While unlocking the bootloader on a Galaxy Nexus unleashes the full potential of the bootloader, it also poses a security risk. Even with your lockscreen protected with a pattern/PIN/password, not having flashed a custom recovery, having an anti-theft app installed (maybe even converted/installed as a system app) your phone's data is easily accessible for a knowledgeable thief.
All the thief needs to do is reboot into the bootloader and boot or flash a custom recovery such as ClockWorkMod or TWRP. It's then possible to boot into recovery and use ADB commands to gain access to the phone's data on the internal memory (unless you have it encrypted) and copy/remove files at will.
Granted, the risk seems low. The thief would not only require knowledge of fastboot, he would have to turn off the phone before you have issued a wipe command using an anti-theft app. You could of course flash back the stock recovery & relock the bootloader after being done with flashing stuff, but that would require you to unlock it again if needed which will erase your userdata.
There are two ways to tackle this security risk AND retain unlocked bootloader functionality without losing userdata.
1) Encrypt your phone using Android's built-in encryption feature
Advantages:
- you can leave your bootloader unlocked & leave a custom recovery installed without risk of exposing your data.
Disadvantages:
- unless the custom recovery can decrypt your phone, you cannot use all of its features.
- when decryption fails, you cannot access your phone and need to do a factory reset from recovery. Users have reported not being able to decrypt after applying OTA updates.
- the encryption process is irreversible. The only way to return to an unencrypted phone is to perform a factory data reset which erases all your data.
2) Unlock & relock the bootloader from Android OS
Prerequisites:
- root access
- an app that can unlock/relock the bootloader at will such as BootUnlocker
Steps
Root your device using one of the many guides out there (recommended guide). Install BootUnlocker. Reflash stock recovery and lock the bootloader. Whenever you need an unlocked bootloader again, simply use Bootlocker to unlock it (this won't wipe userdata). When done, relock.
Advantages:
- doesn't require encryption (for those who do not wish to use it).
Disadvantages:
- relies on third-party apps.
- method will not work if you lose root access for whatever reason.
- method will not work when you cannot boot into Android for whatever reason.
USB debugging
Strictly not related to the bootloader, but for maximum security disable USB debugging when not required. Having it enabled allows the execution of ADB commands even if the lockscreen is still locked. Myself, I use Tasker in combination with Secure Settings to automatically enable USB debugging when my device is connected to my home WiFi access point but disabled if not connected.
The following video demonstrates what a knowledgeable thief can do with your phone when you have USB debugging enabled by default: http://www.youtube.com/watch?v=ah7DWawLax8&t=7m0s
More info: recently, an exploit has been discovered that will enable gaining root without going through the 'traditional' process of unlocking the bootloader & flashing a custom recovery in order to flash Superuser or SuperSU packages. See this post for a guide.
Play store devices
Devices bought directly from Google's Play Store apparently do NOT wipe userdata after fastboot oem unlock. So for these devices, method number 2 does not add any security. For more info, read this thread: http://forum.xda-developers.com/showthread.php?t=1650830
Very well written!!
One thing you may want to tie in to your explanation is the effect of having USB Debugging enabled - it's easy to gain root (and subsequently unlock your bootloader) with it enabled, even with a locked bootloader.
Sent from my Galaxy Nexus using Tapatalk 2
Added some information regarding USB debugging. Thanks for the tip efrant.
Good read:good:
Do you have to be on stock rom to lock the bootloader ?
Oscuras said:
Do you have to be on stock rom to lock the bootloader ?
Click to expand...
Click to collapse
Nope.
Sent from my Galaxy Nexus using Tapatalk 2
Thanks for this :good:
Trying to wrap my head around this with regards to anti theft protection etc.
Currently have an unlocked bootloader, custom rom, and root. If I have something like Cerberus or Avast running (both claim to work as system apps so will not be deleted via hard reset), have debugging unchecked and a pin lock at screen on - if I lock bootloader now, how secure am I to data theft?
Presumably, with debug disabled, fastboot from pc command prompt to unlock bootloader will not work? Can ODIN be used to flash a new ROM and if so my system apps (and thus the security apps) will be wiped, rendering the whole thing useless?
Thanks
Guiding.God said:
Thanks for this :good:
Trying to wrap my head around this with regards to anti theft protection etc.
Currently have an unlocked bootloader, custom rom, and root. If I have something like Cerberus or Avast running (both claim to work as system apps so will not be deleted via hard reset), have debugging unchecked and a pin lock at screen on - if I lock bootloader now, how secure am I to data theft?
Presumably, with debug disabled, fastboot from pc command prompt to unlock bootloader will not work? Can ODIN be used to flash a new ROM and if so my system apps (and thus the security apps) will be wiped, rendering the whole thing useless?
Thanks
Click to expand...
Click to collapse
If you have the stock recovery (custom will allow adb), your personal data is as secure as it can be. Of course, you cannot stop anybody from booting into your bootloader and run fastboot oem unlock OR use Odin to flash your device. However, doing so will effectively wipe your device so your personal data cannot be accessed.
I would more worry about my phone then data because I have nothing important on it...
Sent from my Galaxy Nexus using xda premium
Petrovski80 said:
If you have the stock recovery (custom will allow adb), your personal data is as secure as it can be. Of course, you cannot stop anybody from booting into your bootloader and run fastboot oem unlock OR use Odin to flash your device. However, doing so will effectively wipe your device so your personal data cannot be accessed.
Click to expand...
Click to collapse
qtwrk said:
I would more worry about my phone then data because I have nothing important on it...
Sent from my Galaxy Nexus using xda premium
Click to expand...
Click to collapse
Thanks for the clarification.
And I worry more about the work related data, the phone itself is insured
This is important info, and a lot of folks probably don't realize how open they are. This should be stickied or better yet included in the stickied thread where the bootloader unlock instructions are. Thanks for the post.
Great info. One question, I use Titanium Backup automated nightly to backup data and new apps, and it requires USB Debugging on.
I suppose I could use Secure Settings to turn USB Debugging on and off, but that means an opening is available once a day for a few minutes. Thoughts?
Pkt_Lnt said:
Great info. One question, I use Titanium Backup automated nightly to backup data and new apps, and it requires USB Debugging on.
I suppose I could use Secure Settings to turn USB Debugging on and off, but that means an opening is available once a day for a few minutes. Thoughts?
Click to expand...
Click to collapse
You could do as I do: use secure settings in combination with tasker so USB debugging will only be enabled when connected to your home Wifi. It will allow your nightly TiB backups, and I assume the 'ADB opening' is not an issue when at home (not many thieves there I hope).
Petrovski80 said:
You could do as I do: use secure settings in combination with tasker so USB debugging will only be enabled when connected to your home Wifi. It will allow your nightly TiB backups, and I assume the 'ADB opening' is not an issue when at home (not many thieves there I hope).
Click to expand...
Click to collapse
I downloaded Secure Settings to check it, and it will work. I have AutomateIT Pro and it does not support plug-ins. I have been finding more tasks that it seems only Tasker can perform, I guess it is time to get it. Thank you.
Petrovski80 said:
You could do as I do: use secure settings in combination with tasker so USB debugging will only be enabled when connected to your home Wifi. It will allow your nightly TiB backups, and I assume the 'ADB opening' is not an issue when at home (not many thieves there I hope).
Click to expand...
Click to collapse
Great idea.
Petrovski80 said:
You could do as I do: use secure settings in combination with tasker so USB debugging will only be enabled when connected to your home Wifi. It will allow your nightly TiB backups, and I assume the 'ADB opening' is not an issue when at home (not many thieves there I hope).
Click to expand...
Click to collapse
A Jasager router could exploit this if you have WiFi enabled in public. When WiFi is enabled and not connected to a network, every 'x' period of time (depending upon your wifi.supplicant_scan_interval setting in your build.prop) your phone will send out a packet saying "hey, is xyz network around?". It will do that for every network that you have saved settings for.
Under normal circumstances, you get no reply when away from your home router and the phone just waits the interval to try again. A Jasager ("yes man" in German) router waits for a device to send out those packets and simply responds "yep, that's me!". Under this circumstance, your phone would authenticate to their router and think it's on your home network, triggering any applicable Tasker options.
This is one of the reasons that I do not have WiFi enabled unless I actively want to be connected to a router in the area.
Also, I have USB Debugging disabled and my TiBu backups run perfectly fine according to schedule.
I am not a paranoid worry wart so the risk are more than worth it for me. There's nothing on here that I would care if some one got a hold of anyway.
Sent from my Galaxy Nexus using xda premium
Cilraaz said:
A Jasager router could exploit this if you have WiFi enabled in public. When WiFi is enabled and not connected to a network, every 'x' period of time (depending upon your wifi.supplicant_scan_interval setting in your build.prop) your phone will send out a packet saying "hey, is xyz network around?". It will do that for every network that you have saved settings for.
Under normal circumstances, you get no reply when away from your home router and the phone just waits the interval to try again. A Jasager ("yes man" in German) router waits for a device to send out those packets and simply responds "yep, that's me!". Under this circumstance, your phone would authenticate to their router and think it's on your home network, triggering any applicable Tasker options.
This is one of the reasons that I do not have WiFi enabled unless I actively want to be connected to a router in the area.
Also, I have USB Debugging disabled and my TiBu backups run perfectly fine according to schedule.
Click to expand...
Click to collapse
Maybe. Tasker checks both the SSID and the MAC address of my router before it returns 'wifi connected' as true and enables USB debugging. Sure, MAC addresses are easy to spoof, but I don't think the MAC address is part of the broadcast packet (I haven't checked) because that's simply a value stored by Tasker itself.
And even if it is, the combination of a lost/stolen GNEX and a thief who modded their router with jasager firmware + knows ADB is too unlikely for me to worry about it. But indeed, for maximum security it's best not to automate enabling of USB debugging.
Petrovski80 said:
Maybe. Tasker checks both the SSID and the MAC address of my router before it returns 'wifi connected' as true and enables USB debugging. Sure, MAC addresses are easy to spoof, but I don't think the MAC address is part of the broadcast packet (I haven't checked) because that's simply a value stored by Tasker itself.
And even if it is, the combination of a lost/stolen GNEX and a thief who modded their router with jasager firmware + knows ADB is too unlikely for me to worry about it. But indeed, for maximum security it's best not to automate enabling of USB debugging.
Click to expand...
Click to collapse
The MAC check would almost certainly keep you safe.
It's interesting stumbling across this thread after having just seen a podcast episode about Android hacking. If anyone is interested, check out Hak5. One of their recent episodes is about Android hacking via ADB, specifically something called P2PADB that was created for quick device-to-device ADB access. It was fairly amazing the things this person could do to a phone that has USB Debugging enabled.
Cilraaz said:
The MAC check would almost certainly keep you safe.
It's interesting stumbling across this thread after having just seen a podcast episode about Android hacking. If anyone is interested, check out Hak5. One of their recent episodes is about Android hacking via ADB, specifically something called P2PADB that was created for quick device-to-device ADB access. It was fairly amazing the things this person could do to a phone that has USB Debugging enabled.
Click to expand...
Click to collapse
Watching the video right now. Personally, I find it a gaping security hole that the ADB interface is accessible through a locked lockscreen.
For anyone interested in the vid: the ADB part starts at 7:00.
Edit: amazing video. It really proves what a knowledgeable thief can do when you have USB debugging enabled, especially when combined with root access (don't we all?). I'm going to add the video to my post. Thanks for the info Cilraaz!
Somehow my password pattern is suddenly not detectable and it shows as wrong password. As there is no more option in lollipop for "forgot password" and using the gmail account to log in. How do I reset the password on a HTC M8 without doing a reset? I've tried logging into the google account, and I can use the "find" option in the device manager to locate the device, but if i press the "lock" button and try to enter a new password, for a split second it says "We have sent a lock request to the device", but then it says "Since Google has verified that a screen lock is already set, the password you entered won't be needed." Wtf is going on? I am stuck with a pattern locked phone of whose password i know but the phone doesnt detect it anymore. Is there another way to reset the password?
No replies?
Well.......
Let me start by saying that this is a delicate matter, what if the device is stolen and somebody wants to get the info or device to work without wiping it. I know that this is probably not your intention and that it is hard to prove otherwise. But the possibility could be there in the worst case scenario !
Now don't get the above personal, it's written from another point of view, as i am running HTC phones for the past 6 years and never encountered this all of a sudden at any point. So from my point of view i find it difficult to believe.
To get to your point ...... not sure if it can be done otherwise but to reset the device. Depends if it's rooted or not for instance ?
Cheers
No reply ?
According to the story, looks like either : 3rd party apps are interfering (can also be malware/virus) OR someone physically got hold of the device and changed the password(perhaps he thinks its his own)
Try restarting the device while holding the volume up button only, android will go into safe mode and disable all 3rd party apps. If the password still doesn't work, then you have 2 options:
1) if S-ON : factory reset and lose all user data
2) if S-OFF or bootloader unlocked: remove password (this is the most details I can give without being an accomplice)
Greetings dellow xda dev's, I am currently running a Tmobile galaxy note 3, with the newest stock odexed FOL1 firmware, rooted, running twrp 2.8.5.0, I hav been installing apps and setting things up all day as a recent problem has forced me to factory reset my phone. Due to the way I use tasker to lock my phone (using secure settings to set a password) and restoring the old tasker profiles, my password appears to have been corrupted in some form or another as I have entered it a bunch of times and it won't unlock, claiming that the password is wrong. I have spent most of the evening looking at exploits and bypasses but none seem to work with my phone, there is no password.key file in the data/system folder, and deleting the gesture.key doesn't help. Using android device manager I can send a message to my phone and 'lock' it, but there is no unlock option anywhere on the screen; until I hit the home button and it simply sends me back to the normal lockscreen, and whatever new password I punched in with the manager doesn't work. I have tried several flashable zip files (lockscreen security bypass and pattern password disable), I have also tried everything mentioned in :http://forum.xda-developers.com/showthread.php?t=2620456 that article, as well as poking around in adb and in twrp's file manager, as well as some old lockscreen vulnerabilities (sadly copy and paste do not appear on the emergency dialer or the password field).
I am rather desperate to get my phone unlocked without a factory reset, as I just barely recovered from one recently, and need my phone for work tomorrow morning. I do have some tasker and autoremote profiles running that will tell my phone to setoff an alarm through tasker, and that will alert my phone to when my tablets battery life is low, but I don't know if either of those will help. I do not have any trusted bluetooth devices that can unlock the phone, nor do I ever seem to find a password reset/forgot your password option after typing in my password.
Any help or guidance would be greatly appreciated and tried come morning before work.
Guys,
I done goofed.
Allowed the young one to play with the tablet, lo and behold, the fingerprint scanner was "gone" and the tablet was requesting the alternate password, which I'm ashamed to say I have no Idea what it is.
I've tried to access the tablet with Android Device Manager, which gives me 3 options, RING - BLOCK - ERASE
After researching, I read that clicking on block and setting up a password there would work, but it doesn't. It just gives me a message saying that "Since google has verified that a screen lock is already set, the password that you entered won’t be needed"
There's no samsung account set.
While I know I could do a factory reset, It would be sad to lose some of the photos and files on the device.
Crazy ideas to help this fool here?
cheers,
Dan
factory reset wont delete your photos and files. it just delete system related data/install apps. unless you format your internal drive.
Hmm I thought that could be the case, but the only way I can do as reset now is going into that special mode by pressing power, home, volume buttons when the tablet is off right?
Won't the option I find there more drastic that a regular factory reset?
I haven't tried yet because I was hopeful for another solution :/
No other option available, would be terrible if there was (security bug!) Just do a factory reset in recovery mode, never got my personal files deleted that way, even Bluetooth downloads and old app folders stayed there
My father in law died last weekend and we don't know the pincode of his stock Nexus 5X. We can access his Google account and we know the pincode of his sim card. I hope someone can help us out to get access to his phone. Things we've tried:
- The vingerprint reader was setup but we've tried a lot of possible pins. We've tried his vinger yesterday but because of the attempts the pin is also required now.
- With a pattern lock you'll get a possibility to unlock through the Google account password after some attempts but his phone was secured with a vingerprint and/or pincode. Only the delay between attempts get increased, currently 16 minutes between them.
- The lock option from https://www.google.com/android/devicemanager, but because there is already a pin lock it doesn't work. The pin doesn't change.
- I've tried to access the phone through ADB, booted into the recovery but "adb devices" doesn't see the phone. When I choose to "install update through adb" I see the devices with "adb devices" but I can't use "adb shell", only sideloading works.
- Installing a custom recovery could work but the bootloader is locked, when I unlock it a full wipe will be performed so we still can't access the data.
- From the Play store in the browser on my Mac I've installed the androidlost.com app on the phone, but the app needs to be opened once before it can be used.
- A rubber ducky could help us out, but I don't have one and the time between attempts get increased and increased... it would take weeks, months or years to unlock.
What other possibilities do I have?
First sorry for your lost!
Second, i don´t know for sure, but maybe get the phone to the store where you bought it and explain the situation, maybe they will give a correct advice or like you said the phone is registed in google ( device manager) maybe if you contact them they will help you with that ( the problem is they probably will take a long time to reply or don´t reply at all) or wait for a more expert user than me here in xda,
again, sorry for your lost and hope you solve this problem,
cheers
If the phone was rooted with a recovery installed, YES, you could delete the passcode files and get into it, without root/recovery, you cannot get into it without the password, that is the point of encryption and passwords and all that jazz.... Yes there is probably a way for some high level hacker to do it but good luck finding that.... If you just want to be able to USE the phone, do a factory reset from recovery....