worth it for me. There's nothing on here that I would care if some one got a hold of anyway.
Sent from my Galaxy Nexus using xda premium
Cilraaz said:
A Jasager router could exploit this if you have WiFi enabled in public. When WiFi is enabled and not connected to a network, every 'x' period of time (depending upon your wifi.supplicant_scan_interval setting in your build.prop) your phone will send out a packet saying "hey, is xyz network around?". It will do that for every network that you have saved settings for.
Under normal circumstances, you get no reply when away from your home router and the phone just waits the interval to try again. A Jasager ("yes man" in German) router waits for a device to send out those packets and simply responds "yep, that's me!". Under this circumstance, your phone would authenticate to their router and think it's on your home network, triggering any applicable Tasker options.
This is one of the reasons that I do not have WiFi enabled unless I actively want to be connected to a router in the area.
Also, I have USB Debugging disabled and my TiBu backups run perfectly fine according to schedule.
Click to expand...
Click to collapse
Maybe. Tasker checks both the SSID and the MAC address of my router before it returns 'wifi connected' as true and enables USB debugging. Sure, MAC addresses are easy to spoof, but I don't think the MAC address is part of the broadcast packet (I haven't checked) because that's simply a value stored by Tasker itself.
And even if it is, the combination of a lost/stolen GNEX and a thief who modded their router with jasager firmware + knows ADB is too unlikely for me to worry about it. But indeed, for maximum security it's best not to automate enabling of USB debugging.
Petrovski80 said:
Maybe. Tasker checks both the SSID and the MAC address of my router before it returns 'wifi connected' as true and enables USB debugging. Sure, MAC addresses are easy to spoof, but I don't think the MAC address is part of the broadcast packet (I haven't checked) because that's simply a value stored by Tasker itself.
And even if it is, the combination of a lost/stolen GNEX and a thief who modded their router with jasager firmware + knows ADB is too unlikely for me to worry about it. But indeed, for maximum security it's best not to automate enabling of USB debugging.
Click to expand...
Click to collapse
The MAC check would almost certainly keep you safe.
It's interesting stumbling across this thread after having just seen a podcast episode about Android hacking. If anyone is interested, check out Hak5. One of their recent episodes is about Android hacking via ADB, specifically something called P2PADB that was created for quick device-to-device ADB access. It was fairly amazing the things this person could do to a phone that has USB Debugging enabled.
Cilraaz said:
The MAC check would almost certainly keep you safe.
It's interesting stumbling across this thread after having just seen a podcast episode about Android hacking. If anyone is interested, check out Hak5. One of their recent episodes is about Android hacking via ADB, specifically something called P2PADB that was created for quick device-to-device ADB access. It was fairly amazing the things this person could do to a phone that has USB Debugging enabled.
Click to expand...
Click to collapse
Watching the video right now. Personally, I find it a gaping security hole that the ADB interface is accessible through a locked lockscreen.
For anyone interested in the vid: the ADB part starts at 7:00.
Edit: amazing video. It really proves what a knowledgeable thief can do when you have USB debugging enabled, especially when combined with root access (don't we all?). I'm going to add the video to my post. Thanks for the info Cilraaz!
With Samsung devices, turning on device encryption force you to use 6 characters password (alphanumeric), which is troublesome if you use your phone often.
What I found out is that after I set such password, complete the device encryption and go back to the Lock Screen setting, I can change the password to 4 digits.
Going back to encryption setting, it said I can now encrypt the device, but must use 6 characters password. But isn't my phone already encrypted? AFAIK, there is no turning off encryption once it's done.
So at this point, is my phone encrypted or not?
lanwarrior said:
With Samsung devices, turning on device encryption force you to use 6 characters password (alphanumeric), which is troublesome if you use your phone often.
What I found out is that after I set such password, complete the device encryption and go back to the Lock Screen setting, I can change the password to 4 digits.
Going back to encryption setting, it said I can now encrypt the device, but must use 6 characters password. But isn't my phone already encrypted? AFAIK, there is no turning off encryption once it's done.
So at this point, is my phone encrypted or not?
Click to expand...
Click to collapse
The phone is encrypted but like you said you cannot permanently decrypt the phone once the process is completed.
DConrad2010 said:
The phone is encrypted but like you said you cannot permanently decrypt the phone once the process is completed.
Click to expand...
Click to collapse
Thanks for the info.
I am curious why initially the device requires alphanumeric passwords (which I created), but once encryption is done, I can go back to the "Lock Screen" and change it to just numeric password. I believe this will NOT remove encryption, but for confirmation, want to check if the encryption is still there.
lanwarrior said:
Thanks for the info.
I am curious why initially the device requires alphanumeric passwords (which I created), but once encryption is done, I can go back to the "Lock Screen" and change it to just numeric password. I believe this will NOT remove encryption, but for confirmation, want to check if the encryption is still there.
Click to expand...
Click to collapse
I had to un-encrypt my phone by unrooting via Oden. Once i Odened then you have to do a factory reset and you are un-encrypted for good.
Hey guys,
I have always had my op3 encrypted and I've become used to always entering the pin when booting up, accessing twrp etc. but today when I rebooted into twrp I didn't have to enter any pin to use twrp. When booting up the system I didn't have to enter a pin either.
When I check the settings under Security & Fingerprint it looks as in the attached screenshot, I don't have any options to decrypt or anything either
I'm running OOS 4.1.3, FrancoKernel #23 , Magisk 12, twrp-3.1.0-x_blu_spark_v27.
Is this something that anyone has experienced and know how to fix?
I want to keep my encryption but then, of course, you should have to use the pin.
Cheers!
Then the pin is defaulted and thus you don't need any. I don't need one, too and never did, but all is encrypted (Even locked down with a pin on bootup and fingerprint otherwise)
I believe this is an option you need to setup during the wizard when you initially set up the device. It asks you whether you want to require a pin on startup or not.
But, you can also turn this on by going to settings>security>screen lock.
From there, you click on the area where it says PIN. Confirm your pin, then click PIN again, and there should be an option to require pin for startup. Other than that, you are still encrypted, but it is all bypassed in order for quicker startup.
Sent from my ONEPLUS 3 using Tapatalk
noobtoob said:
I believe this is an option you need to setup during the wizard when you initially set up the device. It asks you whether you want to require a pin on startup or not.
But, you can also turn this on by going to settings>security>screen lock.
From there, you click on the area where it says PIN. Confirm your pin, then click PIN again, and there should be an option to require pin for startup. Other than that, you are still encrypted, but it is all bypassed in order for quicker startup.
Sent from my ONEPLUS 3 using Tapatalk
Click to expand...
Click to collapse
Ah that was it! it had somehow disabled itself, simply going in and enabling "require pin to start device" solved it.
Thanks!
Try removing the lock screen password and setting it up again and it will be back again in twrp.?
So I have got kind of a strange buggy problem. I have an LG G4 with Android 6.0. I recently encrypted my phone with the standard Android encryption method. I used a six character password for this. After about a month my phone prompted that I had to change my password because it had expired. I must change the password in order to gain entry to the phone. So, I click 'change password', type in my old password, click continue and then it returns me to the lock screen?! Locked! It never actually lets me change my password. So I'm kinda stuck.
I tried using software like dr.fone to gain entry to at least save my files, but my phones default pc connection setting is charging and since I can't gain entry, I can't set it to MTP sharing. So I can't even gain entry through my PC.
Is this a known bug? I couldn't find anything on the internet about this. Anybody have any idea? I know I can just factory reset, but I really want to try saving my files. There's some pretty important stuff on my phone.
Thanks in advance,
Greetings,
Luca
lucade2210 said:
So I have got kind of a strange buggy problem. I have an LG G4 with Android 6.0. I recently encrypted my phone with the standard Android encryption method. I used a six character password for this. After about a month my phone prompted that I had to change my password because it had expired. I must change the password in order to gain entry to the phone. So, I click 'change password', type in my old password, click continue and then it returns me to the lock screen?! Locked! It never actually lets me change my password. So I'm kinda stuck.
I tried using software like dr.fone to gain entry to at least save my files, but my phones default pc connection setting is charging and since I can't gain entry, I can't set it to MTP sharing. So I can't even gain entry through my PC.
Is this a known bug? I couldn't find anything on the internet about this. Anybody have any idea? I know I can just factory reset, but I really want to try saving my files. There's some pretty important stuff on my phone.
Thanks in advance,
Greetings,
Luca
Click to expand...
Click to collapse
Bootloader is locked I assume.
So your phone will not let you log in until you change the password but will not let you change the password
How does it affect device encryption by enabling or disabling the 'Encrypt using lock screen password' option (in privacy settings)? What is opposite? What password is used for encryption if this turned off?
If this is enabled, then a password is required before running the android.
But when this option was not turned on, the menu showed "encrypted" anyway and the Terminal (termux), after entering 'getprop ro.crypto.state' and 'getprop ro.crypto.type' I received the message 'encrypted' and 'block'. So, the device was encrypt anyway (at least in theory).
The question is what changes the inclusion of this option and is it really worth?
wholegrain said:
... The question is what changes the inclusion of this option and is it really worth?
Click to expand...
Click to collapse
The result will be that Android (and TWRP) will not start until you enter the lockscreen password. If you don't reboot your phone very often, then you may be able to live with the hassle (bootup will be much slower). And you'd better not forget the lockscreen password. But if the bootloader is unlocked, and/or TWRP is installed, nothing stops anyone from formatting the data partition and using the phone for their own purposes.
Does it give you any extra protection over standard encryption + fingerprint or lockscreen password? If your bootloader is locked, then maybe. Is it worth it? That is a matter of opinion - but I personally wouldn't bother with it. The greatest security risk lies in unlocking the bootloader. Once you unlock it, the phone itself is easy to commandeer, even if your data is safe because of encryption.
DarthJabba9 said:
But if the bootloader is unlocked, and/or TWRP is installed, nothing stops anyone from formatting the data partition and using the phone for their own purposes.
Click to expand...
Click to collapse
You mean 'using for their own purposes' with my data or after wiped? Anyway, I enabled this additional authentication. I don't have unlocked bootloader or TWRP. If the phone is turned off, then stranger can wipe (by holding power + volume up) and use it as its own.
I'm interested in what the difference in access to my data by a stranger is when the option is enabled or disabled. When enabled - I understand that when the bootloader is locked and there is no TWRP, the stranger can't access the device's data. When disabled - data supposedly encrypted, but is not the "default" password recoverable too easily?
wholegrain said:
You mean 'using for their own purposes' with my data or after wiped?....
Click to expand...
Click to collapse
Your data cannot exist after the data partition has been formatted. If your bootloader is locked, then you don't need to worry too much - just don't forget your lockscreen password.
As for standard encryption with default password, this enables TWRP to access the encrypted storage without asking for a password. This is what a lot of people expect (and demand). Some people who are very concerned about data security often prefer to have to enter a password, even to start TWRP. It is all down to individual taste.