Related
Currently looking for a suitable Phone Tracker/Locators in case phone gets misplaced.
For those interested in your options, this sums it up well: http://www.androidpolice.com/2011/11/28/mobile-security-app-shootout-final-roundup-out-of-a-sea-of-apps-just-one-emerges-as-a-clear-winner-in-keeping-your-device-safe/
My questions is, how safe in terms of privacy are the trackers that also provide a centralized web interfaces?
Think about it, you are essentially installing an agent that allows the developer (if they so choose) to track where ever it is you are at and control your phone at anytime.
Sure YOU require a password to access your account, but surely the developer could have full access to all accounts using this software.
I used to use Tasker for remote SMS tracking, but the added features of these web integrated trackers are appealing since they also have remote picture taking, remote erase, locking, etc.
How would you weight on privacy vs feature trade off?
klau1 said:
Currently looking for a suitable Phone Tracker/Locators in case phone gets misplaced.
My questions is, how safe in terms of privacy are the trackers that also provide a centralized web interfaces?
Think about it, you are essentially installing an agent that allows the developer (if they so choose) to track where ever it is you are at and control your phone at anytime.
Sure YOU require a password to access your account, but surely the developer could have full access to all accounts using this software.
How would you weight on privacy vs feature trade off?
Click to expand...
Click to collapse
In my opinion it's really a matter of trust. First and foremost, do some research on the developer and app you're considering, look at the feedback, reputation, etc. then make a decision on how safe you feel about the service. It's similar to deciding if you feel safe signing up with a company like LIfeLock. In order for them to protect your sensitive data, you must freely give them all of your sensitive data. How safe would you feel about that? Would you trust them enough not to be malicious?
But then again, aren't you putting the same amount of trust and taking the same risks with the developer of ANY app you install on your phone?
As far as the apps themselves, I have used Find My Droid, the one Best Buy offers, and I can't remember the name of the third one and I found that all three are not as useful as I originally thought.
1. The gps feature was nice but did not pinpoint an exact address, just a general area. How useful is that?
2. I did a "stolen phone" test with the apps and it took them all between 5 and 15 minutes to lockdown the phone and one just plain failed.
3. The remote picture taking feature didn't work and if you plan on using an ICS rom, since the front facing camera doesn't work, the picture taking feature doesn't do much good.
4. The apps are useless if a perp pulls the battery which renders the gps completely useless.
So in summary, I personally wouldn't use one of those phone tracker apps. If you misplace your phone, just call it from someone else's and if you accidently left your phone at a bar or someplace public, call your provider for a replacement because you probably won't see that old one ever again.
(Prospective TF700 buyer here.)
So since the device is WiFi only for most of us, no apps that provide post-theft security via receiving an SMS message are applicable.
I can't think of any way to get the tablet back or find its location post-theft. It would be nice if there was a security app that could act of receiving a specific e-mail instead of SMS.
Aside from post-theft action, before theft I know we can use a password to secure the contents of the tablet. But is the built in screen lock via password the best means to secure it?
I just wanted to foster some discussion and ideas around this topic. Since it's much harder than with a phone. Feel free to chime in with whatever is on your mind related to this subject.
Darnell_Chat_TN said:
(Prospective TF700 buyer here.)
So since the device is WiFi only for most of us, no apps that provide post-theft security via receiving an SMS message are applicable.
I can't think of any way to get the tablet back or find its location post-theft. It would be nice if there was a security app that could act of receiving a specific e-mail instead of SMS.
Aside from post-theft action, before theft I know we can use a password to secure the contents of the tablet. But is the built in screen lock via password the best means to secure it?
I just wanted to foster some discussion and ideas around this topic. Since it's much harder than with a phone. Feel free to chime in with whatever is on your mind related to this subject.
Click to expand...
Click to collapse
This is a valuable way for this kind of thinks and imo it's better than any app.But also keep in mind that even so if you lost your device it will not be easy to get it back,but atleast you could destroy your personal data.Oh,and even if it was a 3G model,the first thing a thief will do is shutting down the device and throw out the SIM.
Pretoriano80 said:
This is a valuable way for this kind of thinks and imo it's better than any app.But also keep in mind that even so if you lost your device it will not be easy to get it back,but atleast you could destroy your personal data.Oh,and even if it was a 3G model,the first thing a thief will do is shutting down the device and throw out the SIM.
Click to expand...
Click to collapse
Thanks.
Far as what the thief will do depends on their intelligence . The one who took my wife's phone kept the SIM in to use our plan as their own.
There are several antivirus apps available that provide remote wiping (abd/or locking) functionality and such, although I do not know if they can turn on WiFi and report the device's location in the process.
I guess Asus Device Tracker will have to do for me.
I do share some of the concerns of the OP in that other thread, but for me it beats nothing.
Device encryption. Takes awhile to do but the device will be useless without the pin. I have been meaning to turn it on, I just never have my charger handy when I think of doing it. Maybe tonight...
Unfortunately Android device encryption slows down the device (which isn't the fastest anyway in our case) and drains battery faster. It cannot be undone without the full wipe, too. It is nothing like TrueCrypt in these respects.
Edit: It seems it can give you some problems with rooting, ROMs and others, too, which makes it a wildcard, although I'd love to use it. Apart from that, it's far from perfect security, as enabling debugging mode will still allow adb access without PIN verification if the device is powered and after the pre-boot PIN verification (which it probably will be when stolen).
WhisperCore looks interesting, but it says Temporarily Unavailable where the download link should be present.
MartyHulskemper said:
There are several antivirus apps available that provide remote wiping (abd/or locking) functionality and such, although I do not know if they can turn on WiFi and report the device's location in the process.
Click to expand...
Click to collapse
Most work via SMS.
You might be interested in another aspect of Device Tracker: http://forum.xda-developers.com/showpost.php?p=30305551&postcount=21
d14b0ll0s said:
You might be interested in another aspect of Device Tracker: http://forum.xda-developers.com/showpost.php?p=30305551&postcount=21
Click to expand...
Click to collapse
So nevermind using Asus Device Tracker given that news .
And device encryption just has too many negative side effects for me personally.
So there's no decent 3rd party app and we can't trust Asus any further than we can throw one of their techs.
It seems the only security for me at this time is encrypting the most sensitive data via an app just for those pieces of data and general physical security.
d14b0ll0s said:
Unfortunately Android device encryption slows down the device (which isn't the fastest anyway in our case) and drains battery faster. It cannot be undone without the full wipe, too. It is nothing like TrueCrypt in these respects.
Edit: It seems it can give you some problems with rooting, ROMs and others, too, which makes it a wildcard, although I'd love to use it. Apart from that, it's far from perfect security, as enabling debugging mode will still allow adb access without PIN verification if the device is powered and after the pre-boot PIN verification (which it probably will be when stolen).
WhisperCore looks interesting, but it says Temporarily Unavailable where the download link should be present.
Click to expand...
Click to collapse
I'd be weary of device encryption if you plan on doing anything to the tablet other than keeping it fully stock. I'm not even sure how OTA updates are handled. Granted the situation is a bit different (and totally my fault) but I encrypted my HD on my laptop (TrueCrypt) which was awesome at first. I didn't see a noticeable depreciation in speed and felt a lot more comfortable . I decided to try a dev build of Win8 one day, so I partitioned my drive and installed through the Win8 setup process. Short version is that my encrypted partition fot trashed and I lost all of my data that wasn't backed up yet.
So yea, be careful when you encrypt.
[OT] Actually, according to TrueCrypt, Windows installer should only change your bootloader and rescue boot from a removable memory should do the trick with recovering TrueCrypt MBA. Did it wipe your data or just the boot record?
---------- Post added at 09:43 PM ---------- Previous post was at 09:38 PM ----------
Darnell_Chat_TN said:
So nevermind using Asus Device Tracker given that news .
And device encryption just has too many negative side effects for me personally.
So there's no decent 3rd party app and we can't trust Asus any further than we can throw one of their techs.
It seems the only security for me at this time is encrypting the most sensitive data via an app just for those pieces of data and general physical security.
Click to expand...
Click to collapse
I think partial encryption is fine, but of course can be compromised easier when not everything is encrypted.
As to third-party apps, I believe there's a lot of these, but after this ASUS example I'm not sure I want to use any of them.
In case you still want sth like that, just have a look at Google Play: https://play.google.com/store/search?q=anti+theft&c=apps
I'm not sure what it actually did at the end of the day (can't remember). I THINK it would only boot to the Win8 partition and while the other partition was there I couldn't access it from anything (I vaguely recall the partition showing up saying that it was 0% full). I tried to restore the MBR and I ran a few different analysis tools to see if I could recover files.
After a few days I decided that it wasn't worth it. It as almost a year ago and most of my stuff was backed up, I really only lost some music and some pictures. I decided to cut my losses, reformat everything, and reinstall Windows7.
d14b0ll0s said:
...
As to third-party apps, I believe there's a lot of these, but after this ASUS example I'm not sure I want to use any of them.
In case you still want sth like that, just have a look at Google Play: https://play.google.com/store/search?q=anti+theft&c=apps
Click to expand...
Click to collapse
Some of these actually look pretty good to me . It would be nice if they made them to work with your own personal machine and not their servers, but they obviously need to use a model that makes them money :laugh: .
Unlike Asus, 3rd party app makers don't hold the device warranty in their hands. They survive off me willing to use and trust their services.
When you're rooted then I recommend Cerberus I use on both my phone and the tablet. I had luckily never the chance to use it in a real situation but from my testing I can tell that it works really good.
It has a trial version so you can test it before buying.
Sent from my Galaxy Nexus using xda premium
avast! is the answer
Seems as if avast! Mobile Security can do everything the Asus Device Tracker can do. And even more, since it also has a virus scanner, firewall, network meter, SMS/call blocker and more other features than I care to remember. And it's FREE. All that and no worries of losing warranty.
avast! can lock the device tight via a web site, wipe it and more. And it can be configured to not be easily removed. So it's the answer to me.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Hello, my name is Keith and I'm interested in sharing tips with the community to protect you from losing your device to thieves or other attackers. I'm sure many on xda-developers have heard of stolen device recovery apps like Android Lost and Cerberus, this guide will involve these, but also walk you through avoiding mistakes that can result in you never getting your phone back from an attacker. While the two apps I mentioned are very powerful, it's not as easy as installing an app to insure you get your phone back the way you left it. I'll also include other methods of recovery for a plan B approach.
So lets begin!
REQUIREMENTS
A phone or tablet duh! (data plans are a plus, but not necessary to use this guide)
Root access helps quite a bit!
Knowledge involving recoveries like CWM or TWRP.
A secure launcher. By secure I mean one that can't uninstall apps outside of the settings menu (ADW Ex just fixed this!)
NO PIN ON LOCKSCREEN (explained)
Step 1:
Download Android Lost (no sms add-on for wifi-only tablets) OR Cerberus!
These two apps are for theft recovery. They allow you to do things like:
-Locate & Track GPS
-Lock Device (and unlock device if you're deadset on having a lock, not ideal for recovery)
-Sound Alarms
-Wipe Internal/External Storage
-Recover Call Logs
-Recover SMS Logs
-Popup messages on device(great for trolling thieves)
-Call Forwarding
-Device information (battery left, network status, etc)
-Capture Photos (get a mugshot for the police)
-Record Sound (Cerberus only)
Which should you choose and how are they different? Well a lot of people like Android Lost, it's free (as in beer) and can even be installed and utilized from your google account after your device is stolen. It's a little more wifi-only tablet friendly. Android Lost has a unique feature that lets it hide SMS commands sent to the phone from Android Lost so you don't alert the attacker.
That said I personally use Cerberus. It's a lot less suspicious looking, a little less known, and is easily flashed to your ROM's /system/app folder (even with the option of disguising itself as framework). Cerberus however, is not free, it has a small fee of $3-5 which protects up to 5 devices. I like that Cerberus is a little more featured with sound recording, and it can run as a device administrator (I don't think Android Lost does this).
Step 2:
After you've chosen a security application, the time comes to protect that application. You may have seen me mention above that it's recommended you don't put a lock screen on your device. Let me take a second to explain why. Google. The first page of results on google for "how to bypass lockscreen" has the potential to foil everything. It can lead to your attacker learning how to easily preform a hard reset, and for the sake of recovering your phone this is not optimal. My brother has stolen a few iphones, and not once has a lock ever stopped him (he's a mechanic not a computer guy).
I like to take an open door approach to security. Leave your door unlocked, but nail everything valuable inside to the floor. Now leaving your device open to everyone requires you to stop and think about what YOU need to protect. To start you must download an app locker. There are tons of these out there, some OEMs even ship devices with them these days. The one I am using in this guide is UAG, or Ultimate App Guard - check out UAG Helper as well to potentially protect UAG from deletion.
There are many apps and services you can lock in a variety of ways ranging from pins to patterns to passwords. Here are the basic things you should lock.
- Settings
- Root File Explorers (or even your stock explorer if you've got photos you're not keen of others seeing)
- Gmail (especially if it's the account you're registered for android lost/cerberus with)
- App Markets (so they can't install more apps like root file explorers or rack up charges to your account)
- Package Installer (so the attacker can't install third party apps like root browsers, uncheck 3rd party installs in settings when you don't need it anyway)
- ADB Toggle (uncheck adb in settings, download adb toggle to quickly toggle on and off as needed, even locked it's still quicker)
- Titanium Backup
- Rom Toolbox
- SD Maid and similar apps that can delete files
Now this isn't all you should lock, just the essentials. Try not to lock too much else or else the attacker will have motive to use google to figure out how to hard reset. Let them play angry birds, let them check facebook (don't remember passwords for important stuff), let them play with your toys basically.
If you are on a wifi only tablet, then locking settings will present an issue - they can't connect to networks for Android Lost or Cerberus. There are two things you can do about it.
- Download Wifi Manager and place it in a location the attacker will see it (I put it under the system app drawer in ADW)
- Preload as many wifi hotspots as you can think of (starbucks, mcdonalds, libraries, etc).
It is highly unlikely the attacker will not want to connect to the internet on your device, even it's only over wifi. So even if you have a data plan consider doing the above in case they decide it's not safe to use your phone service.
Step 3:
Other Security Threats to consider
Launchers
Many launchers seek to be powerful and give you quick control over every little detail. Unfortunately that means some of them allow uninstalls. Recently I reported an uninstall vulnerability in ADW Ex to it's developer, and he's patched it with a lock pin which specifically addresses this issue. So for example, in ADW Ex to uninstall anything or access important launcher settings the attacker would need to know your launcher's lock pin. I am unsure of the situation on other launchers, but always check and report it to the developer if it's vulnerable! Do not overlook this and underestimate the attackers ability to notice this stuff, it could cost you your phone.
Recovery
If you have your Anti-theft application flashed to your ROM this isn't SUPER important. But you're still vulnerable to those who flash over your ROM. Don't forget your backups either! Having an insecure backup sitting on your sd card can cost you your device. If this vulnerability bothers you, try resetting your recovery to stock, and use Mobile ODIN or NVFLASH. Very few attackers (if any?) will be connecting in APX mode over usb to flash a blob over NvFlash lol.
WARNING FOR CM10/AOKP USERS: Remove the reboot menus!! Reboot into recovery in the reboot options when the power is pushed couldn't make it more obvious to an attacker!
Terminals
It only takes a few commands in android for an attacker to delete a few important links in your security chain. You may want to consider locking your terminal if you're still paranoid.
Plan B approaches
Your Carrier
If you own a smartphone under Sprint, Verizon, or AT&T - don't ever let their sales reps tell you your carrier can't find your phone. They have no problem when it comes selling this information to law enforcement. Granted an attacker may remove the sim card, go into airplane mode, or a sales rep may not have that kind of access, it's still a possibility for them to access your phone's GPS or use tower triangulation. Unfortunately in this case, some carriers like T-Mobile don't collect this kind of data, great for privacy - not as much for security.
EXIF Data
I've talked to the developers of cerberus briefly about implementing features to enable geotagging on photos remotely, but something like this hasn't been implemented yet. However a reasonable amount of device identifying information is still stored in EXIF data of photos taken from your device. Websites like stolencamerafinder allow you to upload photos you've taken on your device and search the internet for photos with exif data containing your devices serial number. It also allows you to enter your serial number and search for that alone. This can potentially find an attacker's facebook profile with that beautiful mirror photo taken with your phone. Once you have a name, websites like spokeo or reverse whitepages lookups can help you find addresses to report to authorities.
Be sure to check your serial number beforehand so you can figure out if this method is reliable for your device.
SSH
Here's a classic recovery video I'll end this with, done largely over ssh.
Thanks for information
Sent from my WT19i using xda app-developers app
holy cow great info!!! i am one of those who just installed 'android lost' and was good to go. lots of things to consider in addition to that..the 'hard reset' being the most troublesome.
i like the trojan horse approach..just let them in but lock down anything important.
pa33vel said:
Thanks for information
Sent from my WT19i using xda app-developers app
Click to expand...
Click to collapse
nyvram1 said:
holy cow great info!!! i am one of those who just installed 'android lost' and was good to go. lots of things to consider in addition to that..the 'hard reset' being the most troublesome.
i like the trojan horse approach..just let them in but lock down anything important.
Click to expand...
Click to collapse
thank you both for posting. glad this could be of use to others.
I actually wrote this just as my buddy got his brand new galaxy note 2 stolen from starbucks. Tried to walk him through recovery but his phone wasn't prepared beforehand. He had some battery apps installed that completely screwed his chances of recovery.
Nice guide but pretty much every thief will take the battery out, throw out the sim and either sell it to the local phone guy or hard reset it themselves.
This guide will only work on people who happen to find a lost phone or those really stupid thieves who have no idea what their doing.
Sent from my GT-I9000 using xda premium
NIMBAH said:
Nice guide but pretty much every thief will take the battery out, throw out the sim and either sell it to the local phone guy or hard reset it themselves.
This guide will only work on people who happen to find a lost phone or those really stupid thieves who have no idea what their doing.
Sent from my GT-I9000 using xda premium
Click to expand...
Click to collapse
how will they hard reset a stolen phone without a recovery or adb? furthermore - cerberus is flashed to /system, so a reset alone won't work.
the moment the person they're selling it to tests out the wifi it's over.
How good is the avast anti theft thing.?
pa33vel said:
Thanks for information
Sent from my WT19i using xda app-developers app
Click to expand...
Click to collapse
Lifehacker7 said:
How good is the avast anti theft thing.?
Click to expand...
Click to collapse
I just checked it out it looks like it would get the job done. It's missing some features cerberus / android lost have, has one or two unique features I saw - the one I noticed is it sends you an email when you battery is low and as much geographic data as it can acquire. This may be annoying though because your battery gets low quite often.
Seems a litte bloated in some areas, I'm generally against virus scanners on android because as long as you're getting your apps from reputable sources and they're not requesting odd permissions you're really just vulnerable to zero day exploits that this software won't be programmed to detect. If you're a person that pirates apps, loads JavaScript in random emails sent to you, or downloads very obscure apps - this may be more useful.
Shame that we have to sacrifice battery for security apps.
ickkii said:
how will they hard reset a stolen phone without a recovery or adb? furthermore - cerberus is flashed to /system, so a reset alone won't work.
the moment the person they're selling it to tests out the wifi it's over.
Click to expand...
Click to collapse
How would you remove the recovery? I don't know how it is where you are but over here they can simply flash everything back to normal with JTAG. Most phones get shipped over seas anyway so yeah.
Oh and Samsung phones you can just flash back to stock in download mode. Sony I'm pretty sure you flash back to stock in flash mode as well.
Sent from my Sony Tablet S using xda premium
NIMBAH said:
How would you remove the recovery? I don't know how it is where you are but over here they can simply flash everything back to normal with JTAG. Most phones get shipped over seas anyway so yeah.
Oh and Samsung phones you can just flash back to stock in download mode. Sony I'm pretty sure you flash back to stock in flash mode as well.
Sent from my Sony Tablet S using xda premium
Click to expand...
Click to collapse
it varies by device, most easy thing to do is flash stock. I'd love to see a day where cwm or twrp implement a recovery pin. TWRP can pull up a keyboard, and it could be done with a volume rocker, so I'm not sure why they don't implement some kind of security feature to it.
You could always break your volume rocker :laugh:
crashlen0 said:
Shame that we have to sacrifice battery for security apps.
Click to expand...
Click to collapse
not in every case, just don't set your antenna rules too strict. My friend set it to only grant access when his bluetooth headset is connected, bad results for him.
Very useful tutorial. I'd give you more stars if I could. You’ve obviously studied this carefully. I also appreciate your taking the time to provide comments on avast.. .those comments were useful.
I’m just trying to think through the pro’s and con’s of the approach recommended in the guide. (open the front door but nail everything down inside).
The big con for me
It will take time to enter a pin/pattern/password for every sensitive application (gmail, settings, playstore, file manager, many more), rather then just one when I unlock my screen. It means I have to dramatically alter the way I use my phone every single day.
So I want to understand the benefit, the “why” a little better:
If someone steals my phone which is screen-locked and USB debuggin off (*), then the only way for them to get in is to do some kind of factory reset? Doesn’t that process remove all the sensitive information from the phone? i.e. they're not going to be able to get into gmail once they break in? . I did spend awhile googling as you mentioned methods breaking into the phone, but these answers weren't clear to me.
Where I'm coming from (My uninformed opinion fwiw): I’d like to get my phone back, but protecting my sensitive data is also important. So I'd like to understand if the likely break-in method an attacker will take facing a locked phone at least protects my sensitive data:
if it does block access to sensitive data, then it's not a total loss to allow them to do it (I've lost my phone but not my identify)
if it does not block access to sensitive data, then I'm much more interested in locking down the individual apps like gmail etc.
* By the way, I did see while googling they can get past locked phone without factory reset if you have USB debugging on. That would be a big deal since they could get to gmail etc if you rely soley on lock screen and have USB debugging on. I'm definitely turning it off and only on when I need it.
Thanks
Very useful
Thanks for information
electricpete1 said:
Very useful tutorial. I'd give you more stars if I could. You’ve obviously studied this carefully. I also appreciate your taking the time to provide comments on avast.. .those comments were useful.
I’m just trying to think through the pro’s and con’s of the approach recommended in the guide. (open the front door but nail everything down inside).
The big con for me
It will take time to enter a pin/pattern/password for every sensitive application (gmail, settings, playstore, file manager, many more), rather then just one when I unlock my screen. It means I have to dramatically alter the way I use my phone every single day.
So I want to understand the benefit, the “why” a little better:
If someone steals my phone which is screen-locked and USB debuggin off (*), then the only way for them to get in is to do some kind of factory reset? Doesn’t that process remove all the sensitive information from the phone? i.e. they're not going to be able to get into gmail once they break in? . I did spend awhile googling as you mentioned methods breaking into the phone, but these answers weren't clear to me.
Where I'm coming from (My uninformed opinion fwiw): I’d like to get my phone back, but protecting my sensitive data is also important. So I'd like to understand if the likely break-in method an attacker will take facing a locked phone at least protects my sensitive data:
if it does block access to sensitive data, then it's not a total loss to allow them to do it (I've lost my phone but not my identify)
if it does not block access to sensitive data, then I'm much more interested in locking down the individual apps like gmail etc.
* By the way, I did see while googling they can get past locked phone without factory reset if you have USB debugging on. That would be a big deal since they could get to gmail etc if you rely soley on lock screen and have USB debugging on. I'm definitely turning it off and only on when I need it.
Click to expand...
Click to collapse
Sorry I wasn't quicker to respond - But UAG has a setting that makes it to where you must only enter it once until you power the screen off and it applies it to all locked apps. UAG isn't working for the time being on my current rom, I don't know if it's the same for others but I've notifed the developer regardless.
I'm a forensics student and can tell you that a reset alone won't wipe all the slack byte data off of the device, but fortunately this is an area of security that malicious hackers haven't quite caught up too. Mainly Military and Law Enforcement possess the tools and skillsets to do this on mobile devices because a lot of the software created to image your device and recover deleted data isn't liscensed to the general public. Solid State drives have put a few penetration testers out of business because it is notoriously difficult for forensic analysis. I can assure you that from this angle your common theif will not be stealing your identity - if you're a big shot with the CIA as an enemy, no so much. Account hijackings occur far more commonly through bad recovery questions, poor network security, or coming in contact with maliscious software.
However you should be prepared to immediately change your passwords to important accounts whenever any of your computers are compromised. Diceware is actually a pretty neat app for creating passwords with lots of entropy that makes cracking them more difficult. I've heard of a few gmail accounts being stolen lately that could have been avoided with two step authentication, so hiding google authenticater can be beneficial.
If a factory reset happens your user app data will be deleted apart from what is saved to internal storage and your sd card. What will remain is the device recovery backup that was saved to /system/apps so the option remains for you to remote wipe if you can contact the device. With avast I noticed the backup I created was in my app drawer, this worries me some because it may not be saving to the system folder - but cerberus does this for sure.
First of - I'm just an everyday user of Android device, never interested in hacking or any other "advanced" use of computers and likes. My greatest achievements so far are jailbreaking Iphone, rooting an Android phone and installing stock ROM on it. You can call me a noob. However - I like to improve things I use and I also value my privacy. That's why I installed a software that locks access to certain apps on my phone. I recently found this app actually made an opposite - it made my device vulnerable to identity theft and potential financial loss. I wouldn't really bother telling my story if developers didn't delete my one-star-rating with a brief description of the problem right after I posted it in Play store.
So, to the point. I installed CM Security and app lock app (nearly 14 millions of users and 4,7 rating) and locked some of the "sensitive" apps with it. One evening I was bored enough to try and play "a hacker" who "found my phone" and see what such person could do. Considering "a hacker" somehow managed to unlock the device he'd now encounter my second line of the defense - the mighty app locker. And now, in a few short steps I'll show you how much damage you can do with it:
1. First it obviously asks you for an unlocking password/pattern, but -as you don't know it - you hit in-app menu button and choose "forgot password?" option.
2. It asks you to log in to your Google account in order to reset the password (YES, you can access Google password recovery from inside the app, so even if you lock your device's Settings, your mail client and so on, you can still access the most vulnerable option of your account from "security" app).
3. As you don't know a Google password you hit the "forgot password" link that starts Google password reset process.
4. It will ask you for the "last password you remember", but you can just say you don't know it and then it gives you an option to get a verification code by SMS - chances are it will be sent to the device you're just holding in your hands. And these chances are big.
5. After you get a verification code you're in. You can now set a new Google account password and reset app locker password/pattern.
It's that easy. You not only unlocked an app locker but also got access to Google account which gives you pretty much endless possibilities, including purchase of some apps in the Play Store as it stores your card details and you only need an account password to authenticate the purchase. You can also try to restore Ebay or Paypal passwords or even try to get directly into bank accounts via banking apps. Sky is the limit.
I already deleted CM "security" app and looked for some replacement. I wasn't really surprised it's kind of a standard that when you install them, security apps ask you to give your Google account details just in case you need to recover your password in a future. And they often make you think that giving these details is an integral part of installation process, a must-do that is necessary for an app to install and work. Some apps, like CM "security" don't even ask - they just use your Google account details and don't give you a chance to give up such option.
After all - here's some advice I can give:
1. Don't install any security software that connects to your Google account and gives "password reset" options;
2. Don't give Google your mobile number, even if it seems convinient;
3. Don't use your Google account address as your contact information in "owner info" option of your device.
If you have any other suggestions that may improve security, please share.
Cheers
Question is why you didn't lock your device in the first place.
I think you are misappling this feature 's benefit/use. It is not there, IMO, to secure your phone from an advesary that has even brief access to your phone.
That is what a combination of a lock screen pwd,short for convenience, and full encryption using a separate and longer pwd of high entropy/randomness is for. Even with that its important to understand how it works and its limitations. Such as it does not encrypt.the ext sd card data. So if you put apps or privledged data there you either should not or using other means to encrypt it. One such way would be to use truecrypt to encrypt it using a pc, being the easiest and then use one of the apks that gives suports accessing those types of partitions/files.
The function you are speaking of is ther to prevent people you have a large degree of trust in such as a family member or close.friend possibly that you may allow to use your phone but do not want them to be able to access private data. Think of a parent allowing their child to use the phone to play a game but does not want them scewing up email or going into their bank app and randoming clicking around etc...
I hope you get the idea. Its not there to prevent someone that means to do you direct intentional harm.
I also want to point out my comments are only directed at the most basic level and only deal with physical secure of data on the phone and not the phone itself nor from remote access or privacy.
Also want to point out that a screen lock pwd is nothing but a inconvenience at best to someone wanting access to your data. A quick reboot into recovery and a bkup to a sd card will get them all your data and any weakly secured credentials there in. Its only one part of physical security, of which, is only itself one part in over all data security, which itself, is only a part of data privacy. Its a large house of cards and removing one or putting one little piece in just slightly the wrong place and collapse the whole house.
Its hard to do just the small piece of each of these parts correctly and exrremely hard to.combine all the small and large parts together for a total protection scheme. It takes considerable research and learning to do these things especially if your goals are for higher levles of security and privacy.
As an example someone that really wants their phone data ue on android to be private from commerical.data collection which via proxy means all gov access to said data would never install goggle play store or any google app on their device. That is just one glaring example of many.
http://ad.cmcm.com/en/?f=home-en-top
Cheetah Mobile is spyware. watch the video on their website
I would suggest using the built-in encryption on Android. I don't use it myself, but have the Avira app installed. I like their PC software, and gave it a try.
It can be used to track a lost phone or lock it remotely. Since I have rooted my Huawei G300 it complains a bit, but still scans all apps being installed.
bigeasy911 said:
I think you are misappling this feature 's benefit/use. It is not there, IMO, to secure your phone from an advesary that has even brief access to your phone.
Click to expand...
Click to collapse
Fact is still that this app claims it provides certain security, yet it doesn't. Not everyone will realize this. So it's always good that people keep pointing this out.
Nearly a year gone since I posted this and now I returned to "AppLockers" during my mobile security research. This is such a bad thing I can't believe apps of this kind are accepted by PlayStore and not banned eternally as the most fake security solution that ever existed. What surprised me even more, "serious" companies, eg. Norton are also in this business... anyway
I checked this one first - Best App Lock - it's "best", right? And it's got 4.5 stars rating with 1,000,000 - 5,000,000 downloads.
I set it up, set the PIN, locked test app - everything seems fine.. as long as you don't go to Settings > Apps and don't force stop Best App Lock, because then - your protection is gone. But OK, you can also lock Settings and prevent such tricks and it works... as long as you don't use Activity Launcher to call App Lock's pin reset activity... Yes, you can reset the PIN without even opening the app itself.
Now, Best App Lock was clearly made by some amateur, so let's see what pros got for us, the big ones. I checked mentioned Norton App Lock, with 4.6 rating and surprisingly not as popular, with "only" 500,000 - 1,000,000 downloads. It's a bit better, it only contains one activity, so you can't bypass it easily, because the app itself is protected with a pattern, but here's another trick - reboot device in Safe Mode and you can disable Norton's permission to draw over other apps to make it helpless as a baby. Or you can just uninstall it in SM. I didn't check anything else, because what more you can do to prevent such workaround, than Norton already did?
If someone is aware of a way to disable power menu, or at least the ability to disable Safe Mode on unrooted Android please share. Until then I call all the App Lock apps the biggest scam in mobile security.
minimale_ldz said:
Nearly a year gone since I posted this and now I returned to "AppLockers" during my mobile security research. This is such a bad thing I can't believe apps of this kind are accepted by PlayStore and not banned eternally as the most fake security solution that ever existed. What surprised me even more, "serious" companies, eg. Norton are also in this business... anyway
I checked this one first - Best App Lock - it's "best", right? And it's got 4.5 stars rating with 1,000,000 - 5,000,000 downloads.
I set it up, set the PIN, locked test app - everything seems fine.. as long as you don't go to Settings > Apps and don't force stop Best App Lock, because then - your protection is gone. But OK, you can also lock Settings and prevent such tricks and it works... as long as you don't use Activity Launcher to call App Lock's pin reset activity... Yes, you can reset the PIN without even opening the app itself.
Now, Best App Lock was clearly made by some amateur, so let's see what pros got for us, the big ones. I checked mentioned Norton App Lock, with 4.6 rating and surprisingly not as popular, with "only" 500,000 - 1,000,000 downloads. It's a bit better, it only contains one activity, so you can't bypass it easily, because the app itself is protected with a pattern, but here's another trick - reboot device in Safe Mode and you can disable Norton's permission to draw over other apps to make it helpless as a baby. Or you can just uninstall it in SM. I didn't check anything else, because what more you can do to prevent such workaround, than Norton already did?
If someone is aware of a way to disable power menu, or at least the ability to disable Safe Mode on unrooted Android please share. Until then I call all the App Lock apps the biggest scam in mobile security.
Click to expand...
Click to collapse
The first step to real security is removing all Googleapps and Google account. There is no other way around this. Next, don't install any app that is not open source. Also, don't use any recovery. And finally, either epoxy your entire usb port, if you have let's say a magnetic charging port or cut all usb port pins except for 2 for charging. In addition, you should open the phone and epoxy usb port and contacts from inside, so that it can't be replaced. Or even better: epoxy your entire motherboard. That would take care of UART socket or any other way of entering CPU/GPU/RAM from inside. Encrypt your phone. After that, your phone couldn't be penetrated (other than through the air/baseband, which is a whole different level of sophistication). If someone targets you over the baseband, throw your phone and run for your freedom...
Seriously, in the above scenario, no one can have access to your data: no fastboot, no adb, no recovery. They wouldn't be able to replace kernel, recovery, system or use any OEM official flashing method... . I welcome any suggestion to hack such a device...
minimale_ldz said:
Nearly a year gone since I posted this and now I returned to "AppLockers" during my mobile security research. This is such a bad thing I can't believe apps of this kind are accepted by PlayStore and not banned eternally as the most fake security solution that ever existed. What surprised me even more, "serious" companies, eg. Norton are also in this business... anyway
I checked this one first - Best App Lock - it's "best", right? And it's got 4.5 stars rating with 1,000,000 - 5,000,000 downloads.
I set it up, set the PIN, locked test app - everything seems fine.. as long as you don't go to Settings > Apps and don't force stop Best App Lock, because then - your protection is gone. But OK, you can also lock Settings and prevent such tricks and it works... as long as you don't use Activity Launcher to call App Lock's pin reset activity... Yes, you can reset the PIN without even opening the app itself.
Now, Best App Lock was clearly made by some amateur, so let's see what pros got for us, the big ones. I checked mentioned Norton App Lock, with 4.6 rating and surprisingly not as popular, with "only" 500,000 - 1,000,000 downloads. It's a bit better, it only contains one activity, so you can't bypass it easily, because the app itself is protected with a pattern, but here's another trick - reboot device in Safe Mode and you can disable Norton's permission to draw over other apps to make it helpless as a baby. Or you can just uninstall it in SM. I didn't check anything else, because what more you can do to prevent such workaround, than Norton already did?
If someone is aware of a way to disable power menu, or at least the ability to disable Safe Mode on unrooted Android please share. Until then I call all the App Lock apps the biggest scam in mobile security.
Click to expand...
Click to collapse
Reviews or star ratings are not always very reliable, just use as a rough guide .... (In my opinion SOME of those Chinese apps seem to be amongst the worst offenders)
https://techcrunch.com/2014/05/27/f...unes-but-google-play-has-the-worst-offenders/
optimumpro said:
The first step to real security is removing all Googleapps and Google account. There is no other way around this. Next, don't install any app that is not open source. Also, don't use any recovery. And finally, either epoxy your entire usb port, if you have let's say a magnetic charging port or cut all usb port pins except for 2 for charging. In addition, you should open the phone and epoxy usb port and contacts from inside, so that it can't be replaced. Or even better: epoxy your entire motherboard. That would take care of UART socket or any other way of entering CPU/GPU/RAM from inside. Encrypt your phone. After that, your phone couldn't be penetrated (other than through the air/baseband, which is a whole different level of sophistication). If someone targets you over the baseband, throw your phone and run for your freedom...
Seriously, in the above scenario, no one can have access to your data: no fastboot, no adb, no recovery. They wouldn't be able to replace kernel, recovery, system or use any OEM official flashing method... . I welcome any suggestion to hack such a device...
Click to expand...
Click to collapse
Well you forgot SD card, unless you encrypt that as well, which for a user who uses the card for transferring files across different devices is not such a bright idea.
using epoxy could slow down the hack, and seriously give more trouble to the user than the hacker.
that being said your idea of securing the data is somewhat clear but really a secured device? cause epoxy can be penetrated as well, lock screen can also be bypassed, even without Google and a recovery.
it might take more time than hacking an average device, but still it can be done and most probably the hacker would be the same owner. cause he forgot the damn password and is looking to get back the data.
the more we try to secure, the more we make our lives tough.
billysam said:
Well you forgot SD card, unless you encrypt that as well, which for a user who uses the card for transferring files across different devices is not such a bright idea.
using epoxy could slow down the hack, and seriously give more trouble to the user than the hacker.
that being said your idea of securing the data is somewhat clear but really a secured device? cause epoxy can be penetrated as well, lock screen can also be bypassed, even without Google and a recovery.
it might take more time than hacking an average device, but still it can be done and most probably the hacker would be the same owner. cause he forgot the d
amn password and is looking to get back the data.
the more we try to secure, the more we make our lives tough.
Click to expand...
Click to collapse
Epoxy: Knowing how small and fragile phone motherboards are, I think you will most likely damage the board while trying to penetrate epoxy... Maybe you shouldn't epoxy the usb port on the ouside, but cut the data pins and epoxy on the inside to not give a hint to an attacker. Anyway, I wish an attacker fun time trying to remove epoxy...
The point of encryption is to protect data when the phone is off. So, it makes sense that for someone without a password, the phone turns into a brick. And if you tend to forget the password, then write it down somewhere other than the phone...
Mobile security is a myth. At best it is a door knit lock. Will keep honest People honest but won't stop someone from. Really trying and doing it.
I see lots of talk from people about security and yet these same people use Facebook which has enough holes in it that anyone could hack someone else pc. I use it all the time to mess with people. The looks on their faces are priceless.
Hi there!
Last years I always had xposed framework on my phone. And what I loved most >>> xprivacy.
Like this I had the impression I could control what was happening on my phone ... not allowing apps to spy on me or read data that they do not need.
So I came here to root my new Honor V10 and hoped to find here again my beloved xprivacy. But now I had to find out that xprivacy is not getting developed anymore and there is nothing available that would do the same job.
So I am asking myself if developers do not care anymore about privacy. Are you all not interested in having privacy? Did you give up on it?
I wonder why I need root now if not for privacy. Adblocking ... ok, but I am surprised that there is no development in the area of data control and privacy.
mark_at said:
Hi there!
Last years I always had xposed framework on my phone. And what I loved most >>> xprivacy.
Like this I had the impression I could control what was happening on my phone ... not allowing apps to spy on me or read data that they do not need.
So I came here to root my new Honor V10 and hoped to find here again my beloved xprivacy. But now I had to find out that xprivacy is not getting developed anymore and there is nothing available that would do the same job.
So I am asking myself if developers do not care anymore about privacy. Are you all not interested in having privacy? Did you give up on it?
I wonder why I need root now if not for privacy. Adblocking ... ok, but I am surprised that there is no development in the area of data control and privacy.
Click to expand...
Click to collapse
You can search for XPrivacyLua.
Thank you.
I will try it as soon as Xposed is working on my Honor V10.
But the question for me was also about privacy in general. I am surprised that so few people and developers care or worry about privacy.
For me this is the MAIN reason to root ... to have more control about my data.
It isn't that we don't care about privacy. It's just that Android itself has never really been privacy focused, and the APIs it already provides get the job done. XPrivacy just allows more control over what is already there.
My honest opinion? If you want privacy then use Lineage and stray away from GApps. Privacy Guard is very flexible, and automates Androids permission scheme for you. GApps on the other hand? Well, Google at its heart is an ad company. The choices they make and data they submit behind your back gets done rather you change some small permission or not. GMS has its ways. And even without them, it comes down to how much you can really trust the concept of not having your data submitted. Does a tiny little switch that says it makes your phone more secure really provide enough to convince you that it is?
I guess what I'm saying here is privacy is an illusion. You might as well enjoy the ride . I mean, according to the NSA I'm being spied on by China right now. Part of me cares, but the other part tells me that I've been spied on by more than just them. Enjoy the show Bejing
Well, I am used to Xprivacy where I am able to allow or not allow different "rights" to all the apps that I have installed.
If you see one time only what is happening in the background (activity log) and what apps are trying to check on your phone, then you would for sure be a big fan of Xprivacy very fast.
And even if I do not allow half of the things, the apps mostly work without problems.
And I tried LineageOS on my phone, but I prefer the original ROM, I did not see any advantage for myself.