Securing android. - Verizon HTC One (M8)

With the recent release of Sunshine 3.0 I was finally able to liberate my verizon m8. However with this new found freedom I also find myself worrying about the new found responsibility that comes with a rooted phone running CM12 with an unlocked bootloader.
My question is this:
How do i keep my phone as secure as possible?
I have been told that re-locking my bootloader will break my phone because of the signing process (Verizon is evil) and that encrypting the phone is futile because of root.. What can I do to protect my phone and how hard is it for someone to circumvent any security measures I can come up with?
P.S. This paranoia was prompted by a friend sending me this video.

Related

[Q] Can I root my device if I have the latest OTA update?

HTC One M8 on Verizon. Android version 5.0.1. I did a lot of research yesterday, and could not find any working solution to root the phone. It's hard to find anything on Google because generally the information will be outdated (from last year or the year before). So can someone fill me in on what exactly I'd need to do? This is my first smartphone and I've never rooted an Android device before.
ziddy5 said:
HTC One M8 on Verizon. Android version 5.0.1. I did a lot of research yesterday, and could not find any working solution to root the phone. It's hard to find anything on Google because generally the information will be outdated (from last year or the year before). So can someone fill me in on what exactly I'd need to do? This is my first smartphone and I've never rooted an Android device before.
Click to expand...
Click to collapse
Assuming you are still S-On and locked then you are stuck without root for now.
BladeRunner said:
Assuming you are still S-On and locked then you are stuck without root for now.
Click to expand...
Click to collapse
This is what I was afraid of. How can I keep track of when there is an update to the situation?
ziddy5 said:
This is what I was afraid of. How can I keep track of when there is an update to the situation?
Click to expand...
Click to collapse
keep checking these forums and/or follow @teamandIRC on twitter
Rooting the already updated HTC One M8
It's going to be difficult. I've been scouring the webs for weeks looking for the answer to that one. The Sunshine S-off didn't work for me. The only way I can find right now to do this requires finding somone that has purchaced the elusive "HTC java card" sometimes called the HTC S-off card. They can s-off your phone in a heartbeat. Wish I had one, I just can't see forking over 375.00 to get one.
So if your S-off there is a root method available ? I haven't found it if there is.
I'm running 5.0.1 Verizon S-off
Thanks in advance
jjmstang said:
So if your S-off there is a root method available ? I haven't found it if there is.
I'm running 5.0.1 Verizon S-off
Thanks in advance
Click to expand...
Click to collapse
If you're already s-off then just install twrp and flash, reboot recovery and it should ask you if you want to install root
BladeRunner said:
If you're already s-off then just install twrp and flash, reboot recovery and it should ask you if you want to install root
Click to expand...
Click to collapse
It seems you have to be rooted to install TWRP........at least what found
You only have to be rooted to install it with their app. If you are s-off you can download it from their site and flash it with fastboot.
mpappas87 said:
You only have to be rooted to install it with their app. If you are s-off you can download it from their site and flash it with fastboot.
Click to expand...
Click to collapse
I followed this method and I have re-gained root
http://forum.xda-developers.com/ver...ow-to-root-ota-pc-s-off-t3048604#post59750567
Now I'm going to try and flash the Dragon ROM with Sense 7
Thanks again for the help
same boat ; old filmware?
just received this HTC One M8 thru verizon, lollipop 5.0.1 after day 2 OTA update. I've been rooting every device i've owned since 08. Busy with daily tasks I haven't had a chance to sit and try unlocking bootloader until this weekend. I hit a wall when HTCdev returned an error after entering the identifier token \(^~^)/ . I did some reading, couldn't find anything.
I'm coming from a xt912 I've pretty much squeezed all I can get out of it since I got that brand new. I put CM12 on that just recently this HTC makes that the moto seem primitive. After bricking that (moto)spyder a few times flashing bad zips or doing things out of sequence I've put it thru the ringer and used RSDlite to just start from scratch. I have also found these device can put up with a lot and still bounce back. Geeze, I have three years of continuous text and data backed up on SD, lol . Something I haven't tried and wonder, does anyone know, is there any old VZW filmware for this M8 maybe 4.4.2 and try un locking from that point or Does the token id stay the same no matter what filmware?
Htcdev won't work on our phone because it's blocked by Verizon. Also, it's not possible to downgrade firmware or the OS without having s-off. At this time there's no way to get s-off on lollipop so you're pretty much stuck where you're at until an exploit is found by someone. Sunshine works for anything up to 4.4.4 but it won't work on a Verizon phone that's running 5.0.1. About all you can do right now is wait to see if Jcase and Beaups come up with a way to make it work on a Verizon phone too. I know that's not what you want to hear but that's how it is at the moment.
benjdevel said:
I've been rooting every device i've owned since 08. weekend. I hit a wall
Click to expand...
Click to collapse
Okay, glad I didn't spend too much time trying to figure this out, never rooted a device before
Gotcha . ...Stupid vzw ? I glanced at a procedure to unlock SIM. Have no idea if that would help anything. Havent tried it. Ill have to keep a watch out for something. Really compaired to that spider this thing is like a ferrari. Not too much bloatware. Lollipop rocks and knowing Im up to date for the most part calms me a little. I still dont like the idea of not having complete control of my device. I've already received a few notification marketing related from verizon that i could not close unless i looked at it. I did notice control over saving things to my ext sd i do like. I am a student just getting into the ist world.wish there was something i could help with. 5 classes is killing me at the moment though. I did also try to install an imsi catcher apk updates version and it seemed like it ran fine. I could of swore that app needed root access. I could be wrong with the newest version though.
Joint Java Card?
Same boat (Verizon, htc one m8) . . . For some reason I was thinking Lollipop was the update which was still able to be handled by Weaksauce 2. So I accepted the OTA, without thinking. -hadn't gotten around to s-off, etc., before this time around.
So, in some 2013 posts, I saw that some people had tried to pool resources and share a Java Card, etc. But sending phones to a "card keeper", is expensive, and unsafe (besides having to live without your phone for a few days.). jcase, on their company's IRC support channel, indicates that the card is more than just a simple microSD card, which one might be able to dd a filesystem image from (i.e. copy it for distribution). That's entirely possible, since all SD cards have micro-controllers for dealing with failed sectors, etc (check out "Bunnie's Blog"). Basically, the controller could make it tough/impossible to access part of the card, and can take care of decrimenting credits, encryption, signing, etc. Even if it were a basic SD card, the use of signed binaries, and external license/resource server, etc. could still make it tough . . . -although the card I found states it needs no internet connection. It would be much cheaper to send the card, rather than phones. But how to coordinate and pool the cost seems like it could be a pain?
So here's what I'm thinking about:
Someone (me?) could purchase a legit, new htc Java Card. After I use my 2 or 3 credits to s-off/unlock my phone, I could put the card on, say, ebay for maybe $5 less than what I bought it for. Then, another person could use some credits, then sell it again, for a little cheaper, etc. If we want to keep it "in-house", we could just send to each other and pay with PayPal or Google Wallet. But, with e-bay, one could just copy/build on the ad the first person started. Take a picture of your phone's screen, when the remaining credits are shown, and put it on the ad. With 2000 credits, my conservative estimate is that it could cost less than 72 cents, for each unlock. The $5 incremental discount might be close enough to cover re-shipping costs.
The Sunshine guys have, for free, helped many of us over the years. So I was planning to purchase their solution, if it worked for this situation. But their download page states that "Verizon 5.0.x users will have to wait until we update.". They indicate they could get us supported soon, but they also indicate that Lollipop is much more secure, with SELinux updated and better enforced., etc. So I am a little concerned about when that will actually happen. I see they've been posting updates for Motorola, and making sure people are able to pay them via PayPal, etc. But nothing yet for Verizon 5.0.x.
Does anyone know/recall how long after the last android update, someone came up with a root exploit? I'm just trying to get a rough guesstimate about the minimum time people will have to wait this time. -then add time because Lollipop is apparently significantly more secure. I guess I don't completely mind that my phone might be secure enough to not make it tougher for someone to get into the deepest parts of it, without specialized hardware (Java Card), if I were to lose it.
But, really, what Verizon and htc and others have done to these devices . . . They are, essentially, specialized computers. It would be like if Dell or another computer manufacturer sold you a computer, without allowing you access to your administrator account (and no clear/easy way to boot from another drive, to recover/fix things, etc.). That's crap.
I dunno. What do people think? I suppose I could just try it, and see.
Are new devices updated already? If I were to get a phone from verizon today will it already have the Lollipop update or would I get a still root-able device that I can deny the update?
libredroid said:
But, really, what Verizon and htc and others have done to these devices . . . They are, essentially, specialized computers. It would be like if Dell or another computer manufacturer sold you a computer, without allowing you access to your administrator account (and no clear/easy way to boot from another drive, to recover/fix things, etc.). That's crap.
I dunno. What do people think? I suppose I could just try it, and see.
Click to expand...
Click to collapse
I like the idea of that Java card:good: and I completely agree with you on how wrong it is restricting administrative rights, especially considering these things are comparable to a new computer.
dimsumx said:
Are new devices updated already? If I were to get a phone from verizon today will it already have the Lollipop update or would I get a still root-able device that I can deny the update?
Click to expand...
Click to collapse
No guarantees either way.
What is the status on SunShine for our device?
I got the Java Card.
@vazersecurity: still "Verizon 5.0.x users will have to wait until we update.", as of today.
I got the card, as previously proposed, and was able to get S-Off on my USA-Verizon HTC One M8 with the Lollipop OTA.
I needed to download and place two files in the root of the card (now done).
I then (CID changed) was able to use htcdev.com to unlock my bootloader, and ultimately gain root. I'm now happily running a current Cyanogenmod ROM. To regain some functionality from my camera, etc., I installed the htc camera, HTC Gallery, and Zoe apps from the Play store.
So I've already created a listing for the card on eBay. I assume the forum rules won't allow me to post the link. But I, honestly, always intended to use that as a way to make it more convenient to share with a community of people who wish to join in. -not to try and make any money off the card. Again, rather than have people ship phones to one person (with the shipping cost, and being without their phone), if figured it would be cheaper, and less disruptive, to ship the actual card. So, you'd purchase the card from the previous user, then re-list it for a bit less than what you paid for it. With the starting cost and credits, S-Off is about 30 cents, each. As the card credits get used up, it gets cheaper. Maybe each person would end up paying a few dollars for S-Off, when you factor in the shipping.
Maybe a moderator could chime in about whether it might be OK to post a link to this "community-intended" listing. -or suggest a better contribution/distribution method.
Also, since many users in our situations have been out of luck regarding S-Off, for a few months now, might a moderator or someone suggest/implement a way to post/place this information more prominently, in the forums?
Thanks.

Should I Unlock my Bootloader?

I don't know how this'll go.......
So all my past android phones I have rooted + installed recoveries and what not. Originally I did this because I heard of a way to increase the battery life of my HTC Incredible via rooting. Afterwards I found myself rooting my Inc2, DNA, Inc4G, and my One M8. This time I did it so I can get the latest versions of Android/HTC Sense (until Google finally made a good looking UI w. 5.0).
Today (technically yesterday at this point) I bought the Pixel in hopes of finally being able to receive consistent android updates. That being said, the idea of being able to get consistent and relatively quick android updates was the whole point of me unlocking + rooting my phone.
I guess the question remains: Should I continue running unlocked with the Pixel, or will the updates from Google be enough?
dkris2020 said:
I guess the question remains: Should I continue running unlocked with the Pixel, or will the updates from Google be enough?
Click to expand...
Click to collapse
I like custom recoveries like TWRP because you can make nandroid backups. The downside of unlocking your bootloader is that Android Pay won't work and if someone gets ahold of your phone, like a thief, if the phone is unlocked then they can flash it and it will circumvent any protection on the device.
I like root because you can use apps that require root, like some Ad blockers and Titanium Backup, and because I can remove system apps I don't want on my phone.
It all depends on what you want to do with your phone.
Unless someone has a reason for unlocking the device, generally I don't see the point. There are some things that I want to do with my phone, which are easier to do unlocked, so personally I specifically wanted an unlockable phone. Depending on how much you've read about the Pixel, here are some things you may or may not know.
- Unlocking the device will wipe it, so if you decide later that you want to unlock it will wipe the phone.
- An unlocked stock device can still use the standard OTA updates.
- Some SuperSU users may be able to unroot and then use the standard OTA updates, and some rooted users have reported their phones automatically updating.
- After I started using root my phone fails to install the OTA updates, so I'd guess one of the checked areas on my phone has changed due to the root apps I've used.
- If the OTA notification shows up and the update will not install, with the stock ROM it's possible to burn through a lot of cellular data. When I didn't update my phone this month, it used about 1 GB before I shut off cellular data.
- Items like a computer, TWRP, or FlashFire are the sorts of alternate update routes for the stock ROM if a rooted phone cannot use the standard OTA.
alluringreality said:
some rooted users have reported their phones automatically updating..
Click to expand...
Click to collapse
Isn't there a way to disable the automatic updates?
LoliSmith said:
Isn't there a way to disable the automatic updates?
Click to expand...
Click to collapse
You can disable them in developer options. I've had my phone since early November (turned off system updates the day I got it) and have never been notified that an update is available. However, some have reported that they had system updates disabled in developer options and they still get notified an update is available. It seems to be hit and miss so I can't say for sure it would work for you or not.
Just addressing OPs concerns, unlocking your phone shouldn't have any impact on updates from Google. You can still get them, OTA or otherwise.
The only downside I'd say, are warranty related (unlocking the bootloader will void the warranty on Verizon models), and security. Google has pretty much decided that having an unlocked bootloader is not secure enough for Android pay, so you'll be without that (However, you can still use loaded gift cards/loyalty program cards. It's just credit/debit cards that won't work).
robocuff said:
You can disable them in developer options. I've had my phone since early November (turned off system updates the day I got it) and have never been notified that an update is available. However, some have reported that they had system updates disabled in developer options and they still get notified an update is available. It seems to be hit and miss so I can't say for sure it would work for you or not.
Click to expand...
Click to collapse
On my motorola phones, there was an app that you could freeze using titanium back up. I wonder if there is anything like that with the pixel?
---------- Post added at 12:28 PM ---------- Previous post was at 12:23 PM ----------
Soccerdude588 said:
The only downside I'd say, are warranty related (unlocking the bootloader will void the warranty on Verizon models),
Click to expand...
Click to collapse
First, that assumes that Google has a record of you unlocking your bootloader, which they may since jcase is saying that the phones have to communicate with the Google servers to unlock the bootloader.
Second, there is a federal law on this and the way it works in this situation is that if unlocking your bootloader is not related to the warranty claim, Google can't deny your claim. For instance, if the charging port fails that is entirely a hardware issue unrelated to unlocking your bootloader. Google must honor the warranty for that.
If you were to brick your device flashing, that would be different but Google would have to have some proof that you not only unlocked your bootloader but that it was the unlocked bootloader that resulted in a bricked phone.
robocuff said:
I've had my phone since early November (turned off system updates the day I got it) and have never been notified that an update is available.
Click to expand...
Click to collapse
Are you manually updating your device, or are you running months behind the current release? The reason I ask is that the OTA notices on my phone have been delayed my days or weeks from the initial release, but I think they have showed up eventually when I've stayed on a prior version and the developer option has been shut off.
LoliSmith said:
On my motorola phones, there was an app that you could freeze using titanium back up. I wonder if there is anything like that with the pixel?
Click to expand...
Click to collapse
I was hoping the following link might work similar to the Razr updater, but unfortunately the change kept my phone awake and didn't allow deep sleep both times I tried it. The update notification can be shut off by long pressing it, which I think shows up as a notification block. Due to the cellular data drain, my current plan is to try FlashFire for updates, and if that doesn't work well I'll probably try a ROM to avoid OTA updates.
https://www.androidexplained.com/pixel-hide-ota-notification/
alluringreality said:
Are you manually updating your device, or are you running months behind the current release? The reason I ask is that the OTA notices on my phone have been delayed my days or weeks from the initial release, but I think they have showed up eventually when I've stayed on a prior version and the developer option has been shut off.
Click to expand...
Click to collapse
I've been manually updating it. Usually within a week or so of the release. However, I skipped the January update all together and never got a notification about it. Maybe I got lucky. Don't know.
Thanks for the input guys.
So a lot of the stuff you guys are saying are things that I have had prior experience with so the actual process of unlocking I have no issues with. If unlocking the Pixel is anything like the Moto X Pure (which it should cause Google) it shouldn't be too much of a hassle.
That said I am with Verizon and I can say that in all of my years of owning rooted/unlocked HTC phones I only ever needed to use my warranty for hardware based claims. Like I said the main reason I unlocked/rooted was to get updated ROMs that Verizon/HTC wouldn't push out to the phone. I think I'll more than likely unlock it but I probably won't root unless I need to.
That's pretty much where I am. I did root, but a recent OTA update that I accidentally took unrooted me. Keeping the bootloader unlocked at least leaves that option available.

Solution for rooting the U11 without unlocking bootloader (warranty void)?

Hi guys,
I am really interested in the U11 but unlike for the US, HTC Singapore is stupid about its warranty policy and confirmed the warranty will be void if the bootloader is unlocked. So before I decide to move to another manufacturer, I just wanted to make sure there is no workaround to keep the warranty.
On my last HTC (One M8 Dual Sim), the USB connector and digitizer both had to be replaced within less than 12 months hence I would really like to be able to rely on the warranty for this kind of issues.
Are you aware of an existing solution or someone who may be working on a solution that could allow us to root the U11 without unlocking the bootloader?
Alternatively, I read that "Magisk" can possibly change the bootloader state, what does that mean exactly? Could we possibly unlock it then switch it back to normal without showing the "Re-locked" status?
Thanks
I would really like somethimg like that as well - unability to root without warranty void drives me nuts.
cross-thread:
LuH said:
I got the same response from HTC Czech Republic: unlocking the bootloader would instantly void my warranty, plus they said that warranty-keeping bootloader unlock is possible only in that one special case for US customers, the rest of the world voids their warranty by doing so :/
Rant on the side: I truly despise not being allowed to get root privileges without voiding the warranty - it is MY device, yet I can't control the system. I want to do MY own backups, control (or inspect) the data apps save to MY phone, and control the configuration of MY system. I really hate being locked out from even such basic configurations as the hosts file is - I'm effectively barred from some aspects of web development so that advertisements can be shoved down my throat
Click to expand...
Click to collapse
Same here, from SG. Anyone knows of any method to unlock bootloader without going through HTCDEV?
The short answer is no.
is there a longer answer that would give at least a little hope? On Moto Droid 4 root and some limited flashing possibility were acquired by exploiting a built-in app vulnerability, even though the bootloader was impossible to unlock. Is this really impossible here? And if so, why?
no Way?

Your 986u $125 bl unlock experience

Have there been many failures?
How do you feel about the process?/How did it go?
Any pitfalls I should be aware of? Warranty issues, easy to brick the phone afterwards, etc?
Does it matter what software im on? I'm on the original shipped OS and it's threatening me with a forced update. Yes I turned off the updates in settings and developer options, no avail.
I am a Fi user and just came from a 3 generations of Nexus/Pixels, my last Sam phone was an S4 on Verizon. Root is life.
Thanks
I also came from pixels (and oneplus) been unlocked since the beginning of December, also Fi. No issues whatsoever. The people doing the unlock are cool and to my knowledge the only device lost to the process was one of the peoples who is doing the unlocks, after he tried to relock the bootloader. And that leads to, once unlocked don't relock. You get one shot. 10/10 would do it again
I'm soo ready also to get the boot loader unlocked. one question I have will bank account apps still work, will the battery charge 100‰.
Jack143 said:
I'm soo ready also to get the boot loader unlocked. one question I have will bank account apps still work, will the battery charge 100‰.
Click to expand...
Click to collapse
yes and yes. at least mine do.
Another question I have that is more specific, I'm wanting to get a good call blocking app that will block calls at the root system. which will cause the caller end not to ring when their number is blocked. I purchased root sms manager but I don't have root yet. Have anyone tried the app on a rooted note and it blocks the caller from getting a ring? Hope someone can check.

Question Unlocked bootloader data security

If I lose my phone or it gets stolen how secure is my pin protected data with an unlocked bootloader as opposed to a locked bootloader?
Pretty sure you have to wipe all to get rid of a pin, so I would say it is almost the same.
Connorsdad said:
If I lose my phone or it gets stolen how secure is my pin protected data with an unlocked bootloader as opposed to a locked bootloader?
Click to expand...
Click to collapse
There are two schools of thought on locked vs. unlocked bootloader security (both which I quote below) that I saw discussed a while back on the subject. It may not directly speak on pin protecting your data -- they discuss some on how your device is encrypted behind your pin so even if stolen, it should still be secure (enough) -- but at the very least there are ways around EFS so your device might still be of some use and/or, maybe given enough time you never know what can happen; which is discussed a bit in the quote & discussion (in the thread they do it in) below...
You could click on either posts (they are made in the same thread) to follow the discussion more (they go on for a bit, but not to too much more of a degree)...
96carboard said:
Everything will work perfectly with an unlocked bootloader. It will just give you an annoying warning screen briefly when powering on.
If you want to know about security risks, they're fairly small, and ONLY apply if your phone is handled physically by someone untrusted for an extended period of time, in which the only thing they could actually do is install a modified boot image. Under those circumstances, the device security has to be assumed compromised whether the bootloader is unlocked or not.
An unlocked bootloader will NOT allow a 3rd party to access data on the device, since it is encrypted and requires your security code to unlock.
Now, you can actually tell if they've rebooted the device, which they would HAVE to do in order to install a different boot image; the unlock screen (which they are NOT able to modify without resulting in boot failure) will tell you!
And I absolutely disagree that it is shortsighted to advise immediate unlocking. Nothing of real benefit comes from having a locked bootloader. Any sense of security you gain from it is smoke and mirrors. It can only be tampered with if someone has physical access, and if somebody has physical access, it has to be assumed compromised regardless of whether it is unlocked or not. If anything, your security is improved because it is now on your mind that it could potentially be tampered with, and you are reminded of it with the id10t warning every time it reboots.
Click to expand...
Click to collapse
bobby janow said:
Everything will not work perfectly. Let's be honest here. Look it up, some banking apps work mine doesn't. Pay will work one day and not the next. And if your bank finds out your account was hacked and your phone is unlocked and/or bypasses bank security protocols who will pay for the missing funds when they find out?
A missing device can be booted into a custom recovery and adb commands will be available to take everything on your device bypassing any security you have. With a locked bootloader that is not possible. So if you know your phone can be compromised you feel more secure? That is ludicrous and really doesn't make sense. I mean talk about smoke and mirrors.
Now that being said there are a lot of folks in your camp that say you're living a pipe dream if you think the phone is more easily hacked or info stolen. I understand that argument entirely and it's possibly correct to a certain degree. But to summarily say immediately unlock your bootloader if you don't plan on rooting because.. well just in case, is really disingenuous to a great many individuals. At the very least look up some articles on why to keep your bootloader locked, especially for someone that hasn't done it in some time, if ever. The beauty of Android is the possibility if you so desire. Just be conscience of the advice you give. Many years ago Chainfire said in his blog that if you have an unlocked bootloader and have financial apps on your device you're asking for trouble and you might want to rethink that. (not in so many words) That weekend I locked my bootloader and never looked back. I haven't missed anything.. well other than flashing MVK kernel for my 6a. ;-) But then I'd need root and that brings a host of other issues.
Click to expand...
Click to collapse

Categories

Resources