Regarding security & bootloader... - Xiaomi Mi Mix 3 Questions & Answers

There are many sites selling Mix 3's some Chinese, some Global, some with locked bootloaders, and some with unlocked bootloaders, this thread is to help people "protect" the devices they have bought (or will buy).
It's through my understanding that the most "secure" way of protecting your phone & data from thief's is to have your bootloader locked, with no custom recovery, encryption on & usb debugging disabled right?
This is because with a unlocked bootloader, the thief has the ability to boot into TWRP (for example) & simply wipe your pin/password/lock off the phone completely, then just boot it up, factory reset it & sell it.
I know there is methods such as putting the phone in cold temperatures so you can retrieve the encryption keys from the RAM, but assuming the thief is just basic & what's to make some quick money off your phone...So...
What's the best way & most recommended thing to do with Xiaomi devices specifically, locked/unlocked, encrypted/not-encrypted, does it matter?, If not, why not?
Any help is appreciated! The more in-depth the better.

Even with a locked bootloader a thief can hold VolUp while booting, wipe phone and sell it. Wiping is possible in any case and thats not even the issue a stolen Phone is gone.
The issue are your data which can be stolen too when you have a unlocked bootloader. Simply boot to twrp connect usb and copy everything. But you can prevent that with encryption and enable "requires pattern to start". That way if your phone gets stolen the thief can still Install/use Twrp but he needs to enter a pattern to decrypt the storage. If he doesnt, twrp wont be able to read the partition and your data is safe. He can still wipe the Phone and sell it but you cant prevent that. I don't know if the pattern generates the encryption keys or retrieves them from somewhere but i'd assume it generates them, probably together with some device specific values, else that would be a flaw in my book. If someone could enlighten me here that'd be nice.
If your bootloader is locked he also can't access your data. Since stock recovers doesn't allow/support Usb-filetransfer. So a lockpattern is all you need there. Encryption shouldnt really matter against the normal thief.
I am going this way: Unlocked bootloader to get rid of Miui, Twrp to have a proper recovery menu, and encryption+pattern to save my data. Disable USB-Developer Options to prevent adb shenanigans.
But on the hand if you wan't to get really panariod a locked bootloader would be better since you still can read the system image from the phone from twrp, this means, and this is a easy way to do it, you could read it copy it to the pc and simply brutefroce the lockpattern. If you have the partitions you can simply try 3 patterns either it works or the phone locks itself up because you did 3 wrong. If it locks up you simply write the partitions back and try again. If you can do 3 in 30 seconds you are done in 45 days since there are only 390.000 different patterns on a 3x3 grid (which is what most people use since some Roms don't even allow for 4x4 or 5x5) but if you emulate it and can do 3 in 15 seconds you are down to 23 days. If you run it in 20 emulators you are done in 1 day. (That would be an awesome weekend project.) In emulation you could really optimize this since you can cut everything out what isn't needed for the attempt to encrypt the partition. you dont even need the screen to load, simply send the decryption module whatever the last module in the Numbers-from-touches-chain would have sent, everything that is loaded before the attempt to decrypt must be unencrypted therefore can be messed with, probably it's even universal across phones since that's a stock android thing. If it tries to write used attempts, save whatever what gets overwritten beforehand, let it write its thing, kill the process, revert changes and try again with the next set. Maybe you get it down to 3s or 4s for 3 attempts and boom you are at 6 hours to encrypt any android phone, no matter which version, with an unlocked bootloader which uses a 3x3 pattern. But your data would be really valueable to someone if they did this. You can't do that with a locked bootloader since you can't read the partitions or you could just use the 5x5 pattern, which you cant do on MIUI (i just tried and havent found where you could change it). But probably i have a giant oversight in there so this probably woudn't work
________________________________________________
On the other hand if you want to recover your phone you should make it as easy as possible to get the thief into your phone since you dont want them to run it off and wipe it. I DONT RECOMMEND THIS. But you could make a 2nd user who has no lock pattern on it. Concider your Data public at this point but while they are busy looking at your selfies you could use a app like prey to track the phone. But since Data are more important than a phone i'd never do or recommend that.

Or you could just buy a tin foil hat.

~phoeny~ said:
Even with a locked bootloader a thief can hold VolUp while booting, wipe phone and sell it. Wiping is possible in any case and thats not even the issue a stolen Phone is gone.
The issue are your data which can be stolen too when you have a unlocked bootloader. Simply boot to twrp connect usb and copy everything. But you can prevent that with encryption and enable "requires pattern to start". That way if your phone gets stolen the thief can still Install/use Twrp but he needs to enter a pattern to decrypt the storage. If he doesnt, twrp wont be able to read the partition and your data is safe. He can still wipe the Phone and sell it but you cant prevent that. I don't know if the pattern generates the encryption keys or retrieves them from somewhere but i'd assume it generates them, probably together with some device specific values, else that would be a flaw in my book. If someone could enlighten me here that'd be nice.
If your bootloader is locked he also can't access your data. Since stock recovers doesn't allow/support Usb-filetransfer. So a lockpattern is all you need there. Encryption shouldnt really matter against the normal thief.
I am going this way: Unlocked bootloader to get rid of Miui, Twrp to have a proper recovery menu, and encryption+pattern to save my data. Disable USB-Developer Options to prevent adb shenanigans.
But on the hand if you wan't to get really panariod a locked bootloader would be better since you still can read the system image from the phone from twrp, this means, and this is a easy way to do it, you could read it copy it to the pc and simply brutefroce the lockpattern. If you have the partitions you can simply try 3 patterns either it works or the phone locks itself up because you did 3 wrong. If it locks up you simply write the partitions back and try again. If you can do 3 in 30 seconds you are done in 45 days since there are only 390.000 different patterns on a 3x3 grid (which is what most people use since some Roms don't even allow for 4x4 or 5x5) but if you emulate it and can do 3 in 15 seconds you are down to 23 days. If you run it in 20 emulators you are done in 1 day. (That would be an awesome weekend project.) In emulation you could really optimize this since you can cut everything out what isn't needed for the attempt to encrypt the partition. you dont even need the screen to load, simply send the decryption module whatever the last module in the Numbers-from-touches-chain would have sent, everything that is loaded before the attempt to decrypt must be unencrypted therefore can be messed with, probably it's even universal across phones since that's a stock android thing. If it tries to write used attempts, save whatever what gets overwritten beforehand, let it write its thing, kill the process, revert changes and try again with the next set. Maybe you get it down to 3s or 4s for 3 attempts and boom you are at 6 hours to encrypt any android phone, no matter which version, with an unlocked bootloader which uses a 3x3 pattern. But your data would be really valueable to someone if they did this. You can't do that with a locked bootloader since you can't read the partitions or you could just use the 5x5 pattern, which you cant do on MIUI (i just tried and havent found where you could change it). But probably i have a giant oversight in there so this probably woudn't work
________________________________________________
On the other hand if you want to recover your phone you should make it as easy as possible to get the thief into your phone since you dont want them to run it off and wipe it. I DONT RECOMMEND THIS. But you could make a 2nd user who has no lock pattern on it. Concider your Data public at this point but while they are busy looking at your selfies you could use a app like prey to track the phone. But since Data are more important than a phone i'd never do or recommend that.
Click to expand...
Click to collapse
Really appreciate the time you took to type out this post, thankyou.

Related

[Q] Encryption

Hey there. Can't find any info about encryption and what it brings, so I'll just fire away a few questions about details for that matter. Not that I'm so obsessed with security, more like just curious about the possibility. And keeping things under protection is nice when dealing with business stuff.
What encryption brings? Only data in encrypted, or apps/system too?
Would someone be able to get something from TF by connecting it to a PC? Or he will fail even using ADB or nvflash?
How secure we're speaking about? Any info on encryption method and key length in bits.
If I forget my password, or any other weird thing happen, could I reset it with nvflash, loading new clean images? Maybe encrypted volumes are handled differently, and it's not so easy...
Clockwork Recovery. Would it work perfectly fine with encrypted tablet?
Custom ROMs (like Prime!). Any possible problems when messing with system files without total wipe?
Performance. How bad it could be affected? I'm not sure Tegra2 has RSA-optimized module built-in (or whatever method it's using).
Unlocking. Will I be prompted to enter password every time I see unlock screen, or only when I reboot?
Any known limitations, like password length (I like to set long passwords, it's more efficient and easier to remember).
Bump - heard that HC 3.2 enabled encryption at last. Anyone tried it and can answer any of my questions?
Never done it myself, but from information I read:
tixed said:
Hey there. Can't find any info about encryption and what it brings, so I'll just fire away a few questions about details for that matter. Not that I'm so obsessed with security, more like just curious about the possibility. And keeping things under protection is nice when dealing with business stuff.
What encryption brings? Only data in encrypted, or apps/system too?
Would someone be able to get something from TF by connecting it to a PC? Or he will fail even using ADB or nvflash?
How secure we're speaking about? Any info on encryption method and key length in bits.
If I forget my password, or any other weird thing happen, could I reset it with nvflash, loading new clean images? Maybe encrypted volumes are handled differently, and it's not so easy...
Clockwork Recovery. Would it work perfectly fine with encrypted tablet?
I guess this should be fine.
Custom ROMs (like Prime!). Any possible problems when messing with system files without total wipe?
Performance. How bad it could be affected? I'm not sure Tegra2 has RSA-optimized module built-in (or whatever method it's using).
I read that this would have lesser performance since it has to be decrypted on fly and also affects battery.
Unlocking. Will I be prompted to enter password every time I see unlock screen, or only when I reboot?
I guess every time when you unlock.
Any known limitations, like password length (I like to set long passwords, it's more efficient and easier to remember).
Click to expand...
Click to collapse
I found THIS little tid bit after a Google search.
I do know that it does NOT encrypt your removable MicroSD card or SD card. The encryption can take a considerable amount of time to encrypt all your data (1 to 3 hrs and has to be powered on and at 100%). It will require a PIN or Password prompt at power on and possibly for other data sensitive action. It will also allow for password mining which is the process by which you are required to reenter a new password after so long. Also once you encrypt the only way back is a factory reset. If you lose your PIN or Password your SOL about getting your sensitive data back.
You might be better off using an app that can encrypt individual files that you choose.
Cheers...
tixed said:
What encryption brings? Only data in encrypted, or apps/system too?
Would someone be able to get something from TF by connecting it to a PC? Or he will fail even using ADB or nvflash?
How secure we're speaking about? Any info on encryption method and key length in bits.
If I forget my password, or any other weird thing happen, could I reset it with nvflash, loading new clean images? Maybe encrypted volumes are handled differently, and it's not so easy...
Clockwork Recovery. Would it work perfectly fine with encrypted tablet?
Custom ROMs (like Prime!). Any possible problems when messing with system files without total wipe?
Performance. How bad it could be affected? I'm not sure Tegra2 has RSA-optimized module built-in (or whatever method it's using).
Unlocking. Will I be prompted to enter password every time I see unlock screen, or only when I reboot?
Any known limitations, like password length (I like to set long passwords, it's more efficient and easier to remember).
Click to expand...
Click to collapse
Had a brief experience with encryption before I wiped back to stock. I would strongly recommend against it unless you wish to stick to a stock system and very much need that type of security. From what I remember of my experience:
The data partition is encrypted (not sure what else, but not MicroSD). When your device boots, a prompt that somewhat resembles a lockscreen pops fairly early on when the OS attempts to mount those partition(s). Thereafter, everything is accessible as usual; you can grab things via ADB. You do not have to constantly enter the password (though you would probably want to lockscreen your device as general good practice). As to what nvflash would get you, I'm not sure, since that would be before the partition mount...probably nothing usable. The problem with having an encrypted partition is that CWM at moment can't really do anything useful to those partitions. You cannot flash, backup, or restore via CWM. This means your ability to work with custom ROMs is effectively crippled. In fact, to undo the encryption (or if you forget your password), I had to nvflash back to stock. Factory reset via CWM cannot be done since, again, the partitions are still encrypted.
If in the future, CWM is able to access the partitions like the stock recovery can, then you'd be fine. Performance was not noticeably slower in anyway.
Thanks for the replies. This feature seems pretty grim at the moment. Well, we can all hope that Google and ASUS will update it properly. At least, they did a lot of good updates recently.

Lock bootloader/recovery

I know that this has definitely been asked before, but I just want to counter some points other people have been making against password/pin protecting either the bootloader or the recovery. I sense that it's very doable, and practical for several reasons.
The first is, obviously, anyone can go on youtube and watch a tutorial on wiping the phone to bypass the lock screen, but not every average thief can flash new recoveries, bootloaders, ROMs, etc, etc. They'd probably give up after a while and just let it sit there for apps like cerberus to locate.
The second point is to prevent unauthorized entry into recovery, on my old S2 running CWM, my friend rebooted into recovery and nearly destroyed my system (began installing random zip files)
I wouldn't think it would be too hard to execute either, TWRP (which I currently use) already has a "swipe to unlock system", it wouldn't be hard to modify it to contain a pin.
So hopefully someone actually sees this, and best-case scenario, one of the TWRP devs sees this...so thank you for reading that random spur of arguments, and I know that Team Win has already responded a while back but hopefully this gives some new arguments for why there should be a lockscreen.

OnePLus stuck trying to encrypt

So I wanted to do the full encryption on my device. Let the device charge, and started the encryption process. The screen went blank, and then a green figure of the android came on the screen and has been there since. Its been almost three hours now? If my phone loses all its data thats ok, but I dont know if a bad encryption could brick the device?
Not sure if this is significant, but I have been on Facebook messenger since my phone was encrypting, and several msgs and text msgs have been showing on the screen?
Any ideas or advice would be great.
The encryption process may take quite a long time; it's not uncommon to see some phones take 6+ hours to encrypt, depending on the internal storage capacity.
AFAIK, Android will encrypt all of the internal storage, even the empty space. So if you have the 64GB version, that's a lot of storage space to encrypt at one go.
I would leave the phone plugged in and running the encryption for at least 24 hours if it's taking a while. It shouldn't take that long, and something might be broken, but better safe than sorry, I suppose.
Interrupting encryption will probably, if not definitely, result in data corruption or loss on the device. Depending on how far along the encryption was, you may end up with a bricked device, but it's pretty much impossible to say for certain what the outcome will be if you interrupt it.
There's a bug in CM11S 33R that broke full device encryption.
Normally, soon as you set a PIN and click encrypt, you will see a green bot, then you phone should restart into the Encryption Progress 1%, 2%, 3%, etc. screen.
As it is right now on CM11S, which is the stock software that the OnePlus One come in, you will see the green bot screen but the damn tying won't restart. OnePlus confirmed this is a bug that should be fixed in next OTA update.
In the mean time, if you unlock your bootloader, encryption will start. Or flash CM11 nightly.
Sorry, might be the wrong thread to ask, but what is the point of encryption, if there is no storage to be removed from this phone?
Send from OnePlus One using Tapatalk
Satras said:
Sorry, might be the wrong thread to ask, but what is the point of encryption, if there is no storage to be removed from this phone?
Click to expand...
Click to collapse
Someone could boot a stolen phone to boatloader, access the partitions (data, internal sd, etc) by adb and copy the contents of your device to an alternate location. One could also flash a custom recovery and create backups and push them over to a pc.
It also seems possible for some devices to unlock the bootloader without wiping data. So there are some unlocked doors, if device is not encrypted.
You can compare it to a WindowsPC -> Just boot from USB-Stick / CD and mount the Harddisk and you can access all of its contents, if device encryption isn't used.
Your should see a percentage indicator when it's encrypting. My 64gb took around an hour or so to finish
nsmart said:
Someone could boot a stolen phone to boatloader, access the partitions (data, internal sd, etc) by adb and copy the contents of your device to an alternate location. One could also flash a custom recovery and create backups and push them over to a pc.
It also seems possible for some devices to unlock the bootloader without wiping data. So there are some unlocked doors, if device is not encrypted.
You can compare it to a WindowsPC -> Just boot from USB-Stick / CD and mount the Harddisk and you can access all of its contents, if device encryption isn't used.
Click to expand...
Click to collapse
Fair Point.
So once they fixed the bug, can I do a nandroid Backup and simply test it. If it ain't my cup of tea, can I simply apply the nandroid Backup again and my phone is unencrypted again?
Send from OnePlus One using Tapatalk
No, nandroid wont apply over an encrypted partition. It requires the partition to be decrypted first.
Hm, so I need to move the Backups to my computer first.
Send from OnePlus One using Tapatalk
Yeh something like that. Worst comes to worst if you forget you can just boot the phone normally and copy SD contents across by USB. Then format and restore nandroid.
I haven't had any issues with encryption, TWRP 2801 fixed it.
Possibly off topic also, sorry, but what are the downsides to full device encryption? Reasons why every isn't doing it? Seems much more secure, although I'm not using it myself at the moment.
Sent via quantum entanglement, focused through my OnePlus One.
Lower performance, less battery life, harder to troubleshoot if it does not boot correctly.
Make sure to have off-site backups when starting the encryption
Send from OnePlus One using Tapatalk
As an addendum, on a fast device like our OPO, the performance penalty is negligible. The security benefits far outweigh the costs, as pin locks are easy to defeat and even without, data can be accessed from bootloader/recovery. Remote wipes are not always reliable and for others like me who keep sensitive emails, company info, SSH/GPG keys, it's peace of mind.
It's also rumored that Android 5 will bring by-default encryption.
Strange, you say pin locks are easy to defeat, but isn't this the default for unlocking your encrypted phone?
Send from OnePlus One using Tapatalk
I changed my decrypt password to 16+ characters, and screen unlock remains at 4 digits. That way inconvenience is minimized.
There is an app on Play Store to set separate screen unlock / decryption passwords.
SenK9 said:
I changed my decrypt password to 16+ characters, and screen unlock remains at 4 digits. That way inconvenience is minimized.
There is an app on Play Store to set separate screen unlock / decryption passwords.
Click to expand...
Click to collapse
Do you know if that app will work with TimePIN? I rather like the app, though it's currently removed from play store while developer works on ART issues, because it changes the screen unlock to the current time which enhances the security of the device. I've thought about doing full device encryption previously but that always made me hesitate with the amount of hassle to check it.
I dont know what TimePIN is, but it should be fine. Changing the decryption password doesn't affect the lockscreen pin/password, they are independent.
Now that I'm back on my computer, I can drop some links here.
Cryptfs password changer
https://play.google.com/store/apps/details?id=org.nick.cryptfs.passwdmanager
This changes the pre-boot decryption password ONLY, not your lockscreen password. It's good for people who want a very secure encryption password, but without the hassle of typing it in each time they unlock the device (by default, Android will use the same for both, which has been a long-debated point).
Manually:
If you want to do it manually, you can configure Android's vold module (https://source.android.com/devices/tech/storage/config.html)
At prompt (with root):
Code:
vdc cryptfs enablecrypt inplace <password>
Security:
I can't find the link, but there was a Github script I ran across that was able to extract the encrypted filesystem header from an Android device in recovery mode, to an attached computer and brute force it. For a 4 digit PIN (which is what many people use), it takes less than a minute on an average home PC.
Hopefully that helps somebody ...
SenK9 said:
Yeh something like that. Worst comes to worst if you forget you can just boot the phone normally and copy SD contents across by USB. Then format and restore nandroid.
I haven't had any issues with encryption, TWRP 2801 fixed it.
Click to expand...
Click to collapse
twrp 2801 did allow me to encrypt, but the password will not decrypt in twrp. Color me confused.
Sent from my A0001 using XDA Premium HD app
Error message in TWRP?
SenK9 said:
Error message in TWRP?
Click to expand...
Click to collapse
"Password Failed. Please Try Again"
&
"E: Failed to decrypt data"
I have tried changing the password too, and get the same error.
Sent from my A0001 using XDA Premium HD app

Lollipop - Enabled encryption. Not sure if it worked

Hey guys
I flashed the factory images last night effectively wiping my Nexus 5 and starting from scratch. I did not restore apps and settings either. After I manually installed a bunch of my apps back and changed around a few settings, I decided to enable encryption. However, I don't think it enabled properly.
First, I had not set a PIN lock on my phone yet at the time.
When I decided to enable encryption and go through the process, it didn't ask me to enter a PIN.
It seemingly completed encrypting the phone. When I go back to the security menu, it says "Encrypted".
However, I am not prompted to enter a PIN upon booting the phone (not talking about the lock screen PIN).
So, it seems like it didn't work but I'm not sure. Has anyone else enabled encryption yet?
and yes, I saw the performance degradation that comes with enabling encryption but I'd rather have the security.
definitely sounds like there's an issue there. Do you have a custom recovery? If so, you could boot into that, pull some data and see if it opens. If it does, yeah its not encrypted.
Not worth mentioning degradation. All encryption always has and always will have performance degradation. It's par for the course
That sounds like a good idea. If it's not encrypted, then I guess the only method is to wipe and reinstall again.
mattkroeder said:
That sounds like a good idea. If it's not encrypted, then I guess the only method is to wipe and reinstall again.
Click to expand...
Click to collapse
I think so. You can't reverse the encryption flag without a wipe I dont think
mattkroeder said:
Hey guys
I flashed the factory images last night effectively wiping my Nexus 5 and starting from scratch. I did not restore apps and settings either. After I manually installed a bunch of my apps back and changed around a few settings, I decided to enable encryption. However, I don't think it enabled properly.
First, I had not set a PIN lock on my phone yet at the time.
When I decided to enable encryption and go through the process, it didn't ask me to enter a PIN.
It seemingly completed encrypting the phone. When I go back to the security menu, it says "Encrypted".
However, I am not prompted to enter a PIN upon booting the phone (not talking about the lock screen PIN).
So, it seems like it didn't work but I'm not sure. Has anyone else enabled encryption yet?
and yes, I saw the performance degradation that comes with enabling encryption but I'd rather have the security.
Click to expand...
Click to collapse
Not sure, but i think it's designed to works just like that, the encryption key is not the PIN anymore but something (random?) that is stored somewhere on the phone.
that would protect the data in case someone tries to read it directly from the phone's memory, but useless if you don;t have a PIN/PASSWORD.
I avoided encryption before for exactly that reason (requiring a password to boot). If I lose the phone I want the person that found/stole it to be able to at least boot it. if the person is not a thief there's a contact number so they can call me to give it back. if he/she's a thief well, as long as it's on I can call it, track it, wipe it. even brick it.
by not being able to boot it, the chances of getting it back are 0 if the battery dies or is dead!
http://readwrite.com/2014/10/28/google-android-lollipop-encryption-issues
there isn't much info out there about it.
kenshin33 said:
Not sure, but i think it's designed to works just like that, the encryption key is not the PIN anymore but something (random?) that is stored somewhere on the phone.
that would protect the data in case someone tries to read it directly from the phone's memory, but useless if you don;t have a PIN/PASSWORD.
I avoided encryption before for exactly that reason (requiring a password to boot). If I lose the phone I want the person that found/stole it to be able to at least boot it. if the person is not a thief there's a contact number so they can call me to give it back. if he/she's a thief well, as long as it's on I can call it, track it, wipe it. even brick it.
by not being able to boot it, the chances of getting it back are 0 if the battery dies or is dead!
http://readwrite.com/2014/10/28/google-android-lollipop-encryption-issues
there isn't much info out there about it.
Click to expand...
Click to collapse
I went ahead and wiped the phone again. I reinstalled lollipop and made sure to enable a lockscreen PIN before I enabled encryption. It seems to have encrypted properly. It prompts me for my PIN at boot up now.
You make a good point about encryption making it more difficult for someone to get a hold of me if I lose the phone though.
Same problem here, with Nexus 5 and Android v5
My work Exchange server enforces a security policy to the phone which forces you to enable encryption. So I went ahead and did that, and the email app is still saying that encryption needs to be enabled. When I reboot the phone I never get prompted for a PIN to decrypt the device, yet in the settings screen it says it is encrypted.
I'm going to have to re-flash. Is it possible the issue is caused by leaving the bootloader unlocked? or is this is a bug?
EDIT: Update. Reflashed, but first thing I did was relock the bootloader and enable a security screenlock PIN, *then* encrypted the phone. Now it's prompting me for a PIN on boot and looks like it's worked. Hope the Exchange email policy stays happy this time, as it worked before for about a day before it complained about the lack of encryption
this worked for me also
I did what was stated below and it worked....
1. reflashed,
2. locked bootloader
3. created lock pin
4. encrypted, THEN
5. added MDM control (MAAS360) and exchange email.
It seems to work OK now.
Thanks!
JoyrexJ9 said:
Same problem here, with Nexus 5 and Android v5
My work Exchange server enforces a security policy to the phone which forces you to enable encryption. So I went ahead and did that, and the email app is still saying that encryption needs to be enabled. When I reboot the phone I never get prompted for a PIN to decrypt the device, yet in the settings screen it says it is encrypted.
I'm going to have to re-flash. Is it possible the issue is caused by leaving the bootloader unlocked? or is this is a bug?
EDIT: Update. Reflashed, but first thing I did was relock the bootloader and enable a security screenlock PIN, *then* encrypted the phone. Now it's prompting me for a PIN on boot and looks like it's worked. Hope the Exchange email policy stays happy this time, as it worked before for about a day before it complained about the lack of encryption
Click to expand...
Click to collapse
mattkroeder said:
Hey guys
I flashed the factory images last night effectively wiping my Nexus 5 and starting from scratch. I did not restore apps and settings either. After I manually installed a bunch of my apps back and changed around a few settings, I decided to enable encryption. However, I don't think it enabled properly.
First, I had not set a PIN lock on my phone yet at the time.
When I decided to enable encryption and go through the process, it didn't ask me to enter a PIN.
It seemingly completed encrypting the phone. When I go back to the security menu, it says "Encrypted".
However, I am not prompted to enter a PIN upon booting the phone (not talking about the lock screen PIN).
So, it seems like it didn't work but I'm not sure. Has anyone else enabled encryption yet?
and yes, I saw the performance degradation that comes with enabling encryption but I'd rather have the security.
Click to expand...
Click to collapse
If you set up a screen lock pin the phone will ask you then if you would like the PIN to be enabled or not at boot.
kenshin33 said:
Not sure, but i think it's designed to works just like that, the encryption key is not the PIN anymore but something (random?) that is stored somewhere on the phone.
that would protect the data in case someone tries to read it directly from the phone's memory, but useless if you don;t have a PIN/PASSWORD.
I avoided encryption before for exactly that reason (requiring a password to boot). If I lose the phone I want the person that found/stole it to be able to at least boot it. if the person is not a thief there's a contact number so they can call me to give it back. if he/she's a thief well, as long as it's on I can call it, track it, wipe it. even brick it.
by not being able to boot it, the chances of getting it back are 0 if the battery dies or is dead!
http://readwrite.com/2014/10/28/google-android-lollipop-encryption-issues
there isn't much info out there about it.
Click to expand...
Click to collapse
Sorry for OT, but how can you remotely brick your phone? Just curious in case I ever need to. Don't live in the best of neighborhoods. I can remote wipe, track, take pics. The normal lost/stolen stuff, but I haven't heard of remotely bricking a phone ever.
Nexus 5 still looking to be encrypted
Only a temp fix---Both my Nexus 7, and Nexus 5 just started asked to be encrypted again....
This is still a problem with Lollipop
thegasmaster said:
I did what was stated below and it worked....
1. reflashed,
2. locked bootloader
3. created lock pin
4. encrypted, THEN
5. added MDM control (MAAS360) and exchange email.
It seems to work OK now.
Thanks!
Click to expand...
Click to collapse
wipe efs partition (I do have a backup on my computer) and the phone is no longer a phone.
Just to be clear, you can enable encryption on Android 5.0, and it will not force you to lock the phone. (Like the PIN screen and boot lock). When you buy a Nexus 6/9 the data partition is encrypted but there's no lock set. The following is from this article;
First, the encryption doesn't help much if you haven't set a passcode. Ludwig said studies have shown that roughly have of users don't set passcodes on their devices, largely because they find it inconvenient to keep entering them dozens of times a day. Lollipop will still encrypt your data, but it will also automatically decrypt it in normal use. So if you don't have a passcode, much of your information will be available to anyone who picks up your phone.
Click to expand...
Click to collapse
So if you've enabled encryption, and gone through the process, you're phone data partition is encrypted. It's just not locked down until you use some kind of phone lock too. BTW, the article goes on to describe the limited usefulness of having an encrypted data partition and no phone lock;
Lollipop's encryption still offers some limited protection even under those circumstances—for instance, by protecting stored data against anyone who tries to read it directly from the phone's memory. That could shield user passwords and other sensitive data from attackers.
Click to expand...
Click to collapse
As to why Exchange policies don't see the phone as encrypted is probably due to another issue.
Setting PIN to be required at startup after encryption possible fix
I now have my Nexus 5 & 7 working with exchange on Lollipop using this-
1. Reflashed Lollipop
2. Let phone reinstall all my apps
3. Locked bootloader.
4. Set a screen lock PIN
5. Encrypt phone
6. Set screen lock PIN to be required on start up (this was missing before!)
7. Installed MDM control via Mass360-all policies look to be met, including encryption
8. Installed my exchange account via Gmail
//code.google.com/p/android/issues/detail?id=79342
Updated thread with solution
---
* It used to be that when I did a reboot or shutdown and restart, I would have to enter a password before the system fully started.
* But now the phone boots into the phone without putting in my password. I can reboot the phone and it will boot all the way to the Lock screen, and I can unlock the lock screen with my fingerprint or my backup password.
* I am concerned that somehow my device is either no longer encrypted or that there is some setting which has stored the boot password.
--
Solution :
For those of you who find they have this problem and have not solved it, I found a solution that works, related to a bug (feature?) in Accessibility.
Apologies if this was suggested further in the thread, and that I'm replying to an old post. But I recently had this problem and figured out a solution.
- Accessibility was enabled and for some reason this cached the boot password. So- when I removed the app (rights) and turned off accessibility, and changed (reset/reentered) the password in security settings... On next boot the phone correctly asked me for password.
YMMV.
subs said:
I posted this elsewhere... But I'm having the same problem. Any thoughts? I can post more details, but don't want to repost this everywhere that I see people having the same unresolved problem.
---
* It used to be that when I did a reboot or shutdown and restart, I would have to enter a password before the system fully started.
* But now the phone boots into the phone without putting in my password. I can reboot the phone and it will boot all the way to the Lock screen, and I can unlock the lock screen with my fingerprint or my backup password.
* I am concerned that somehow my device is either no longer encrypted or that there is some setting which has stored the boot password.
Click to expand...
Click to collapse
Hi, please try not to bump threads almost a year old. I realise that it might have taken you a while to actually reach this thread, but hear me out.
Opening a new thread is always better, since software versions, features and devices are most likely different, along with different device usage habits/users.
You say you're having "the same problem"... as.. who exactly? There's a bunch of different specific "issues" that relate to encryption. Be specific.
For instance, you mentioning fingerprint sensor leads me to presume that you are not using a Nexus 5.
Sent from my Nexus 10 using Tapatalk

Making the S8+ completely theft proof

Hey!
It's my first post here so it this isn't the best place for such a question then by all means mods pls move the thread to where it should be
Basically, where I'm currently living (Brazil), things tend to get pretty violent and phone thefts are very common. Now the thing is, if it's an iPhone usually the thieves just throw it away, as once it's locked it becomes useless. When it comes to Android though, some of them will dig deep trying to access your info like pictures, passwords, bank information, among other things. They even manage to break IMEI locks and stuff. I got my S5 stolen recently and the information theft part put me through hell. Yet, I'd much rather have an S8+ then any other iPhone currently, so my question is how could I completely theft proof it?
I'm not really worried about them restoring the phone and reselling it, more about them accessing the data inside of it. I know the SD card can be protected through cryptography (although would accept "stronger" tips if there are any). When it comes to apps, aside from the basics of trusting what you install and stuff, are apps like Cerberus, Knox 2.0, or other Samsung features I'm not aware of, any good against someone who knows what they're doing? Is there a way to disable airplane mode or power offs? Also what is probably my strongest concern: is there a way to completely not allow system changes through a computer, like the one that removes the lock screen?
Being a programmer and computer science undergrad student (although not specializing in security nor mobile), I'd have no problem if the solutions would involve some coding or tweaking, just as long as they prove to be effective.
So, would you guys have any tips on how to completely secure the data given those concerns?
The sd card can be Encrypted and if you have a password lock (fingerprint irsi etc...) then it will ask for that before it will unlock the phone.
Also they have a remote wipe. You can log i to google and remote wipe your phone when you found out its been stolen.
You can set the phone to require a password to decrypt it when it's restarted. You can encrypt the SD card too. You can set it to lock instantly when the screen turns off. And you can use only a password to unlock it (no biometrics), which is the most secure option (if you use a suitable password). Finally, you can set the phone so that you can wipe it remotely, or to wipe itself after a number of consecutive incorrect password attempts. But even without the last two measures, your data will be unreadable without your password.
Unfortunately, though, if thieves are violent enough, they may be able to coerce you into divulging the password. If they succeed, they have full access to your phone.
Gary02468 said:
You can set the phone to require a password to decrypt it when it's restarted. You can encrypt the SD card too. You can set it to lock instantly when the screen turns off. And you can use only a password to unlock it (no biometrics), which is the most secure option (if you use a suitable password). Finally, you can set the phone so that you can wipe it remotely, or to wipe itself after a number of consecutive incorrect password attempts. But even without the last two measures, your data will be unreadable without your password.
Unfortunately, though, if thieves are violent enough, they may be able to coerce you into divulging the password. If they succeed, they have full access to your phone.
Click to expand...
Click to collapse
What about stuff like that Dr. Fone Toolkit that supposedly removes the lock screen? From the quick look I took it seems it somehow patches the Android on the phone to remove the lock screen. Is there some sort of system encryption/lock to avoid that kind of stuff when connected to a computer?
xile6 said:
The sd card can be Encrypted and if you have a password lock (fingerprint irsi etc...) then it will ask for that before it will unlock the phone.
Also they have a remote wipe. You can log i to google and remote wipe your phone when you found out its been stolen.
Click to expand...
Click to collapse
Usually they just put it on airplane mode though, so google remote wipe is useless... Which is why I was looking for more of an offline fix through cryptography and such
I use smart Lockscreen protector to prevent somebody putting my phone to airline mode or shutting it down ( It won't help phones with removable battery)
If you have the phone encrypted and have the require pin on boot set. And you have the Qualcomm version that is locked down you have nothing to worry about.
Even the iPhone 7 has been jail broken or rooted the S8 with the Qualcomm chip is one of only a few phones that have not been hacked. It's actually WAY more secure than an iPhone.
lvrma said:
What about stuff like that Dr. Fone Toolkit that supposedly removes the lock screen? From the quick look I took it seems it somehow patches the Android on the phone to remove the lock screen. Is there some sort of system encryption/lock to avoid that kind of stuff when connected to a computer?
Click to expand...
Click to collapse
The phone is completely encrypted, so if you set it to require a password to restart and to turn the screen back on, then its contents are unreadable without the password regardless of how you connect to it.
lvrma said:
...
Usually they just put it on airplane mode though, so google remote wipe is useless... Which is why I was looking for more of an offline fix through cryptography and such
Click to expand...
Click to collapse
If you have a lock screen set you can lock the status of your phone(wifi state, airplane mode, power settings). This way you have to unlock it to toggle these modes.
I just ran across this, some good advice.
http://thedroidguy.com/2017/04/setu...security-features-tutorials-1071462#Tutorial1
lvrma said:
What about stuff like that Dr. Fone Toolkit that supposedly removes the lock screen? From the quick look I took it seems it somehow patches the Android on the phone to remove the lock screen. Is there some sort of system encryption/lock to avoid that kind of stuff when connected to a computer?
Click to expand...
Click to collapse
Like you, I'm interested with this topic, but unlike you, I would like the theief to have a useless phone if they cant unlock it. So that they would think twice the next time they want to steal an android. Else they would just continue stealing since you just put the phone on download mode, connect to a computer and root it.
About your question. Isnt disabling usb debugging mode on developer option block that risk? Also in my note 4, enabling knox will prevent your device from being rooted, at least thats what i understand from the description. i wonder where it is in s8.
speaking of knox, s8 has "Secure folder". its like a secured environment within a phone. Everything you put in here will be protected by knox. Apps, accounts, files, etc. And it would ask for another security to access it(pattern/pin/password).
lvrma said:
Usually they just put it on airplane mode though, so google remote wipe is useless... Which is why I was looking for more of an offline fix through cryptography and such
Click to expand...
Click to collapse
you mentioned cerberus app, it has a function than can wipe device memory and wipe sd card via SMS command. so if you are fast enough, while the thief is running away and before he pulls out your sim card from the phone, you can send an sms command to wipe data.
Since you mentioned you are a programmer, this may be interesting to you, locking download mode and recovery mode on android to prevent thief from flashing hack to your phone. but this require a bit of patience if android isnt your forte.
https://ge0n0sis.github.io/posts/20...-mode-using-an-undocumented-feature-of-aboot/
BratPAQ said:
Like you, I'm interested with this topic, but unlike you, I would like the theief to have a useless phone if they cant unlock it. So that they would think twice the next time they want to steal an android. Else they would just continue stealing since you just put the phone on download mode, connect to a computer and root it.
About your question. Isnt disabling usb debugging mode on developer option block that risk? Also in my note 4, enabling knox will prevent your device from being rooted, at least thats what i understand from the description. i wonder where it is in s8.
speaking of knox, s8 has "Secure folder". its like a secured environment within a phone. Everything you put in here will be protected by knox. Apps, accounts, files, etc. And it would ask for another security to access it(pattern/pin/password).
you mentioned cerberus app, it has a function than can wipe device memory and wipe sd card via SMS command. so if you are fast enough, while the thief is running away and before he pulls out your sim card from the phone, you can send an sms command to wipe data.
Since you mentioned you are a programmer, this may be interesting to you, locking download mode and recovery mode on android to prevent thief from flashing hack to your phone. but this require a bit of patience if android isnt your forte.
https://ge0n0sis.github.io/posts/20...-mode-using-an-undocumented-feature-of-aboot/
Click to expand...
Click to collapse
Don't put your phone anywhere besides your pocket. Get a cover that makes it look like as different phone with a cracked screen.
the easiest way to encrypt sd and phone, enable adoptable storage.
cantenna said:
the easiest way to encrypt sd and phone, enable adoptable storage.
Click to expand...
Click to collapse
How is that easier than just selecting the Settings options to encrypt the SD card and to require a password to unlock upon restart?
---------- Post added at 06:08 AM ---------- Previous post was at 05:11 AM ----------
lvrma said:
Usually they just put it on airplane mode though, so google remote wipe is useless[.] Which is why I was looking for more of an offline fix through cryptography and such
Click to expand...
Click to collapse
Yes, and even without airplane mode, they can physically enclose the phone to block all electronic signals. Encrypting the phone (and SD card), using a secure password as the sole unlock method, affords the strongest protection against all attacks (except coercing the password from you).
Gary02468 said:
How is that easier than just selecting the Settings options to encrypt the SD card and to require a password to unlock upon restart?
---------- Post added at 06:08 AM ---------- Previous post was at 05:11 AM ----------
Yes, and even without airplane mode, they can physically enclose the phone to block all electronic signals. Encrypting the phone (and SD card), using a secure password as the sole unlock method, affords the strongest protection against all attacks (except coercing the password from you).
Click to expand...
Click to collapse
oh yea, may bad, i often assume everyone on xda is here because there interested in unlocked boot loaders, root and custom kernels. My recomindation applies only to people who have unlocked pandor's box only.
the method of encyption you suggested the isnt availble for users like me but we can enable adoptable storage which does encrypt the system by other means and it is compatible with root, etc
dynospectrum said:
Don't put your phone anywhere besides your pocket. Get a cover that makes it look like as different phone with a cracked screen.
Click to expand...
Click to collapse
Where can you get/ how can you make such a cover?
Also sometimes when I'm in bad Areas, I go to developer options and turn on some of the screen update stuff, so it flashes the screen purple a lot and make it look messed up.

Categories

Resources