
[INFO] Understanding the risks of having an unlocked bootloader

Petrovski80
(Last edited by Petrovski80; 2nd October 2012 at 09:05 PM.)
#1  

While unlocking the bootloader on a Galaxy Nexus unleashes the full potential of the bootloader, it also poses a security risk. Even with your lockscreen protected with a pattern/PIN/password, without having flashed a custom recovery, and with an anti-theft app installed (maybe even converted/installed as a system app), your phone's data is easily accessible to a knowledgeable thief.

All the thief needs to do is reboot into the bootloader and boot or flash a custom recovery such as ClockWorkMod or TWRP. It's then possible to boot into recovery and use ADB commands to gain access to the phone's data on the internal memory (unless you have it encrypted) and copy/remove files at will.

Granted, the risk seems low. The thief would not only require knowledge of fastboot, he would have to turn off the phone before you have issued a wipe command using an anti-theft app. You could of course flash back the stock recovery & relock the bootloader after being done with flashing stuff, but that would require you to unlock it again if needed which will erase your userdata.

There are two ways to tackle this security risk AND retain unlocked bootloader functionality without losing userdata.

1) Encrypt your phone using Android's built-in encryption feature

Advantages:
- you can leave your bootloader unlocked & leave a custom recovery installed without risk of exposing your data.

Disadvantages:
- unless the custom recovery can decrypt your phone, you cannot use all of its features.
- when decryption fails, you cannot access your phone and need to do a factory reset from recovery. Users have reported not being able to decrypt after applying OTA updates.
- the encryption process is irreversible. The only way to return to an unencrypted phone is to perform a factory data reset which erases all your data.


2) Unlock & relock the bootloader from Android OS

Prerequisites:
- root access
- an app that can unlock/relock the bootloader at will such as BootUnlocker

Steps
Root your device using one of the many guides out there (recommended guide). Install BootUnlocker. Reflash stock recovery and lock the bootloader. Whenever you need an unlocked bootloader again, simply use BootUnlocker to unlock it (this won't wipe userdata). When done, relock.

Advantages:
- doesn't require encryption (for those who do not wish to use it).

Disadvantages:
- relies on third-party apps.
- method will not work if you lose root access for whatever reason.
- method will not work when you cannot boot into Android for whatever reason.


USB debugging
Strictly not related to the bootloader, but for maximum security disable USB debugging when not required. Having it enabled allows the execution of ADB commands even if the lockscreen is still locked. Myself, I use Tasker in combination with Secure Settings to automatically enable USB debugging when my device is connected to my home WiFi access point but disabled if not connected.

The following video demonstrates what a knowledgeable thief can do with your phone when you have USB debugging enabled by default: http://www.youtube.com/watch?v=ah7DWawLax8&t=7m0s

More info: recently, an exploit has been discovered that will enable gaining root without going through the 'traditional' process of unlocking the bootloader & flashing a custom recovery in order to flash Superuser or SuperSU packages. See this post for a guide.

Play store devices
Devices bought directly from Google's Play Store apparently do NOT wipe userdata after fastboot oem unlock. So for these devices, method number 2 does not add any security. For more info, read this thread: http://forum.xda-developers.com/show....php?t=1650830
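The post above names three things that decide whether a thief with physical access can read userdata: whether the bootloader is locked, whether the phone is encrypted, and whether USB debugging is left on. The script below is an added example written for this thread, not code from the poster or from any of the apps mentioned. It audits those three factors from a captured `adb shell getprop` dump. The property names are assumptions about the device: `ro.crypto.state` (set by vold to `encrypted` or `unencrypted`), `ro.boot.flash.locked` (`1` when the bootloader is locked on Nexus-style devices; other devices may not expose it) and `persist.sys.usb.config` (contains `adb` when USB debugging is enabled). The sample dumps are constructed.

```python
"""Audit bootloader lock, encryption and USB debugging state from a getprop dump.

Added example for the thread above; not the poster's or any app's code.
Assumed property names (device-dependent):
  ro.crypto.state         "encrypted" / "unencrypted"
  ro.boot.flash.locked    "1" when the bootloader is locked (Nexus-style devices)
  persist.sys.usb.config  comma-separated USB functions, e.g. "mtp,adb"
"""
import re

# getprop prints one property per line as: [key]: [value]
GETPROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")


def parse_getprop(text: str) -> dict:
    """Turn raw `adb shell getprop` output into a {key: value} dict."""
    props = {}
    for line in text.splitlines():
        m = GETPROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def assess(props: dict) -> dict:
    """Map the three exposure factors from the post onto a finding list."""
    encrypted = props.get("ro.crypto.state") == "encrypted"
    locked = props.get("ro.boot.flash.locked") == "1"
    usb_functions = props.get("persist.sys.usb.config", "").split(",")
    adb_enabled = "adb" in usb_functions

    findings = []
    # Unlocked + unencrypted is the scenario in the post: boot a custom
    # recovery, then read userdata over adb. Either mitigation closes it.
    if not locked and not encrypted:
        findings.append(
            "bootloader unlocked and userdata unencrypted: a custom recovery "
            "booted via fastboot can read internal storage over adb"
        )
    # USB debugging is reachable regardless of the lockscreen state.
    if adb_enabled:
        findings.append(
            "USB debugging enabled: adb shell is reachable while the lockscreen "
            "is still locked"
        )

    return {
        "bootloader_locked": locked,
        "encrypted": encrypted,
        "adb_enabled": adb_enabled,
        "findings": findings,
        "level": "high" if findings else "low",
    }


# Constructed sample dumps (not real device captures).
SAMPLE_UNLOCKED_DEBUG = """\
[ro.product.model]: [Galaxy Nexus]
[ro.crypto.state]: [unencrypted]
[ro.boot.flash.locked]: [0]
[persist.sys.usb.config]: [mtp,adb]
"""

SAMPLE_HARDENED = """\
[ro.product.model]: [Galaxy Nexus]
[ro.crypto.state]: [encrypted]
[ro.boot.flash.locked]: [1]
[persist.sys.usb.config]: [mtp]
"""


def report(text: str) -> str:
    """Human-readable summary for one dump."""
    result = assess(parse_getprop(text))
    lines = [f"risk: {result['level']}"]
    lines += [f"  - {f}" for f in result["findings"]]
    return "\n".join(lines)


if __name__ == "__main__":
    # Real use: adb shell getprop > props.txt; python audit.py < props.txt
    print(report(SAMPLE_UNLOCKED_DEBUG))
    print(report(SAMPLE_HARDENED))
```

The second sample is deliberately the state the post recommends (encrypted, locked, debugging off) so the two runs show the contrast. The checker treats encryption and a locked bootloader as alternatives, matching the post's two methods, and flags USB debugging separately because it bypasses both.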
 
efrant
(Last edited by efrant; 22nd September 2012 at 03:48 PM.)
#2  
Very well written!!

One thing you may want to tie in to your explanation is the effect of having USB Debugging enabled - it's easy to gain root (and subsequently unlock your bootloader) with it enabled, even with a locked bootloader.

 
Petrovski80
#3  
Added some information regarding USB debugging. Thanks for the tip efrant.
 
Mach3.2
#4  
Good read
 
Oscuras
#5  
Do you have to be on stock rom to lock the bootloader ?
 
efrant
#6  
Quote: Originally Posted by Oscuras
Do you have to be on stock rom to lock the bootloader ?
Nope.

 
Guiding.God
(Last edited by Guiding.God; 27th September 2012 at 01:53 PM.)
#7  
Thanks for this

Trying to wrap my head around this with regard to anti-theft protection etc.

Currently have an unlocked bootloader, custom rom, and root. If I have something like Cerberus or Avast running (both claim to work as system apps so will not be deleted via hard reset), have debugging unchecked and a pin lock at screen on - if I lock bootloader now, how secure am I to data theft?

Presumably, with debug disabled, fastboot from pc command prompt to unlock bootloader will not work? Can ODIN be used to flash a new ROM and if so my system apps (and thus the security apps) will be wiped, rendering the whole thing useless?

Thanks
 
Petrovski80
#8  
Quote: Originally Posted by Guiding.God
Thanks for this

Trying to wrap my head around this with regard to anti-theft protection etc.

Currently have an unlocked bootloader, custom rom, and root. If I have something like Cerberus or Avast running (both claim to work as system apps so will not be deleted via hard reset), have debugging unchecked and a pin lock at screen on - if I lock bootloader now, how secure am I to data theft?

Presumably, with debug disabled, fastboot from pc command prompt to unlock bootloader will not work? Can ODIN be used to flash a new ROM and if so my system apps (and thus the security apps) will be wiped, rendering the whole thing useless?

Thanks
If you have the stock recovery (custom will allow adb), your personal data is as secure as it can be. Of course, you cannot stop anybody from booting into your bootloader and running fastboot oem unlock OR using Odin to flash your device. However, doing so will effectively wipe your device, so your personal data cannot be accessed.

 
qtwrk
#9  
I would worry more about my phone than data because I have nothing important on it...

 
Guiding.God
#10  
Quote: Originally Posted by Petrovski80
If you have the stock recovery (custom will allow adb), your personal data is as secure as it can be. Of course, you cannot stop anybody from booting into your bootloader and run fastboot oem unlock OR use Odin to flash your device. However, doing so will effectively wipe your device so your personal data cannot be accessed.

Quote: Originally Posted by qtwrk
I would worry more about my phone than data because I have nothing important on it...

Thanks for the clarification.

And I worry more about the work related data, the phone itself is insured