Ask Slashdot: How Can I Prepare For the Theft of My Android Phone?
New submitter Adam Jorgensen writes "Last week my 4-week-old Moto G phone was stolen while getting onto the train at Salt River in Cape Town, South Africa. That in itself is no big deal. Cellphone theft is a huge problem here in South Africa and I've had at least two previous cellphones stolen. The big deal this time, for me at least, was that this was the first time I've lost an Android phone to theft. When I actually sat down and thought about it, losing a fully configured Android phone is actually a big deal as it provides ready access to all kinds of accounts, including one's Google account. This could potentially allow the thief to engage in all kinds of malicious behavior, some of which could have major implications beyond the scope of the theft.
Luckily for me it seems that the thief did the usual thing: Dumped the SIM card, wiped the phone, and switched it off. It's probably had its IMEI changed by now and been sold on to some oblivious punter, possibly some oblivious punter in another country. Still, the potential for serious issue is making me have second thoughts about replacing the phone with anything capable of doing much more than calling. My question is this: Are there any serious solutions out there for Android that secure against theft?"
He continues:
By serious I mean solutions that go beyond the laughably easy to defeat 'Find My Phone' and 'Remote Wipe' options provided at present. Presently I'm thinking along the lines of:
- Full encryption of phone contents
- Some kind of 'Travel Safe' mode that would lock the phone down and trigger a full wipe if not unlocked correctly (including wiping the phone on next boot if not unlocked before being switched off/running out of battery).
So, any ideas?"
Encrypt the phone, and set a numeric PIN of 6 or more.
Done and done.
Citation needed for the "laughably easy to defeat 'Find My Phone' and 'Remote Wipe' options". How are these laughably easy to defeat? Do tell. Also iPhones have a kill switch installed, so they can't be wiped and reused. Compare this to your Android solution of asking Slashdot. I await more information.
I use Cerberus. It's available on the store: https://play.google.com/store/... Though if you download it direct from their website then you can flash it straight into the ROM, meaning that even if someone does a factory wipe on your phone it will still be installed and you can remote into it: https://www.cerberusapp.com/do... With it installed, you register your phone on the website, then sign into your account on the phone. From there you can carry out all sorts of commands, including GPS tracking, location history, call and SMS logs. You can even call or message the phone, get it to display messages, record audio, video, take pictures, all sorts. And finally you can wipe the SD card, wipe the phone, or reboot it. I don't remember how much it cost, but it was only a couple of pounds. I've never had my phone stolen yet, but I occasionally log into the site to check that everything is working and it always does what I want it to, so I've had no complaints with it.
http://www.xtrasec.com/feature...
Save us both some time, and just send it to me...
"Flyin' in just a sweet place,
Never been known to fail..."
Don't store important shit on your phone.
When your shit gets stolen, just change the passwords to any accounts it was authorized to.
Don't be one of those idiots who uses 2-factor authentication with one of those RSA hash clock apps on their phone. You'll just end up locking yourself out of shit when you lose your phone.
Encrypting your phone does nothing because you decrypt it every time you power it on, and you always have your phone on, don't you?
Passwords / locks will stop casual thieves from getting in, but they don't want in - they just want to sell the phone.
Passwords / locks will NOT stop thieves who want your information. If your info is worth enough to be targeted it's worth enough for a 0-day bounty. (And with Android you don't even need that - it's likely to be a 6+ month old bug that your manufacturer / carrier never patched / pushed out the patch for).
You may as well ask how to make sure your car can't be stolen. Can't win, don't try. Just minimize the impact.
Simple answer: Treat your phone/tablet as only slightly more trusted than logged in from a semi-public PC, such as at a library.
I pretty much only log in to anything from my Android tablet via a browser in private browsing mode / incognito. I can then do everything through the browser that TFS' author presumably uses pre-logged-in native apps to do. Email, IM, cloud storage... I use them all, I just don't have my device set up to one-click root-my-life.
I don't even bother with a password on the thing - It wastes more of my time than that of a potential thief. If someone nabs it, hey, they get a few gigs of music (that I have backups of) and a $50 (replacement value - they don't tend to age well) tablet. Woo-hoo.
It seems Lady Luck has bestowed you with the privilege of being born in a first-world country. Good for you!
You can use an alphanumeric password on iOS. You don't have to use a 4-digit PIN.
SJWs are the new boogeyman. -Me
I couldn't believe, when I left New York to go to college, how many people stored things in their back pockets. I used to tell them all the same little rhyme --
Yeah, ever since I started traveling for business on public transport, I no longer keep a wallet in my back pocket. Instead it goes in a front pocket, which is more difficult to pick pocket. Works well with jeans. This doesn't do so well if you are wearing dress slacks with loose pockets, so you'll have to resort to other means like the various types of hidden / zippered pockets.
It's just too easy to have your back pocket searched when riding public transportation. And inside coat pockets aren't much better unless they have a button or zipper.
Backpacks aren't safe either, a good thief can unzip it and look inside without being noticed. I prefer a messenger type bag with a cover that folds over the top and is latched down by snap-buckles combined with velcro. Harder to open quietly and I always have an arm wrapped around it anyway.
Wolde you bothe eate your cake, and have your cake?
There's a few simple steps to follow to prevent phone theft in the first place:
Step 1: Wear gloves at all times
Step 2: Put a non-conductive silicon case on your phone
Step 3: Slip phone into pocket
Step 4: Charge up a 400V 10uF capacitor and slip it into your pocket, leads up (now you see the need for gloves).
Then you play a simple game.
1 point for a loud scream on public transit.
10 points for a loud scream followed by self injury while attempting to run away.
100 points if the thief had a pre-existing heart condition.
1000 points for a girl in the vicinity mistaking the agony with simple surprise of your well equipped package and offering to "take you now" right there on the train.
Enable the "Wipe after X failures."
I presume you don't have kids :-)
Or you teach them that certain things are not toys. Why, maybe you even keep those things out of the kid's reach! Wow! Y'know, like every real parent has done throughout the ages. Knives, matches, car keys, stoves, cleaning chemicals, really there are things much worse than cellphones out there.
Confirmed. He's never had kids.
When our name is on the back of your car, we're behind you all the way!
Did you ever think that some of the Ask Slashdot topics exist to provoke discussion rather than to seek knowledge? Take this one for example. How many folks here have never thought about anti-theft software until now? I'm sure I'm not the only one.
Set your background to a really attractive but clothed female to make them think that's the owner of the phone. Then put an app on your phone (displayed in a prominent place) that says "my hot nude pics" that, when launched, wipes your phone. Done!
Monstar L
Instead of cursing the darkness, why not light a candle?
http://soylentnews.org/
You are welcome on my lawn.
Really, I am a Colombian citizen and Colombia is a country where people tend to steal your shoes if they are not tied tightly to your feet. Third world denizens tend to carry their expensive equipment in their hands as a show of wealth, and they get marked and the phones are easily stolen. I lived on and off in Colombia for years with expensive phones and never got them stolen. Why? I do not use them on the bus, the bar, or in the street. Stop using your smartphone as a status symbol in public.
The Revolution Will Not Be Televised
Instead of cursing the darkness, why not light a candle?
http://soylentnews.org/
Because every time I go to that site, I find it as frustrating to use as beta. Why do truncated comments have to load a new page?
Also I haven't been forced onto beta since I opted for /. classic the first time I encountered beta.
Soylent news will have to improve to get readership.
Calling someone a "hater" only means you can not rationally rebut their argument.
Really, I am a Colombian citizen and Colombia is a country where people tend to steal your shoes if they are not tied tightly to your feet. Third world denizens tend to carry their expensive equipment in their hands as a show of wealth, and they get marked and the phones are easily stolen. I lived on and off in Colombia for years with expensive phones and never got them stolen. Why? I do not use them on the bus, the bar, or in the street. Stop using your smartphone as a status symbol in public.
This,
It doesn't matter how wealthy the country is, most people get their phones stolen through carelessness. There may be fewer thieves in somewhere like London or New York compared to Bogotá or Medellin, but they're still there and they're still looking for the same thing, an easy mark. The standards are different, everyone and their dog has their phone out in New York or London so they look for the ones that are drunk and alone, of course people do get their phones snatched in public but because everyone walks around with their phones out, they think that it won't be them (and act so surprised when it happens to them).
This is why a lot of first worlders get stuff stolen when they go to developing nations, they've never lived in a place where you have to be on your guard, where your phone will get stolen if you wander around with it.
I've had a grand total of three things stolen from me in my travels, all due to carelessness on my part but fortunately, nothing that has cost me much to replace.
I thought IMEI could not be changed. Is it possible here because on a smartphone everything is software defined?
You can generally do this, if you are super technically inclined, and have the right tools for the phone in question. In almost every case, you have to defeat the security on the baseband firmware, because it's embedded as part of the firmware in what's called a "seczone" (contains security data for the phone, which is cryptographically signed, including the carrier lock and IMEI).
Most of the work required to rewrite the IMEI is not actually done by people attempting to be able to rewrite the IMEI; instead, the purpose is to be able to rewrite the carrier lock which happens to be in the same area, so if you have the source code for the tools, or know how to use IDA Pro and read and modify assembly language, you can convert the tool.
This is basically true of almost every Samsung baseband chip firmware, since it has a buffer overflow attack that works against the cryptographic signature check, and then - game over. This is how the Sony, Samsung, and original iPhones carrier lock was busted. For other phones, you can buffer overflow the firmware by using a specially designed chip that pretends it's a SIM chip, and buffer overflows the baseband from the other side of things, rather than from application space. It's probably worth my while to not go into too much detail here.
A non-stupid company that wanted to disincentivize that level of hacking on the baseband - said hacking also being an effective means of modifying the radio tables for the SDR (Software Defined Radio) - would put the carrier lock up in application space, rather than putting it in the baseband firmware in the first place. Most companies, Apple included, have been pretty stupid about their carrier lock implementations, though.
So yeah, the tools exist, mostly because of carrier lock, and the implementation details for the carrier lock being in a stupid location that makes the IMEI rewrite an easy opportunistic target.