[Q] Security of CM7 or other ROMs - EVO Shift 4G Q&A, Help & Troubleshooting

Hey all,
I would post this on the CM7 thread in development, however I don't have 10 posts to my name, so it's here. I also didn't see anything via searching the Q&A with security of CM7 or other ROMs. If I am wrong, or it's been posted, I apologize!
I read all of these posts on the internet about jail-breaking iDevices via SSH, and it made me wonder if a rooted phone has the same vulnerability (via SSH or other method) that could compromise my phone.
Currently, I have TWRP with CM7, and back-ups of everything, so if I do manage to catch something nasty, I have no problems with restoring. But I'd like to avoid all of that in the first place. I realize pretty much all of this can be avoided with smart internet surfing, avoiding un-trusted apps, and making sure the unknown sources setting is unchecked. Anything else?

There's the app called "look out" I think that's a great app for stopping malware from apps. Or you can go with any anti virus app on the market
Sent from my PG06100 using xda premium

Lookout is a great app, though I personallly prefer Avast as it has the ability to firewall and has a killer anti-theft service that can stay on the device even if the thief factory resets it

Pretty much just common sense, like you said.
- Uncheck "Android debugging" (ADB), "Allow mock locations" and "Unknown Sources" in Settings>Applications>Development.
- Never install Apps that didn't come from the Market (Google Play, whatever). Review the permissions before installing an app... isn't it odd that your notepad app needs internet access, account access and network-based location capabilities?
- Revoke unnecessary permissions and auto run conditions for your apps (I use Gemini App Manager for auto run).

So, I looked at Lookout (no pun intended), and it's ok. I haven't tried Avast yet, and I have Sprint, so I'm looking at it's Total Equipment Protection app as well.
Another question: how effective is the Superuser app at blocking requests for root? Does it intercept all requests or only apps? I understand that getting root via the terminal emulator on the phone needs the superuser, but using the computer to run commands through the shell doesn't (I think). So, if the Superuser app can't prevent USB debugging without permission, what are my options in case my phone gets stolen?

smmiller506 said:
So, I looked at Lookout (no pun intended), and it's ok. I haven't tried Avast yet, and I have Sprint, so I'm looking at it's Total Equipment Protection app as well.
Another question: how effective is the Superuser app at blocking requests for root? Does it intercept all requests or only apps? I understand that getting root via the terminal emulator on the phone needs the superuser, but using the computer to run commands through the shell doesn't (I think). So, if the Superuser app can't prevent USB debugging without permission, what are my options in case my phone gets stolen?
Click to expand...
Click to collapse
Superuser app will prompt you for anything thats asking for root access... When I first rooted my shift I had to grant adb shell superuser permissions...
And honestly if your phone gets stolen, it's gone... We had a user that had has phone stolen and the police nor sprint could do anything about it, even though he knew where the phone was... Here is the thread...
Sent from my PG06100 using Xparent Blue Tapatalk 2

drob311 said:
Superuser app will prompt you for anything thats asking for root access... When I first rooted my shift I had to grant adb shell superuser permissions...
And honestly if your phone gets stolen, it's gone... We had a user that had has phone stolen and the police nor sprint could do anything about it, even though he knew where the phone was... (LINK REMOVED)
Sent from my PG06100 using Xparent Blue Tapatalk 2
Click to expand...
Click to collapse
You know what, you're right about the Superuser part. So, that's good. Now I just need to lock down the recovery (TWRP).
On a side note, it is no longer illegal swap ESN/MEID info anymore, so long as you own the phones involved. I think that was passed by Congress around the same time as the whole jailbreaking thing, however with the new laws coming out soon in regards to the national database of bad phones, that may change.

fayrarri said:
Lookout is a great app, though I personallly prefer Avast as it has the ability to firewall and has a killer anti-theft service that can stay on the device even if the thief factory resets it
Click to expand...
Click to collapse
I use avast too you can select root installation. On a side note about security having root doesn't make your phone any less secure. User error makes things less secure like not checking permissions of a app before installing it.

Yeah but its not just about knowing who took your phone or where it is, the remote wipe can be helpful to remove sensitive data from the phone

fayrarri said:
Yeah but its not just about knowing who took your phone or where it is, the remote wipe can be helpful to remove sensitive data from the phone
Click to expand...
Click to collapse
I wish I knew java, I would make an app that would brick the phone if the owner activated said app from a pc... The only way to prevent a thief from stealing your info is to make the the phone completely disabled... Since you call insurance right away to report the phone stolen, they (assurion) deactivate the device and put it on the bad esn list, essentially rendering the phone useless but an app accessible from a pc to completely brick the phone, would be the ultimate "**** you" to the prick that stole your device...
Sent from my PG06100 using Xparent Blue Tapatalk 2

drob311 said:
I wish I knew java, I would make an app that would brick the phone if the owner activated said app from a pc... The only way to prevent a thief from stealing your info is to make the the phone completely disabled... Since you call insurance right away to report the phone stolen, they (assurion) deactivate the device and put it on the bad esn list, essentially rendering the phone useless but an app accessible from a pc to completely brick the phone, would be the ultimate "**** you" to the prick that stole your device...
Sent from my PG06100 using Xparent Blue Tapatalk 2
Click to expand...
Click to collapse
I would pay a good 10 bucks for that app!
Sent from my myTouch_4G_Slide using Tapatalk 2

I realized something unfortunately - the recovery and bootloader can't be locked down, which means that any apps loaded onto the phone can be easily deleted. So, that kinda makes locking the phone down to prevent data theft on a stolen device pointless.
Thoughts on locking the recovery and/or bootloader down in case of a stolen device?

Well Avast does root installation so that stays on the device even if its factory reset. And I believe there is a command that you can send the phone that makes accessing the applications menu impossible.

drob311 said:
I wish I knew java, I would make an app that would brick the phone if the owner activated said app from a pc... The only way to prevent a thief from stealing your info is to make the the phone completely disabled... Since you call insurance right away to report the phone stolen, they (assurion) deactivate the device and put it on the bad esn list, essentially rendering the phone useless but an app accessible from a pc to completely brick the phone, would be the ultimate "**** you" to the prick that stole your device...
Sent from my PG06100 using Xparent Blue Tapatalk 2
Click to expand...
Click to collapse
Knowing me I'd brick the phone and then find it two days later in my car

In regards to security you can also set a pattern for your lockscreen and it won't unlock even when you slide the keyboard open

fayrarri said:
Well Avast does root installation so that stays on the device even if its factory reset. And I believe there is a command that you can send the phone that makes accessing the applications menu impossible.
Click to expand...
Click to collapse
sparksco said:
In regards to security you can also set a pattern for your lockscreen and it won't unlock even when you slide the keyboard open
Click to expand...
Click to collapse
Again, both of these apply to when Android and the original ROM are still installed. So, if your phone gets stolen by someone who knows how to root a phone and use the recovery, he could backup all of your data, flash a new ROM through recovery and now he has a new phone with no apps, lockscreen, or Superuser app to deny permissions to root. With the backed-up data, he could sift through that and possibly find personal data.
However, the lockscreen will be successful against entry if the person doesn't know how to use the recovery. Superuser rights can't be granted if it can't pass the lockscreen. And right now, I have no permissions granted to ADB shell or Terminal Emulator.
I know some people may think, "what is this guy thinking, he's an idiot, etc..." but I am thinking of worst case scenarios in a security perspective in regard to data protection.

fayrarri said:
Knowing me I'd brick the phone and then find it two days later in my car
Click to expand...
Click to collapse
But if you activated the brick app, your phone would have already been reported stolen to assurion and put on the bad esn list, even if you find it, it can't be re-activated...
Sent from my PG06100

Lol yes I realize that, just making a joke

smmiller506 said:
Again, both of these apply to when Android and the original ROM are still installed. So, if your phone gets stolen by someone who knows how to root a phone and use the recovery, he could backup all of your data, flash a new ROM through recovery and now he has a new phone with no apps, lockscreen, or Superuser app to deny permissions to root. With the backed-up data, he could sift through that and possibly find personal data.
However, the lockscreen will be successful against entry if the person doesn't know how to use the recovery. Superuser rights can't be granted if it can't pass the lockscreen. And right now, I have no permissions granted to ADB shell or Terminal Emulator.
I know some people may think, "what is this guy thinking, he's an idiot, etc..." but I am thinking of worst case scenarios in a security perspective in regard to data protection.
Click to expand...
Click to collapse
What are the chances that the person knows how to use a rooted phone? And by the time they figure out how to use it, what rom they want to install ect, you could wipe all data on the phone using something like avast. You could even wipe the sdcard. Remember protecting your data and personal info is what's important here, not if they can use the phone because it's rooted.

sparksco said:
What are the chances that the person knows how to use a rooted phone? And by the time they figure out how to use it, what rom they want to install ect, you could wipe all data on the phone using something like avast. You could even wipe the sdcard. Remember protecting your data and personal info is what's important here, not if they can use the phone because it's rooted.
Click to expand...
Click to collapse
I completely agree with you on this one - data security is more important than anything else. Which is why I'm curious about the security of rooted phones - I enjoy the features of a rooted phone and hate the bloatware/jail-cell environment of a stock phone to give up root.
I will assume that the chances of a thief knowing how to use a rooted phone are pretty good. So, if I can lock down Android and root permissions in the OS, how can I do the same to the bootloader and/or recovery to achieve ultimate security?

Related

[Q] Hard Baking in Security?

Does anyone know if it would be possible to bake in security like Wave Secure type of thing in to custom ROMs? I've always thought Wave Secure is a bit pointless if a simple factory reset would clear it and therefore leave the phone ready for the thief or new owner to use as they see fit.
Another layer, not perfect, but still another layer that a thief or finder may not be immediately aware of would be to bake in some security features like tracing or locking in to a custom ROM so even a factory reset wouldn't remove it, possibly something in to the boot loader itself?
Has anyone thought of this?
DroidBois said:
Does anyone know if it would be possible to bake in security like Wave Secure type of thing in to custom ROMs? I've always thought Wave Secure is a bit pointless if a simple factory reset would clear it and therefore leave the phone ready for the thief or new owner to use as they see fit.
Another layer, not perfect, but still another layer that a thief or finder may not be immediately aware of would be to bake in some security features like tracing or locking in to a custom ROM so even a factory reset wouldn't remove it, possibly something in to the boot loader itself?
Has anyone thought of this?
Click to expand...
Click to collapse
People do and have bundled things into roms - often dropping them into /system/app directory, though I don't think anyones gone as deep as into the bootloader?
Though, if your phone is rooted, and your installed the app to /system/app, then a thief could in theory just flash your phone faster than if your phone WASNT rooted. They don't even need to root your phone at that point.
An interest aspect of hardening this, might be to compile your on recovery/bootloader that would require a password to get into.
I think what he's saying is to add the wave secure or similar app into the ROM so that if the thief does a quick "reset to factory settings" after lifting the phone, the security app would survive, perhaps long enough to recover it.
Most thieves would just wipe the phone (if that) to flip it and might not take the time to flash a new ROM.
The tough pay as I see it would be everyone would need their own custom ROM.
Sent from my SPH-D700 using XDA App
Xerloq said:
I think what he's saying is to add the wave secure or similar app into the ROM so that if the thief does a quick "reset to factory settings" after lifting the phone, the security app would survive, perhaps long enough to recover it.
Most thieves would just wipe the phone (if that) to flip it and might not take the time to flash a new ROM.
Click to expand...
Click to collapse
Yep, that's it. I'm assuming most thieves would not recognise a custom ROM or know what to do with it. At least buy some time to try and locate and recover the phone. Only time I'd want a front facing camera.
So what happens if they replace the SIM though? Sending SMS's is nice, but only if your number is still working with that phone. A hard baked security system would send an SMS when the SIM was changed at least.
You shouldn't make a ROM to put an apk into /system/app. You can simply push it through ADB or via terminal emulator. That will atleast survive a factory reset. I don't think many thieves actually take the time to flash a new image
So this is all we need to do? Use the ADB method? So I push through WaveSecure, that could survive a factory reset with settings intact?
Something baked in to recovery would be awesome too.
as far as I know when pushing an apk via adb into system/app then only the app itself is stored there, not the settings. the settings are gone after a system wipe. there needs to be some logic in the app to connect to a site and retrieve your settings from there... using your phone's ID or something.
RAMMANN said:
as far as I know when pushing an apk via adb into system/app then only the app itself is stored there, not the settings. the settings are gone after a system wipe. there needs to be some logic in the app to connect to a site and retrieve your settings from there... using your phone's ID or something.
Click to expand...
Click to collapse
The application itself will survive - but wouldn't all it's data, which still resides in /data/data be wiped?
So yes... the app survived... But it no longer knows who you are, or whose phone it is.
I think the just release CDMA/GSM Droid Pro may have the security you are looking for?
tbaker077 said:
I think the just release CDMA/GSM Droid Pro may have the security you are looking for?
Click to expand...
Click to collapse
It's a bit extreme to fork out another $700 on a new phone just for this. The whole point is to avoid spending money in case of theft or loss
Well part of my unspoke point is this is XDA-Developers, I sure there is a ways(one the rom comes out) to port some of those security files to other Android devices.
tbaker077 said:
Well part of my unspoke point is this is XDA-Developers, I sure there is a ways(one the rom comes out) to port some of those security files to other Android devices.
Click to expand...
Click to collapse
Didn't quite understand you, are saying it is possible to bake in some security?
I think once the Droid Pro, which has it baked in, is either rom dumped and extracted, or rooted then I think it could be possible.
tbaker077 said:
I think once the Droid Pro, which has it baked in, is either rom dumped and extracted, or rooted then I think it could be possible.
Click to expand...
Click to collapse
So something *is* possible via software, not requiring special hardware?
Once some gimboid puts in their own SIM you'd think that you can't send an SMS to control the phone although WaveSecure seems to cover that too.
I'd like something as subtle and as invisible as a good virus. Bootloader would be ideal. Theoretically then a full factory wipe wouldn't clear it.
I couldn't tel you. All I know is the Droid Pro is a 3G CDMA. GSM device with some special enterprise security features/software aimed at the BB users.
Doesn't really help us then if that's only available on the Droid Pro.. For the rest of us we still need to work out how to bake in WaveSecure or, ideally, something very subtle. If someone takes my phone I want to nail the little turd, or at least embarrass him when the phone siren goes off or he gets a loud spoken message or something.
Another point, with IMEI numbers, is this of any use if you bought your phone outright? I.e. if my phone is stolen, I can't get the IMEI blocked can I? And can IMEI numbers be changed?
This may meet your needs/requirements. It is called lookout mobile.
https://www.mylookout.com/
I know Paul at Modaco bakes wavesecure into his roms.. not sure if the data would survive a wipe but then whats the point of baking it in system if it doesn't right? Check it out:
Version R9: (requires membership)
http://android.modaco.com/content/h...-rom-for-htc-desire-online-kitchen-2-2-froyo/
R8: (Free for all)
http://android.modaco.com/content/h...for-htc-desire-with-online-kitchen-2-2-froyo/
Okay.. Just found out. This explains everything!
https://www.wavesecure.com/blog/how-to-make-wavesecure-hard-reset-proof.aspx

[Q] Trigger Factory Reset in CWM Recovery

I'm loving to try out the CM7 builds and other custom ROM, but at the same time I'm concerned with all the security risks of an unlocked bootloader and cwm recovery.
I wanted to know if there's a way to trigger a factory reset to remotely wipe the phone using the clockwork recovery. Anyone know of anything done like this?
I know there are apps out there that trigger a remote wipe by going into the stock recovery but, when that happens on CM7 for instance, the phone just goes on that Exclamation Mark screen since the stock recovery was overwritten.
Since CM7 can actually reboot to cwm recovery, would there be a way to issue a command to reboot to recovery AND perform a factory reset (or one that would bring back the stock recovery and then do the wipe).
Am I talking nonsense here? I just wanted to minimize risks with a phone theft for example, by wiping everything (I can wipe the SD card already, but am now concerned with the system itself).
Thanks!
You're just being too paranoid. Unlocking your bootloader won't affect anything.
Besides.. the chances are, if a person stoel your phone. I seriously doubt that they have any knowledge of recovery and all these other things that most users on XDA know.
If they do know, then the chances of them stealing your phone are low. I mean really, what individual with knowledge of flashing different ROMs and all these other things would have the audacity of stealing your phone? Only chance is if you lost your phone (not insulting anyone but I don't think people would have the courage to steal a phone from you if they are so knowledgeable in flashing)
And you can always go to http://market.android.com and download "Plan B" onto your phone.
https://market.android.com/details?id=com.lookout.labs.planb&feature=search_result
After you install it, Plan B will start locating your phone using cell towers and GPS, even if you didn't have GPS switched on. Your location will keep updating for 10 minutes, and you will get an email each time it is located, whether the phone is moving or standing still. You can start the process again by texting “locate” to your number from any other phone. In order to locate your phone, we send you a text via SMS, so standard message rates apply.
Click to expand...
Click to collapse
Yeah, it is somewhat paranoid but I think you can never be too safe with your information nowadays
Having an unlocked bootloader allows anyone to access your phone's data completely and while that's great for flashing ROMs, it's not a secure method.
I understand that most people don't really have the expertise going on at these forums, but I just wondered if someone had developed a security app of that sort, I would certainly buy it!
Plan B is an interesting app, but just allows you to try to locate your phone, not wipe it.
fabio008 said:
Yeah, it is somewhat paranoid but I think you can never be too safe with your information nowadays
Having an unlocked bootloader allows anyone to access your phone's data completely and while that's great for flashing ROMs, it's not a secure method.
I understand that most people don't really have the expertise going on at these forums, but I just wondered if someone had developed a security app of that sort, I would certainly buy it!
Plan B is an interesting app, but just allows you to try to locate your phone, not wipe it.
Click to expand...
Click to collapse
? I don't get the point that you're making of "unlocked bootloader" vs. "locked bootloader." It's the same thing, it just allows more freedom. Phones that aren't Nexus run on a locked bootloader and such. They're able to flash ROMs and do all that.
And Plan B is a last resort app, its not supposed to be used a security app. Thats what their primary app, Lookout is for.
Stop being paranoid, if somebody steals your phone. The chances of them knowing about recovery and doing all of that are VERY LOW.
If its something that bothers you just put a security lock on your phone and Lookout or any other related app. Report it to the police and they'll help you retrieve it.. unless thats something Brazil doesn't offer.
fabio008 said:
Yeah, it is somewhat paranoid but I think you can never be too safe with your information nowadays
Having an unlocked bootloader allows anyone to access your phone's data completely and while that's great for flashing ROMs, it's not a secure method.
I understand that most people don't really have the expertise going on at these forums, but I just wondered if someone had developed a security app of that sort, I would certainly buy it!
Plan B is an interesting app, but just allows you to try to locate your phone, not wipe it.
Click to expand...
Click to collapse
You can use Autowipe app and use a pin code to lock ur screen. Autowipe has options to wipe ur phone after 'n' number of unsuccessful attempts to unlock ur screen. You can also set options in the app, to wipe ur device when sim card is changed.
Sent from my Nexus S using XDA App
zephiK said:
? I don't get the point that you're making of "unlocked bootloader" vs. "locked bootloader." It's the same thing, it just allows more freedom. Phones that aren't Nexus run on a locked bootloader and such. They're able to flash ROMs and do all that.
And Plan B is a last resort app, its not supposed to be used a security app. Thats what their primary app, Lookout is for.
Stop being paranoid, if somebody steals your phone. The chances of them knowing about recovery and doing all of that are VERY LOW.
If its something that bothers you just put a security lock on your phone and Lookout or any other related app. Report it to the police and they'll help you retrieve it.. unless thats something Brazil doesn't offer.
Click to expand...
Click to collapse
I understand the chances of knowing about recovery are indeed very low, still, locked and unlocked bootloader have a significant difference when talking about access to your phone's data. With 2.3.3 now, there is no way to flash cwm if you have a locked bootloader (unless you completely erase your phone), while having it unlocked allows you to access everything from the modded recovery (considering you have the expertise).
It is a long stretch but I just thought it was worth discussing additional security possibilities when you're not completely "stock".
kirdroid said:
You can use Autowipe app and use a pin code to lock ur screen. Autowipe has options to wipe ur phone after 'n' number of unsuccessful attempts to unlock ur screen. You can also set options in the app, to wipe ur device when sim card is changed.
Click to expand...
Click to collapse
Yeah, I actually have a pin code and WaveSecure installed, so for the most part I think it works OK. But their wipe function is not that great, it leaves a lot of stuff behind.

[Q] Password protect the device administrators in security settings?

Phone is a Droid Incredible running the latest stable CM7 (7.0.3)
----------------------------
I recently installed seek droid and a few other applications meant to protect my phone in the event of malware download or the phone is stolen. I noticed though that if someone goes in and removes these devices from the admin group that they can just be uninstalled. I realize the lock screen is there to protect the phone but if they do get in they can very easily uninstall the programs I would be depending on to get my phone back.
Now I know someone could just wipe the device using the factory reset in clockwork mod but yeah ... anyway I am looking to see if there is a way to secure the security settings or the device administrators section with a separate password of some sort? Or maybe there is a program that will do it? I tried Seal but it only seems to do app locks and it doesn't require administrator privileges so it can just be uninstalled anyway.
Thanks for any help. I have been looking around for awhile and come up with nothing so I am not expecting much but figured this would be the place to ask.
There are such tracking apps that require root but will be installed into /system and thus even survive a factory reset.
I think you can install any app to /system through a bit tinkering.
Some allow to change the icon and app name to hide its true purpose.
In the end, if the person knows what he is doing, you can't stop him.
Thanks for the advice. I realize if they know what they are doing they can get it off somehow but would be nice to not have an obvious app sitting in the drwaer called 'seek droid' that can then just be easily uninstalled.
Thanks again.

[App Idea] Plan B for data recovery on broken stock phones.

I feel this idea could be useful for a lot of us, not on our phones since we are likely rooted but on our family members and non tech friends stock phones. Which we usually end up fixing.
My idea if it is possible would be be for a "Plan B" type app for use after a broken screen, were the completely stock phone without ADB enabled needs data extracted.
My hope is that someone could make a app that is remotely installed from play.google.com that automatically turns on ADB debugging (if possible without root)
After that most data can be extracted with "adb backup" or adb pulls.
I can't count how many times this would of helped me in the past if it existed. Any dev up for the job? I am sure it would be appreciated by people.
Guess no one was interested in this idea.
shadowofdarkness said:
Guess no one was interested in this idea.
Click to expand...
Click to collapse
I think many of us are interested but one (so far) can help.
would be a good idea.... who ever was in need for something like that will be likely to pay for that... :laugh:
I could see this being a massive security risk. Sure the app could be handy, but it would also make stealing info from a phone very very easy.
So on that note, I don't think it will ever make it through, though I am sure there are ways.
Just install something like SMSBackup+: https://play.google.com/store/apps/details?id=com.zegoggles.smssync
Set it to automatically back up to their gmail, every so often, and then when it comes time to have to do repairs, you can get all of their calling/sms stuff back, since Google automatically deals with the contact infos.
it wouldn't be a security risk since the only way to install it would be from play.google.com which no one can do without your password. also pour planning with other software is not the point of this since I have been asked to recover data from devices by people that I honestly had no clue they owned the device before they broke it.usually family I don't see on s normal occurrence.
I've always been taught to keep a back up of anything you consider important.
Either way...
There are ADB backup solutions out there, there are recovery apps in the Playstore that will scan for missing or deleted files.
If you have access to the Playstore you have access to all the already available recovery apps. Why the need for an app that will basically root and unlock the device from behind their 'lock screen'?
If you have no direct GUI access, you want an app that you run on your computer that forces the phone connected via USB, to unlock and let you access whatever you want before you restore the phone. This is a massive security problem, because anyone could download that app, and use it to break into phones.
Sound like the 'prior planning' apps, are the best way to go.
I think you are missing my point. I know that prior planning is the best but it it not always possible when dealing with people so tech illiterate that even thought they own the device they barely understand it is not a iPhone because that is what a smartphone is to them.
My intended use is for physicaly broken phones (mainly screen) where I can't control any apps with the screen or turn on ADB from settings.
You thought on the security risk is wrong since out of the ways I can think of to install it via play store on the phone is would not be used since that would mean the attacker could just go into settings and do it the normal way. sideloading is impossible since it would be redundent due to that already needing ADB on.
The intended way via the web is safe enough since the attacker would need your email, password.
Do you hate the "Plan B" app that gps tracks your lost or stolen phone that is already in the play store and gave me this idea. It shows in the store as having between half a million and a million installs. Do you think those people should of went without such a app and lost their phone since they should of just pre planned since it is better.

[Q] Data Wipe After 10 Failed Attempts

As you may know, if you are using a secured lock screen and you enter the password/code/pin incorrectly 10 times in a row, it automatically wipes all data.
As I'm "new", I can't post a link to it, but Phandroid wrote an article on this (and made a video doing it)
I'm looking for a way to disable this.
I rooted using jcase's method. Any ideas?
Dwight Caffery said:
As you may know, if you are using a secured lock screen and you enter the password/code/pin incorrectly 10 times in a row, it automatically wipes all data.
As I'm "new", I can't post a link to it, but Phandroid wrote an article on this (and made a video doing it)
I'm looking for a way to disable this.
I rooted using jcase's method. Any ideas?
Click to expand...
Click to collapse
I think you need /system write access, I am not sure it will work because you can fake write to /system but not really, so I don't think you can fix it without s-off.
here you go
http://phandroid.com/2014/03/31/htc-one-m8-security-video/
I'm just wondering what you're doing to get your passcode/pattern wrong 10x in a row...
sfreemanoh said:
I'm just wondering what you're doing to get your passcode/pattern wrong 10x in a row...
Click to expand...
Click to collapse
It's probably more of an issue with someone else playing with your phone or taking it. I know I don't find it useful at all and would only have a chance to cause problems for me.
Sent from my HTC6525LVW using xda app-developers app
Keithn said:
It's probably more of an issue with someone else playing with your phone or taking it. I know I don't find it useful at all and would only have a chance to cause problems for me.
Sent from my HTC6525LVW using xda app-developers app
Click to expand...
Click to collapse
Yeah, I guess that makes sense. Give it to your kid to play with, only to get it back all fresh and wiped... Thank god I don't have kids!
This annoyed the crap out of me. I travel constantly with my phone and if it gets wiped during travel (and losing pictures and documents), that would equal me being fired from my job. My companies exchange server enforces security, which is good. On other devices, I can simply turn off this absolutely retarded option.
I had the same problem on the HTC M7. Luckily it can be disabled with root.
Anyway, once we get a proper root, you can set the failed attempts = 0 in an system xml file and then you will be good to go.
EDIT:
Edit this file:
/system/customize/ACC/default.xml
change this:
Code:
<item type="integer" name="devicepolicy_max_fail_passwords_for_wipe">10</item>
to this
Code:
<item type="integer" name="devicepolicy_max_fail_passwords_for_wipe">0</item>
Reboot and its disabled.
MultiDev said:
This annoyed the crap out of me. I travel constantly with my phone and if it gets wiped during travel (and losing pictures and documents), that would equal me being fired from my job. My companies exchange server enforces security, which is good. On other devices, I can simply turn off this absolutely retarded option.
Click to expand...
Click to collapse
It isn't a retarded option if you're primary concern is data security. For some it's better to wipe the data clean than have it stolen by an attacker. Unfortunately the people who want this option are in the minority. There should be a toggle for everyone else who would rather keep the device from self destructing.
MultiDev said:
I had the same problem on the HTC M7. Luckily it can be disabled with root.
Anyway, once we get a proper root, you can set the failed attempts = 0 in an system xml file and then you will be good to go.
EDIT:
Edit this file:
/system/customize/ACC/default.xml
change this:
Code:
<item type="integer" name="devicepolicy_max_fail_passwords_for_wipe">10</item>
to this
Code:
<item type="integer" name="devicepolicy_max_fail_passwords_for_wipe">0</item>
Reboot and its disabled.
Click to expand...
Click to collapse
I believe this can be done with the temp root method. I was able to enable writing to the external sd card by modifying the /system/etc/permissions/platform.xml file. I'm guessing it will persist until a hard reboot. I might try to edit the default.xml later.Big fail.
l7777 said:
It isn't a retarded option if you're primary concern is data security. For some it's better to wipe the data clean than have it stolen by an attacker. Unfortunately the people who want this option are in the minority. There should be a toggle for everyone else who would rather keep the device from self destructing.
I believe this can be done with the temp root method. I was able to enable writing to the external sd card by modifying the /system/etc/permissions/platform.xml file. I'm guessing it will persist until a hard reboot. I might try to edit the default.xml later.
Click to expand...
Click to collapse
Don't defend this "feature". Its undefendable. Its a completely retarded option if you can't turn it off. You have no idea how much it worries me when I travel that I could have my device wiped due to 10 in correct entries; I am currently traveling with a company iPhone, because I am that paranoid of it wiping on me. This little "feature" has completely ruined this device for me. Completely and utterly. I would call that a retarded option.
As for data security, I enable encryption and use a strong password. I also have remote wipe options. This feature should be an optional feature, not a mandatory feature. If I'm such a minority, why does no other phone OS mandates this? Not iOS, WP8, blackberry, or even stock android. I've used many phones. Only recent HTC's have mandated this. The HTC One with original 4.2 firmware didn't mandate it.
This feature is completely retarded. Period. End of discussion. BTW, not trying to be mean-spirited or anything, but its just such a dumb move on HTC's part.
With temp root, I might be able to change it, but don't you need a reboot to complete any changes to the system xml?
EDIT:
So I attempted to change it, but the changes didn't stick. Tried a second time, but the phone crashed and rebooted on me.
MultiDev said:
Don't defend this "feature". Its undefendable. Its a completely retarded option if you can't turn it off. You have no idea how much it worries me when I travel that I could have my device wiped due to 10 in correct entries; I am currently traveling with a company iPhone, because I am that paranoid of it wiping on me. This little "feature" has completely ruined this device for me. Completely and utterly. I would call that a retarded option.
Click to expand...
Click to collapse
While the feature should be a user option, it is a good feature for those that need that type of security. As I said before, those are the minority. Most of us are happy with the security you mentioned and would rather the device did not self destruct, myself included.
FYI for anyone using a pattern, it seems you have to touch four dots before it considers it an attempt. I was able to touch any combination of 3 or less dots without lowering the counter.
MultiDev said:
EDIT:
So I attempted to change it, but the changes didn't stick. Tried a second time, but the phone crashed and rebooted on me.
Click to expand...
Click to collapse
Current state of the exploit doesn't allow any changes to /system. Anything that looks like it got changed, really didn't, and even if it seems like it's working now, will revert upon your next reboot.
Dwight Caffery said:
As you may know, if you are using a secured lock screen and you enter the password/code/pin incorrectly 10 times in a row, it automatically wipes all data.
As I'm "new", I can't post a link to it, but Phandroid wrote an article on this (and made a video doing it)
I'm looking for a way to disable this.
I rooted using jcase's method. Any ideas?
Click to expand...
Click to collapse
Same as this thread.....
http://forum.xda-developers.com/showthread.php?t=2700662
Sent from my HTC6525LVW using Tapatalk
This worries me because I have kids. I don't want them wiping my phone by accident.
replica9000 said:
This worries me because I have kids. I don't want them wiping my phone by accident.
Click to expand...
Click to collapse
It will still make you wait between attempts if you get it wrong too many times. As long as they don't get it for a long period of time and don't get bored of trying you'll probably be okay
Sent from my HTC6525LVW using xda app-developers app
This is one of my biggest annoyances with HTC's lock screen. Give me an option to just have a pattern lock. the wiping should be a check box.
why it isn't an option I just don't know. Sure it should be a feature, it shouldn't be a forced one though.
Check out the new app called "nine" its an exchange mail client. You can apply the security settings to the app rather than the phone and also set it to wipe the email account rather than the phone if you reach the max failed attempts.
The client is actually the best i've found yet for email...great interface and options with a two week trial
Gator Brah said:
Check out the new app called "nine" its an exchange mail client. You can apply the security settings to the app rather than the phone and also set it to wipe the email account rather than the phone if you reach the max failed attempts.
The client is actually the best i've found yet for email...great interface and options with a two week trial
Click to expand...
Click to collapse
That is irrelevent for this discussion, exchange can only force a screen lock. HTC has baked in the 10 failure self destruct on any screen lock whether forced by exchange or simply turned on by the user.
l7777 said:
That is irrelevent for this discussion, exchange can only force a screen lock. HTC has baked in the 10 failure self destruct on any screen lock whether forced by exchange or simply turned on by the user.
Click to expand...
Click to collapse
negative ghostrider. I've tested it personally and the exchange securities are only applied to the app itself...not the phone. The exchange account is not even a device administrator which it would need to be to set the lock screen as well as wipe the device.
Gator Brah said:
negative ghostrider. I've tested it personally and the exchange securities are only applied to the app itself...not the phone. The exchange account is not even a device administrator which it would need to be to set the lock screen as well as wipe the device.
Click to expand...
Click to collapse
Ummm, afirmative ghostrider. HTC baked in the 10 time and wipe. regardless if I push a lock screen from my exchange security policies or not, if I turn on the pattern lock or other lock screen it will wipe after 10 times.
Just because you have a specific app that doesn't allow the exchange service to be admin doesn't change the fact that the 10 time wipe IS indeed baked into the lock screen.
I must be the only paranoia type on XDA, since no one has any idea about this, this is surprising...
I run my own Exchange server, and I voluntarily turn these policies on the moment I connect my account with my Android phone (in addition to device encryption).
The policy IS also configurable if you connect via Exchange. By doing so, you delegate it as a device administrator to your phone. Check in "device administrator" settings under the security and see if there are one or more enabled, and see if you can disable the one you're annoyed with.
Seriously though it's not that terrible. I have my phone to self destruct after 5 attempts. My company issued Blackberry has it trigger after 6. The more times you get it wrong, it keeps warning you, and eventually it will actually make you do stuff like type words in to ensure you aren't fat fingering your phone in your pants to give you another unlock attempt. If your company has the audacity that they will fire you because the phone was wiped and you can't read your correspondence, show them the figurative finger and demand a company issued device.
Technically I don't own an M8 phone yet since I'm waiting for the S-OFF before I buy, but I still have a mutated version of Sense running on my Rezound...so this should match up with what you're seeing.

Categories

Resources