Slashdot Mirror


Ask Slashdot: How Can I Prepare For the Theft of My Android Phone?

New submitter Adam Jorgensen writes "Last week my 4-week-old Moto G phone was stolen while getting onto the train at Salt River in Cape Town, South Africa. That in itself is no big deal. Cellphone theft is a huge problem here in South Africa and I've had at least two previous cellphones stolen. The big deal this time, for me at least, was that this was the first time I've lost an Android phone to theft. When I actually sat down and thought about it, losing a fully configured Android phone is actually a big deal as it provides ready access to all kinds of accounts, including one's Google account. This could potentially allow the thief to engage in all kinds of malicious behavior, some of which could have major implications beyond the scope of the theft.

Luckily for me it seems that the thief did the usual thing: Dumped the SIM card, wiped the phone, and switched it off. It's probably had its IMEI changed by now and been sold on to some oblivious punter, possibly some oblivious punter in another country. Still, the potential for serious issue is making me have second thoughts about replacing the phone with anything capable of doing much more than calling. My question is this: Are there any serious solutions out there for Android that secure against theft?"

He continues:

By serious I mean solutions that go beyond the laughably easy to defeat 'Find My Phone' and 'Remote Wipe' options provided at present. Presently I'm thinking along the lines of:

  • Full encryption of phone contents
  • Some kind of 'Travel Safe' mode that would lock the phone down and trigger a full wipe if not unlocked correctly (Including wiping the phone on next boot if not unlocked before being switched off/running out of battery).

So, any ideas?

10 of 374 comments

  1. Seriously? by LordLimecat · · Score: 5, Informative

    Encrypt the phone, and set a numeric PIN of 6 or more.

    Done and done.

    1. Re:Seriously? by dfsmith · · Score: 5, Funny

      Thanks! I set my PIN to "7".

    2. Re:Seriously? by slashgordo. · · Score: 5, Informative

      After encrypting the phone with a good passwd/pin, go to all apps -> Google Settings app -> Android Device Manager, and enable "Remotely locate this device" and "Allow remote lock and erase". Then if it does get stolen, you can use the Device Manager app or https://www.google.com/android... to find it or remotely wipe it. Then go to your Google account settings at https://security.google.com/se... , select your device and "Revoke Access". If you used an application-specific password for your Android device, go to https://accounts.google.com/b/... and revoke it. Change your Google password. If you used 2-step verification, move the Google Authenticator to a different device, and re-seed the keys with a new QR code. It is scary how much important private stuff we keep on these portable smartphones, tablets, etc. these days, and how screwed we could be if that falls into the wrong hands.

    3. Re:Seriously? by Anonymous Coward · · Score: 5, Insightful

      None of the things will protect against theft.

      The thief will still pick your pocket. When they get back to their evil lair, they will find it is password protected. If they try to break the protection (which is easy with the right tools) they will find it is encrypted. Then they will trash the device or perhaps attempt to sell it. For you it doesn't matter, your device is still stolen and must be replaced.

      There are tons of tools out there to make backups so restoration is easy on a new device. But your device is still stolen and must be replaced.

      Encryption has jack shit to do with recovering the hardware.

      Your data and personal information contained on the phone can be proven far more valuable and far more difficult to recover from if leaked.

      Neither of these facts belie your ignorance here. Use your damn head. Encryption helps mitigate a rather specific problem with phone theft.

    4. Re:Seriously? by mlts · · Score: 5, Informative

      Here is what I do to secure my Android device:

      1: Unlock the bootloader, flash a CM or custom ROM that doesn't sport crapware.

      2: Encrypt the device with a screen locker PIN 4+ digits. I personally use six for this, just for ease of typing.

      3: Use "su -c vdc cryptfs changepw foobar" to change the passphrase. This separates the passphrase Android asks for at boot versus the screen unlocker PIN. Of course, if you change the screen password, the cryptfs password will change, so you will need to use root and change it again, or use an app for this.

      The advantage of this method is that the boot password can be very secure, while the password to get past the screen locker can be easy to type in.

      4: Relock the bootloader. This forces someone to have to erase the data partition if they want to reflash.

      5: Install a third party security app like Cerberus or Lookout that can locate and remotely erase the device, or just sound a siren until the holder trashes it. Some utilities can go into /system and persist against wipes as well.

      6: If the device has a SD card, consider using an EncFS app to mount and store files under. This way, anything written is immediately encrypted.

      7: Use Titanium Backup Pro with encryption and saving to a remote cloud provider. TB's encryption is remarkably sane (it uses private/public key, so the passphrase is only needed on a restore), and storing copies of backups remotely means that data is still obtainable even if the phone is lost. It does require root though.

      8: Unless directly in use, keep USB and ADB completely off until needed.

      9: Use a utility that demands a PIN before various apps can launch, especially preferences and an app that pops up a console/shell window.

      10: Use a TRIM utility that runs in the background. This way, if the data isn't encrypted, it is not existing.

      These will help protect data on a phone. If stolen, the attacker would have a few guesses on the PIN before the device locks them out. A reboot will force the attacker against the full passphrase. A data wipe will still mean Cerberus or a security program is still in /system, forcing the thief to completely reflash the phone to a factory image (ensuring all is gone.)

      Of course, there is the physical hardware loss, which insurance might cover (Asurion for example), and stored data can be recovered via Titanium Backup. However, done right, an Android phone can be made decently resistant to theft or physical attacks.

      The reason why one should use a utility to PIN protect apps and app groups is that if the phone is swiped before the screen locker comes on (for example, out of the user's hands directly). That way, assuming preferences and other settings are secure, a thief has limited run on what is available on the phone.
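One way to check steps 2, 4 and 8 of the list above from a computer, as an added example that is not part of the original comment: the script reads `getprop` output and reports on encryption, USB debugging and bootloader lock state. The function names and sample inputs are constructed for illustration, and it assumes the device exposes `ro.crypto.state`, `persist.sys.usb.config` and `ro.boot.flash.locked`, which varies by device and Android version.

```shell
#!/bin/sh
# Added example (not from the thread): check `getprop` output against
# steps 2, 4 and 8 of the post above. Property availability varies by
# device and Android version; that these three are exposed is an assumption.

# prop_value KEY: print KEY's value from "[key]: [value]" lines on stdin.
prop_value() {
    awk -v key="[$1]:" '$1 == key {
        sub(/^[^ ]+ \[/, ""); sub(/\]$/, ""); print; exit }'
}

# audit_device: read getprop text on stdin, print one finding per check,
# return the number of failed checks.
audit_device() {
    props=$(tr -d '\r')   # older adb versions emit CRLF line endings
    crypto=$(printf '%s\n' "$props" | prop_value ro.crypto.state)
    usb=$(printf '%s\n' "$props" | prop_value persist.sys.usb.config)
    locked=$(printf '%s\n' "$props" | prop_value ro.boot.flash.locked)
    fails=0
    if [ "$crypto" = "encrypted" ]; then
        echo "PASS encryption: data partition is encrypted"
    else
        echo "FAIL encryption: ro.crypto.state='$crypto'"; fails=$((fails + 1))
    fi
    case ",$usb," in
        *,adb,*) echo "FAIL adb: USB debugging is on ($usb)"; fails=$((fails + 1)) ;;
        *)       echo "PASS adb: USB debugging is off" ;;
    esac
    case "$locked" in
        1) echo "PASS bootloader: locked" ;;
        0) echo "FAIL bootloader: unlocked"; fails=$((fails + 1)) ;;
        *) echo "WARN bootloader: lock state not exposed by this device" ;;
    esac
    return "$fails"
}

# Constructed sample input: a device with none of the steps applied.
sample_stock() {
    printf '%s\r\n' '[persist.sys.usb.config]: [mtp,adb]' \
        '[ro.boot.flash.locked]: [0]' '[ro.crypto.state]: [unencrypted]'
}
# Constructed sample input: steps 2, 4 and 8 applied.
sample_hardened() {
    printf '%s\n' '[persist.sys.usb.config]: [mtp]' \
        '[ro.boot.flash.locked]: [1]' '[ro.crypto.state]: [encrypted]'
}

# Real device: adb shell getprop | audit_device
sample_stock | audit_device || echo "failed checks: $?"
```

A missing bootloader property is reported as WARN rather than FAIL, since older devices may not expose it at all.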

  2. Laughably Easy? by noh8rz10 · · Score: 5, Interesting

    Citation needed for the "laughably easy to defeat 'Find My Phone' and 'Remote Wipe' options". How are these laughably easy to defeat? Do tell. Also iPhones have a kill switch installed, so they can't be wiped and reused. Compare this to your Android solution of asking Slashdot. I await more information.

  3. Cerberus by iviv66 · · Score: 5, Informative

    I use Cerberus. It's available on the store: https://play.google.com/store/... Though if you download it direct from their website then you can flash it straight into the ROM, meaning that even if someone does a factory wipe on your phone it will still be installed and you can remote into it: https://www.cerberusapp.com/do... With it installed, you register your phone on the website, then sign into your account on the phone. From there you can carry out all sorts of commands, including GPS tracking, location history, call and SMS logs. You can even call or message the phone, get it to display messages, record audio, video, take pictures, all sorts. And finally you can wipe the SD card, wipe the phone, or reboot it. I don't remember how much it cost, but it was only a couple of pounds. I've never had my phone stolen yet, but I occasionally log into the site to check that everything is working and it always does what I want it to, so I've had no complaints with it.

  4. Re:Pretty easy. by dugancent · · Score: 5, Informative

    You can use an alphanumeric password on iOS. You don't have to use a 4-digit pin.

    --
    SJWs are the new boogeyman. -Me
  5. Re:Android Has Full Device Encryption by camperdave · · Score: 5, Funny

    Enable the "Wipe after X failures."

    I presume you don't have kids :-)

    Or you teach them that certain things are not toys. Why, maybe you even keep those things out of the kid's reach! Wow! Y'know, like every real parent has done throughout the ages. Knives, matches, car keys, stoves, cleaning chemicals, really there are things much worse than cellphones out there.

    Confirmed. He's never had kids.

    --
    When our name is on the back of your car, we're behind you all the way!
  6. Re:oops... just wanted to read the comments by PopeRatzo · · Score: 5, Interesting

    but I'd like to go on record as joining the beta sucks bandwagon

    Instead of cursing the darkness, why not light a candle?

    http://soylentnews.org/

    --
    You are welcome on my lawn.