How can I secure my phone/data after installing a custom rom? - Xiaomi Mi A2 Lite Questions & Answers

Hello,
So the title said it all... How can I secure my data after installing a custom ROM (e.g. after unlocking the bootloader and rooting the phone)? When I installed my extendedui ROM (really great ROM by the way) I had to disable enforcing encryption; does that mean that my data is not encrypted by Android right now?
Any suggestions, information, or explanations would be appreciated.
Have a nice day

Don't expect securing your phone if you've unlocked your bootloader, rooted your phone and installed a custom ROM.
Unlocked bootloader means if you lose the device, someone can just flash it and use it as their own or they can reach all your data on the phone as it is unencrypted.
Rooted software means some apps might do shady stuff in the background, if you accidentally allow them.
Custom ROM means you have to trust the dev of the ROM, no one can guarantee the security of your device, which is CLEARLY stated on the thread of every ROM.
So, if you want security, encryption etc. you need stock firmware on the latest update and a locked bootloader. That way, at least if something happens, Xiaomi or Google could be held accountable.

marstonpear said:
Don't expect securing your phone if you've unlocked your bootloader, rooted your phone and installed a custom ROM.
Unlocked bootloader means if you lose the device, someone can just flash it and use it as their own or they can reach all your data on the phone as it is unencrypted.
Rooted software means some apps might do shady stuff in the background, if you accidentally allow them.
Custom ROM means you have to trust the dev of the ROM, no one can guarantee the security of your device, which is CLEARLY stated on the thread of every ROM.
So, if you want security, encryption etc. you need stock firmware on the latest update and a locked bootloader. That way, at least if something happens, Xiaomi or Google could be held accountable.
Thanks for your answer. Is there any trick/manoeuvre I can do to encrypt my data at least?

marstonpear said:
Don't expect securing your phone if you've unlocked your bootloader, rooted your phone and installed a custom ROM.
Unlocked bootloader means if you lose the device, someone can just flash it and use it as their own or they can reach all your data on the phone as it is unencrypted.
Rooted software means some apps might do shady stuff in the background, if you accidentally allow them.
Custom ROM means you have to trust the dev of the ROM, no one can guarantee the security of your device, which is CLEARLY stated on the thread of every ROM.
So, if you want security, encryption etc. you need stock firmware on the latest update and a locked bootloader. That way, at least if something happens, Xiaomi or Google could be held accountable.
The fragment about encryption is incorrect, your data can be and IS encrypted if you choose to, on any custom ROM that supports encryption.
The truth is, you need to trust developers responsible for the code.
For that reason, with your personal sensitive data it is only reasonable to trust big projects, like official LineageOS builds.

general.nie7 said:
The fragment about encryption is incorrect, your data can be and IS encrypted if you choose to, on any custom ROM that supports encryption.
The truth is, you need to trust developers responsible for the code.
For that reason, with your personal sensitive data it is only reasonable to trust big projects, like official LineageOS builds.
Oops, my bad. Encryption is possible on custom ROMs but if someone stole your device, I believe it won't be to steal your data but rather to format and sell/use the device; with an unlocked bootloader that is quite easy to do. I also agree with the big projects part, but still, if anything happens to your device, you won't be able to hold anyone responsible for it. Cheers.
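
As an added example (not part of the thread or any poster's code), this shell script checks a saved `adb shell getprop` dump for the states discussed in these threads: userdata encryption, bootloader lock, verified boot and dm-verity. The property names are standard Android properties, but which of them a given device or ROM exposes is an assumption, and the sample dump is constructed.

```shell
#!/bin/sh
# Added example: audit a saved `adb shell getprop` dump for the settings
# discussed in this thread. SAMPLE_GETPROP is constructed, not from a real device.
SAMPLE_GETPROP='[ro.boot.flash.locked]: [0]
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.veritymode]: [disabled]
[ro.crypto.state]: [unencrypted]'

# prop_value DUMP NAME: print the value of property NAME, or "unknown".
prop_value() {
    printf '%s\n' "$1" | tr -d '\r' | awk -v name="$2" '
        BEGIN { prefix = "[" name "]: ["; val = "unknown" }
        !seen && index($0, prefix) == 1 {
            val = substr($0, length(prefix) + 1)
            sub(/\]$/, "", val)
            seen = 1
        }
        END { print val }'
}

# audit_device DUMP: print one WARN line per weak setting, then "findings=N".
audit_device() {
    findings=0
    crypto=$(prop_value "$1" ro.crypto.state)
    locked=$(prop_value "$1" ro.boot.flash.locked)
    vboot=$(prop_value "$1" ro.boot.verifiedbootstate)
    verity=$(prop_value "$1" ro.boot.veritymode)

    if [ "$crypto" != encrypted ]; then
        echo "WARN userdata is not encrypted (ro.crypto.state=$crypto)"
        findings=$((findings + 1))
    fi
    if [ "$locked" != 1 ]; then
        echo "WARN bootloader is not reported locked (ro.boot.flash.locked=$locked)"
        findings=$((findings + 1))
    fi
    # green = locked with OEM key, yellow = locked with user key,
    # orange = unlocked, red = verification failed.
    case "$vboot" in
        green|yellow) ;;
        *) echo "WARN verified boot state is $vboot"; findings=$((findings + 1)) ;;
    esac
    if [ "$verity" != enforcing ]; then
        echo "WARN dm-verity is not enforcing (ro.boot.veritymode=$verity)"
        findings=$((findings + 1))
    fi
    echo "findings=$findings"
}

audit_device "$SAMPLE_GETPROP"
```

On a device, save the output with `adb shell getprop > props.txt` and call `audit_device "$(cat props.txt)"`.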

Related

[Q] Any reason to (re)lock the bootloader on an S-off device?

Other than warranty issues, and possibly redeeming your Google Drive space, are there any practical ramifications to simply leaving the bootloader unlocked (or, conversely, locked?) on an S-off device? I'm inclined to leave it bootloader unlocked unless I have a warranty issue, as it seems the safest way to make sure I'm never locked out, but I'm curious to know if there are any reasons to lock it from a security perspective.
I say that because right now when I lose root due to an OTA, I just boot (but not install) philz touch recovery to re-root, which I am assuming is allowed because I am s-off. (because otherwise root would be trivial). It seems that as long as I can do that, the bootloader lock/unlock state is somewhat pointless.
You are allowed to flash custom ROMs because you have installed a custom recovery, which was allowed because you unlocked your bootloader. I would leave the bootloader unlocked until a relock is required (if it even comes to that). As far as I know, that poses no threat as long as you know what you're flashing on your device. Anyone with more experience with this may correct me, as I am quite new to the HTC world.
MrKhozam said:
You are allowed to flash custom ROMs because you have installed a custom recovery, which was allowed because you unlocked your bootloader. I would leave the bootloader unlocked until a relock is required (if it even comes to that). As far as I know, that poses no threat as long as you know what you're flashing on your device. Anyone with more experience with this may correct me, as I am quite new to the HTC world.
I actually only had TWRP installed briefly to "restore" the Dev Edition nandroid (and by briefly, I mean I booted it once). As soon as the Dev Edition ROM was up, I reverted to the stock DE recovery. Since then, I just "boot" Philz CWM to re-root (since TWRP fails when booted on 4.4.3 for some reason.)

Couple of questions

So I received my new N5X yesterday and loving it. Typically I root Nexus' right out of the box but this time I decided to give it a shot in stock form. Now I'm looking to unlock the bootloader and root but I have a few questions.
Android Pay - will unlocking my bootloader and rooting the stock ROM break Android Pay?
Encryption - will unlocking my bootloader and rooting the stock ROM prevent me from staying encrypted?
I love the stock ROM but would like to add an ad-blocker, snapprefs (for snapchat), among a couple others.
All help is appreciated!
I don't use Android pay so I can't help you with that.
You only need to take care if you want to keep the phone unencrypted.
Encrypted mode is the default anyway so you won't have any problems keeping it encrypted.
You may have some trouble keeping your encrypted data partition when installing a custom ROM though.
peltus said:
You only need to take care if you want to keep the phone unencrypted.
Encrypted mode is the default anyway so you won't have any problems keeping it encrypted.
You may have some trouble keeping your encrypted data partition when installing a custom ROM though.
Ah - perfect! No plans for a custom ROM so no worries there.
Anyone have experience with a rooted, stock ROM and Android Pay?
In the following topic they are talking about an Xposed app called 'no device check'.
Maybe something to get you started in looking into Android pay:
http://forum.xda-developers.com/nexus-5x/general/marshmallow-xposed-t3249145/page2

Relock the bootloader or not?

I've successfully flashed my first ROM. My purpose in doing so was to get the monthly Android security updates, and more broadly have my phone as secure as practical. In that vein, can I safely relock the bootloader? Should I? I am aware that many (most?) people here choose to keep the bootloader unlocked, and I respect that choice, but I'm seeking maximum security.
Searching here at XDA I see conflicting guidance. Some folks say that re-locking the bootloader with a custom ROM installed is begging to be bricked, while others say they have re-locked with no trouble. So what is your advice, why is that your opinion, and do you speak from experience?
I have not rooted the phone, nor do I plan to. I'm running AICP 8.1 on Nextbit Robin and don't plan to make any changes other than receive OTA updates. Should I make future changes beyond that I would not be bothered by the very minor inconvenience of having to unlock then relock it.
I too want to simply flash the stock recovery and lock my bootloader, but from what I've read, to update the ROMs we need an unlocked bootloader. So if that needs to be unlocked again, does that mean every time I lock-unlock I will be wiping my data all over? That would be a pain.
So this is an experiment I have wanted to run for quite a long time and might do sometime next month. I will be wiping-unlocking-flashing-locking and then see if I can unlock again without wiping my data and lock again; this way I can know for sure if this is doable, because most online answers are weirdly confusing.
javelinanddart found that locking the bootloader on the Robin results in similar behavior as on the Nexus devices. The phone will check and make sure that the key used to sign the recovery partition remains the same as it was when your device got relocked, so as a result, TWRP should still work, and updating to a new version of TWRP would work too since it's (presumably) signed with the same key. System partition checking is handled by the kernel itself (dm-verity), but all the custom roms for the Robin have that disabled, so that wouldn't be a problem.
I've also been running custom roms with my bootloader locked and haven't run into any issues with flashing roms with TWRP.
I will be honest though, since TWRP lets you do so much to your phone, relocking your bootloader wouldn't really help security wise. You can pull up a damn root shell right in TWRP, for crying out loud.
@jabashque
Wait, so are you saying that despite locking the bootloader I can still go into custom recovery? What's the point then?
I mean, for me the reason I am considering locking the bootloader is so that if I lose my phone no one can access my data. As of now, with a custom ROM, anyone has free access to my data via TWRP/custom recovery.
/root said:
@jabashque
Wait, so are you saying that despite locking the bootloader I can still go into custom recovery? What's the point then?
I mean, for me the reason I am considering locking the bootloader is so that if I lose my phone no one can access my data. As of now, with a custom ROM, anyone has free access to my data via TWRP/custom recovery.
I suppose you could flash Lineage recovery instead, which was designed to be an OEM-grade recovery and doesn't include the ability to pull up a root shell or use adb.
Grab that here: http://downloads.codefi.re/jdcteam/javelinanddart/ether/ether-lineage-recovery-20180310_170949.img
Personally, I locked my bootloader so that I could actually see my custom splash screen without having to press the power button to dismiss the warning message.
EDIT: the build of Lineage recovery I linked still has adb shell access enabled it seems; I was wrong on that. Also, I haven't tried flashing another rom's system partition that's been signed with different keys.
jabashque said:
I suppose you could flash Lineage recovery instead, which was designed to be an OEM-grade recovery and doesn't include the ability to pull up a root shell or use adb.
Grab that here: http://downloads.codefi.re/jdcteam/javelinanddart/ether/ether-lineage-recovery-20180310_170949.img
Personally, I locked my bootloader so that I could actually see my custom splash screen without having to press the power button to dismiss the warning message.
So for an OTA update do I have to wipe all data to unlock again? I am on Omni btw.
I only unlock my bootloader to flash a cool splash screen then relock it. Even if the bootloader is locked I can still flash custom ROMs using ADB sideload. Works like a charm every time. I'm running the AEX custom ROM with Android 8.1.0
akeemk said:
I only unlock my bootloader to flash a cool splash screen then relock it. Even if the bootloader is locked I can still flash custom ROMs using ADB sideload. Works like a charm every time. I'm running the AEX custom ROM with Android 8.1.0
But you are still locking it while on TWRP, aren't you? Which means anyone has access to a shell via TWRP, which defeats the purpose of the security provided by a locked bootloader, doesn't it?
/root said:
But you are still locking it while on TWRP, aren't you? Which means anyone has access to a shell via TWRP, which defeats the purpose of the security provided by a locked bootloader, doesn't it?
I guess that's why Nextbit never had a problem with us unlocking the phone's bootloader.

Modifying G988u from verizon

Can I modify my G988U from Verizon in any way? And if so, how? I'm new to this kind of stuff. I know I should probably leave Verizon.
You might be able to disable some packages with ADB, but beyond that, if your phone has been receiving OTA updates, it's likely hopeless. Substantial customization requires root, and that is precluded by locked bootloaders. There are paid services that can unlock bootloaders in S20s with older software, but my understanding is this isn't an option for devices with newer software.
I actually just switched to Verizon, entirely motivated by AT&T's hostility towards most unlocked devices (that they don't sell). So, if you leave, who are you going to go to? T-Mobile is the most permissive of the big 3, but tends to lag in infrastructure.
Right, didn't even look into that. Probably going to stay with Verizon now that ya said that lol. Just curious, what do people get out of rooting their phone? I want to learn how and don't know where to start.
CainD5 said:
Right, didn't even look into that. Probably going to stay with Verizon now that ya said that lol. Just curious, what do people get out of rooting their phone? I want to learn how and don't know where to start.
A lot. Android phones have come a long way in the past decade and change that they have been available, but root access, which is typically associated with at least an unlocked bootloader and possibly also a custom ROM, remains the single most powerful customization tool. A short non-exhaustive list of what you can do:
Use Magisk (See Magisk Module Repo for ideas of capabilities).
Use EdXposed or LSPosed (See Xposed Module Repo for ideas of capabilities).
Install a custom kernel (natively mount CIFS/NFS filesystems, overclock your device, and all sorts of other options).
Permanently debloat your ROM (survives hard reset).
Enjoy the best ad blocking experience.
View/backup/edit private application data.
There are also downsides to root, such as tripping the warranty void bit (and disabling Knox-related functionality like Samsung Pay), likely losing filesystem encryption, and greatly increasing your odds of a malware infestation. That said, the XDA site is largely powered by the modding/root access community, so those risks aren't discussed much.

Trying to follow the guide of rooting my Moto One Action

So I have successfully unlocked my motorola by following the official guide but am stuck on the next step because I don't know what I'm supposed to download next. I installed magisk from the official github onto my phone but that's about it. Thanks in advance for any help.
Which rom are you using?
So all I have done so far is unlock my bootloader; do I need to download a ROM next? I'm very inexperienced on this subject and saw a video of the different cool customizations you can do with a rooted phone.
So, there are two different things.
1. rooting gives you access to system files, so they can be modified/erased etc.
2. a custom ROM doesn't necessarily give you root access, but it can give you cool customizations built-in, or a newer version of Android, for example.
Personally I'm not a big fan of rooting in general. Because that comes with a couple of caveats. One being that your banking apps won't work anymore, unless you fiddle with magisk stuff to make it show like the device is not rooted, and stuff like that. I don't need root, so I don't generally need Magisk either.
But if you want to try a cool ROM for this phone, and you like stock Android, you could try the Pixel Experience ROM. The only thing that doesn't work (and I don't know how to fix right now), is VoLTE and VoWIFI. But it might work for you.
LineageOS works for VoLTE (with IMS APN added by the user), but still doesn't work for VoWIFI. It could be that it requires a few specific files to be flashed from the stock ROM. I don't know. So far I couldn't get it to work.
So, next step would be either staying on stock ROM, and fiddling with Magisk (but keep in mind some DRM apps won't work, some payment stuff won't work and so on so forth), ooor go flash a custom ROM (such as Pixel Experience), and enjoy it the way it is.
The choice is yours.
One piece of advice I have: don't relock the bootloader unless the option in Developer Options > OEM Unlocking is ON. Doesn't matter if it's greyed out or not. But it needs to be ON.
Why? Because, if something happens and you can't boot because you locked your bootloader on a custom ROM for example (which you should never do, by the way), you won't be able to unlock it again, so you can fix your boot, if that option is OFF. So be very careful with that.
When that option is ON, it means bootloader is allowed to be unlocked (it's unlockable). When it's OFF, it's not. If it's not unlockable, you can't unlock it, so you can't flash anything. Which is really bad if you need to fix something and the only way is flashing.
Ok, I took some time to reflect based on what you said. I really do value being able to use banking apps so I guess I will try to fiddle with Magisk stuff after I root my device. Speaking of which, I was following this guide and I went through the procedure twice, but for some reason after I ran the Root Checker Plus app from the Play Store it says that root was not properly installed. Not sure what part of the process I did wrong but I await any feedback.
Technically, all you need is Magisk installed. That will also give you root access. You don't need anything else.
But maybe flashing was not done right? I don't know. Do you get an error? If so, it would be good to know which error.
