Android 5.0 Lollipop in 3D–EVO 3D, That Is!

It is that time of the year once again. Flowers bloom (or snow falls, depending on which … more

Gaming Console with Lollipop? Ouya Gets an Android TV Port

Android is a very flexible platform, and it can be used on a large variety of … more

Android App Review: Manage Your Connections Automagically – XDA TV

Material Design is all the buzz in the Android world right now. … more

Official TWRP Recovery Lands on Micromax Canvas Magnus

With the recent release of Android One, Micromax and MediaTek released fully buildable … more

Welcome to XDA

Search to go directly to your device's forum

Register an account

Unlock full posting privileges

Ask a question

No registration required
Post Reply

Password Protect ADB?

OP MartinFick

26th March 2009, 10:16 PM   |  #1  
MartinFick's Avatar
OP Senior Member
Flag Boulder, CO
Thanks Meter: 2
 
214 posts
Join Date:Joined: Mar 2009
More
Has anyone thought about implementing password protection to the G1's adb interface? If someone finds (steals) your phone, it' seems like they can get easy access to your data using adb if it is enabled? Instead of forcing the default to adb-debug disabled, it seems like requiring a password would be more useful?

I realize that this might be risky since it might prevent recovery when the password is forgotten, but at that point, there is still the "wipe all my data" unlock method right?

Without this, I find it hard to trust any sensitive data to my phone (since I do not want to toggle adb on/off constantly).
26th March 2009, 11:02 PM   |  #2  
Senior Member
Thanks Meter: 0
 
125 posts
Join Date:Joined: Jun 2007
More
I agree with you any one who find our g1 or steal it, can find easy in the internet how to use adb, or they can even find out how you can do a wipe if you turn the phone off and start the phone using Home+Power button. And they will be good to go to use the G1. I hope someone can add a password protection to this 2 options.
26th March 2009, 11:20 PM   |  #3  
MartinFick's Avatar
OP Senior Member
Flag Boulder, CO
Thanks Meter: 2
 
214 posts
Join Date:Joined: Mar 2009
More
I guess it might be nice to add a password option to the "wipe" option, but that seems like it would sorta defeat the purpose then, wouldn't it?

I am more concerned about my data than the device itself. If someone steals my phone and they can't use it, it doesn't really help me. But, if I can at least prevent them from reading my data... I envision using my phone as a secure token to access various logins at some point (anyone want to code that up? . So, I just want to ensure that they cannot get any keys/passwords on it.

The other problem with preventing someone from wiping it is, "what do you do if you forget your own password"? I would prefer to let the thief use the phone (without my data) than to potentially brick the phone for myself. Lastly, locking it permanently off to thieves would not be a deterrent to theft unless every phone did it since they would not know about it until they stole your phone!

I am surprised that the "serious" hackers have not implemented adb protection yet, have they?
26th March 2009, 11:21 PM   |  #4  
Senior Member
Flag Dallas
Thanks Meter: 71
 
1,048 posts
Join Date:Joined: Dec 2008
More
Yea its kinda a good and bad thing tho. Look at it like this .
You put the password on your phone to stop people from doing anything to it, then you forgot your password, how do you get back in? You cant. Unless you have a way around that which if you have a way around that the thief would to.

The only thing i would like is to be able to protect files so if you lost your phone someone wouldn't be able to get into it without wiping the phone.
26th March 2009, 11:28 PM   |  #5  
Senior Member
Thanks Meter: 0
 
125 posts
Join Date:Joined: Jun 2007
More
Quote:
Originally Posted by xile6

Yea its kinda a good and bad thing tho. Look at it like this .
You put the password on your phone to stop people from doing anything to it, then you forgot your password, how do you get back in? You cant. Unless you have a way around that which if you have a way around that the thief would to.

The only thing i would like is to be able to protect files so if you lost your phone someone wouldn't be able to get into it without wiping the phone.


I agree with you and at the same time don't (right now I don't put personal files in my sd for that very reason if I lost the phone anyone can see what I have on the sd) regarding to the password I guess that it will be up to the people if you know that you forget passwords just don't use it I personally use 2 password 1 for forum 6 letter something simple and easy to remember, and one for (very important stuffs) 12 characteres letters and numbers. Plus I thing that everyone in that will be using this are people to frequent this forum wich I don't think they tend to forget passwords.
27th March 2009, 03:59 PM   |  #6  
Account currently disabled
Thanks Meter: 96
 
2,645 posts
Join Date:Joined: Jan 2009
In order to gain access to program data (not applicable to sdcard), you still need to be either root, or to possess the userid of the particular program whose data you're trying to gain access to. Use of one of those secure-root password prompt programs will give you the ability to limit root access since the 'su' command will fail without the password being entered in the GUI.

This is not absolute though, since you can still boot on a recovery image, backup, and extract. Without actually encrypting the storage, there is no way to absolutely protect your data, and with a mobile device, the encryption/decryption overhead will take up too much CPU time to be practical. It could, however, be implemented on a program-by-program basis or on a data-but-not-program basis, i.e. encrypt /data/data, or /data/data-enc might be a better idea - leave data for user-programs encrypted, but system-services unencrypted, and mount the encrypted partition on screen unlock (i.e. password unlock). LUKS would be great for this. Allowing optional encryption for SD-card and allowing multiple SD-card partitions to be mounted (i.e. one encrypted, one not) would be ideal.
27th March 2009, 07:14 PM   |  #7  
MartinFick's Avatar
OP Senior Member
Flag Boulder, CO
Thanks Meter: 2
 
214 posts
Join Date:Joined: Mar 2009
More
Well, perhaps the bootloader should get a password also? Would having both an adp and a bootloader passwords secure things completely?
27th March 2009, 09:54 PM   |  #8  
Account currently disabled
Thanks Meter: 96
 
2,645 posts
Join Date:Joined: Jan 2009
Of course not. Bootloader passwords are virtually useless. All they do is stop you from booting, they do nothing at all to protect your data except from a real amateur, the likes of whom wouldn't be able to get your data off the thing even WITH root access.

As long as there is unencrypted data stored on the device, it definitely can be read off.
30th March 2009, 11:10 PM   |  #9  
MartinFick's Avatar
OP Senior Member
Flag Boulder, CO
Thanks Meter: 2
 
214 posts
Join Date:Joined: Mar 2009
More
Could you please explain why you believe that a bootloader password would not work?

In other words, if a user is locked out from performing commands via the screen without the appropriate gesture, locked out from using adb without a password, and they cannot boot into the recovery image (or access NVRAM with fastboot) without a password, how can they access data on the internal NVRAM? I am not saying they can't (I don't know), I am asking what method you think they could use? Can the NVRAM be easily removed and plugged into another device and read? Are there other boot methods that I am not aware of (likely, I am fairly new to this) that would allow them to access the data? Or, are you just assuming that there is a method that an intelligent cracker could use?
31st March 2009, 03:22 PM   |  #10  
Account currently disabled
Thanks Meter: 96
 
2,645 posts
Join Date:Joined: Jan 2009
1) you can use fastboot to boot off a recovery image file that is NOT ON THE PHONE,
2) you can connect directly to the chip and read its contents.
etc.

Keep in mind the way that bootloader passwords work; the password is NOT embedded in the bootloader - that would be stupid since you risk bricking the device every time you change the password. A password protected bootloader will access some configuration file that will have the details of the password. Fastboot would (and must) come before this stage.

Post Reply Subscribe to Thread
Previous Thread Next Thread
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes