Attend XDA's Second Annual Developer Conference, XDA:DevCon 2014!
5,808,781 Members 46,571 Now Online
XDA Developers Android and Mobile Development Forum

Password Protect ADB?

Tip us?
 
MartinFick
Old
#1  
MartinFick's Avatar
Senior Member - OP
Thanks Meter 2
Posts: 214
Join Date: Mar 2009
Location: Boulder, CO
Default Password Protect ADB?

Has anyone thought about implementing password protection to the G1's adb interface? If someone finds (steals) your phone, it' seems like they can get easy access to your data using adb if it is enabled? Instead of forcing the default to adb-debug disabled, it seems like requiring a password would be more useful?

I realize that this might be risky since it might prevent recovery when the password is forgotten, but at that point, there is still the "wipe all my data" unlock method right?

Without this, I find it hard to trust any sensitive data to my phone (since I do not want to toggle adb on/off constantly).
 
Perrosky
Old
#2  
Senior Member
Thanks Meter 0
Posts: 125
Join Date: Jun 2007
I agree with you any one who find our g1 or steal it, can find easy in the internet how to use adb, or they can even find out how you can do a wipe if you turn the phone off and start the phone using Home+Power button. And they will be good to go to use the G1. I hope someone can add a password protection to this 2 options.
T-Mobile G1 | Samsung Vibrant GreatNess [Acceso de Raiz] |
 
MartinFick
Old
#3  
MartinFick's Avatar
Senior Member - OP
Thanks Meter 2
Posts: 214
Join Date: Mar 2009
Location: Boulder, CO
I guess it might be nice to add a password option to the "wipe" option, but that seems like it would sorta defeat the purpose then, wouldn't it?

I am more concerned about my data than the device itself. If someone steals my phone and they can't use it, it doesn't really help me. But, if I can at least prevent them from reading my data... I envision using my phone as a secure token to access various logins at some point (anyone want to code that up? . So, I just want to ensure that they cannot get any keys/passwords on it.

The other problem with preventing someone from wiping it is, "what do you do if you forget your own password"? I would prefer to let the thief use the phone (without my data) than to potentially brick the phone for myself. Lastly, locking it permanently off to thieves would not be a deterrent to theft unless every phone did it since they would not know about it until they stole your phone!

I am surprised that the "serious" hackers have not implemented adb protection yet, have they?
 
xile6
Old
#4  
Senior Member
Thanks Meter 39
Posts: 831
Join Date: Dec 2008
Location: Dallas
Yea its kinda a good and bad thing tho. Look at it like this .
You put the password on your phone to stop people from doing anything to it, then you forgot your password, how do you get back in? You cant. Unless you have a way around that which if you have a way around that the thief would to.

The only thing i would like is to be able to protect files so if you lost your phone someone wouldn't be able to get into it without wiping the phone.
if im wrong tell me. I'd ratter be correct then live life being mislead.
Phone:Note 3 NF1 rooted and stock Knox 0x0

Other Phone(s): T-mobile G1 < HTC Vision G2 < LG-P999 G2x < T989 S2 < HTC One m7 < Note 3
 
Perrosky
Old
#5  
Senior Member
Thanks Meter 0
Posts: 125
Join Date: Jun 2007
Quote:
Originally Posted by xile6 View Post
Yea its kinda a good and bad thing tho. Look at it like this .
You put the password on your phone to stop people from doing anything to it, then you forgot your password, how do you get back in? You cant. Unless you have a way around that which if you have a way around that the thief would to.

The only thing i would like is to be able to protect files so if you lost your phone someone wouldn't be able to get into it without wiping the phone.

I agree with you and at the same time don't (right now I don't put personal files in my sd for that very reason if I lost the phone anyone can see what I have on the sd) regarding to the password I guess that it will be up to the people if you know that you forget passwords just don't use it I personally use 2 password 1 for forum 6 letter something simple and easy to remember, and one for (very important stuffs) 12 characteres letters and numbers. Plus I thing that everyone in that will be using this are people to frequent this forum wich I don't think they tend to forget passwords.
T-Mobile G1 | Samsung Vibrant GreatNess [Acceso de Raiz] |
 
lbcoder
Old
#6  
Account currently disabled
Thanks Meter 95
Posts: 2,645
Join Date: Jan 2009
In order to gain access to program data (not applicable to sdcard), you still need to be either root, or to possess the userid of the particular program whose data you're trying to gain access to. Use of one of those secure-root password prompt programs will give you the ability to limit root access since the 'su' command will fail without the password being entered in the GUI.

This is not absolute though, since you can still boot on a recovery image, backup, and extract. Without actually encrypting the storage, there is no way to absolutely protect your data, and with a mobile device, the encryption/decryption overhead will take up too much CPU time to be practical. It could, however, be implemented on a program-by-program basis or on a data-but-not-program basis, i.e. encrypt /data/data, or /data/data-enc might be a better idea - leave data for user-programs encrypted, but system-services unencrypted, and mount the encrypted partition on screen unlock (i.e. password unlock). LUKS would be great for this. Allowing optional encryption for SD-card and allowing multiple SD-card partitions to be mounted (i.e. one encrypted, one not) would be ideal.
 
MartinFick
Old
#7  
MartinFick's Avatar
Senior Member - OP
Thanks Meter 2
Posts: 214
Join Date: Mar 2009
Location: Boulder, CO
Well, perhaps the bootloader should get a password also? Would having both an adp and a bootloader passwords secure things completely?
 
lbcoder
Old
#8  
Account currently disabled
Thanks Meter 95
Posts: 2,645
Join Date: Jan 2009
Of course not. Bootloader passwords are virtually useless. All they do is stop you from booting, they do nothing at all to protect your data except from a real amateur, the likes of whom wouldn't be able to get your data off the thing even WITH root access.

As long as there is unencrypted data stored on the device, it definitely can be read off.
 
MartinFick
Old
#9  
MartinFick's Avatar
Senior Member - OP
Thanks Meter 2
Posts: 214
Join Date: Mar 2009
Location: Boulder, CO
Could you please explain why you believe that a bootloader password would not work?

In other words, if a user is locked out from performing commands via the screen without the appropriate gesture, locked out from using adb without a password, and they cannot boot into the recovery image (or access NVRAM with fastboot) without a password, how can they access data on the internal NVRAM? I am not saying they can't (I don't know), I am asking what method you think they could use? Can the NVRAM be easily removed and plugged into another device and read? Are there other boot methods that I am not aware of (likely, I am fairly new to this) that would allow them to access the data? Or, are you just assuming that there is a method that an intelligent cracker could use?
 
lbcoder
Old
#10  
Account currently disabled
Thanks Meter 95
Posts: 2,645
Join Date: Jan 2009
1) you can use fastboot to boot off a recovery image file that is NOT ON THE PHONE,
2) you can connect directly to the chip and read its contents.
etc.

Keep in mind the way that bootloader passwords work; the password is NOT embedded in the bootloader - that would be stupid since you risk bricking the device every time you change the password. A password protected bootloader will access some configuration file that will have the details of the password. Fastboot would (and must) come before this stage.

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes