Related
Does the phone encryption (stock unrooted 4.2.1) slow down the phone at all? Does it decrypt the storage at startup or on-the-fly?
Is there any point in encrypting the device if the bootloader is locked as unlocking to install a third party recovery to try read the data would wipe it anyway? (I already use a PIN for the lock screen)
Just trying to figure out if it's worth bothering...
I think the point of an encrypted hard drive is if an attacker has physical access to it. Meaning, they pull it out of the device and then attempt to read it. Locked bootloader won't help here, encryption will.
I believe it decrypts on startup.
My last phone, when encrypted, did not slow down at all. That was on 4.0.4 but I don't see why JB on faster hardware would be any different.
Sent from my Nexus 4 using xda app-developers app
Great, thanks for the replies.
(and thanks to crachel for moving this to the correct forum)
How safe is encrypting you phone? Are there any hazards to encrypting your phone?
donec said:
How safe is encrypting you phone? Are there any hazards to encrypting your phone?
Click to expand...
Click to collapse
I just got my N4 and was curious about the encryption feature. I found this article to be informative and decided against encryption after reading it. Perhaps you may find it useful.
http://www.howtogeek.com/141953/how-to-encrypt-your-android-phone-and-why-you-might-want-to/
shobuddy said:
I just got my N4 and was curious about the encryption feature. I found this article to be informative and decided against encryption after reading it. Perhaps you may find it useful.
http://www.howtogeek.com/141953/how-to-encrypt-your-android-phone-and-why-you-might-want-to/
Click to expand...
Click to collapse
That was the kind of information I needed to decide against encrypting my whole phone.
Hi,
Running an unlocked bootloader is quite risky assuming someone has physical access to your phone.
It's extremely easy simply to put it into fastboot mode, flash a recovery (cwm/twrp) and then adb will provide root access to all data.
This is mitigated by encrypting the device, however, I haven't been successful in doing this (http://forum.xda-developers.com/showthread.php?p=48848592) on this particular phone although it works without any issues on nexus phones.
For the people with unlocked bootloaders, do you simply don't care about someone getting physical access or is there anything that can be done?
Also, did someone manage to successfully encrypt the phone (using the standard settings -> security -> encrypt phone) or is everyone running unencrypted?
Having a remote wipe capability is next to useless assuming the thief will power off the phone immediately (before you have a chance to issue the remote wipe).
An unlocked bootloader is mandatory for running Cyanogenmod so that's that.
Thank you.
A thief (if he had the knowledge or the inclination), could steal a locked bootloader phone (without encryption) and simply flash an ftf and untick "wipe data". He would then have full access to the data on the phone by rooting and flashing a recovery for LB. So locked bootloader is cold comfort really
Sent from my C6603 using xda app-developers app
i think the best to happen is to have passwords , when entering fastboot or flashtool , a password should pop up to access the fastboot or flash tool connection , and when entering recovery , a password should also pop up , it is so much secure to get these , but i think it is so hard to make it work or even impossible
You're right, a locked bootloader is indeed a false security.
At the end, encryption is needed but on this phone, it doesn't seem to work and no one tried using it apart from me...
I have my BL locked and I ensure that USB debugging is off, seeing as most rooting solutions required USB debugging I should be good for the average criminal. So the only way to have access to my data...(obviously SD card is immediately compromised with physical access) would be to guess my unlock code. Otherwise, a full wipe of the phone would be required for it to be usable but that should delete all my accounts off the device.
(At least this is what I tell myself to sleep better at night lol)
SmallsXD said:
I have my BL locked and I ensure that USB debugging is off, seeing as most rooting solutions required USB debugging I should be good for the average criminal. So the only way to have access to my data...(obviously SD card is immediately compromised with physical access) would be to guess my unlock code. Otherwise, a full wipe of the phone would be required for it to be usable but that should delete all my accounts off the device.
(At least this is what I tell myself to sleep better at night lol)
Click to expand...
Click to collapse
Getting all your data is as trivial as flashing a custom recovery for locked bootloaders which will provide direct root access.
It probably takes less than a few minutes.
Like they say, there's nothing more dangerous than the sense of false security.
Its not just having a Locked bootloader but also having USB Debugging off, 3rd Party App installs off as that alone would dramatically reduce the number of compatible tools to achieve root access to your device. As far as I know you have to be rooted in most cases to install custom recoveries or at least that is what most instructions say. Remember security is hardly ever a complete solution, its about making it not worth the effort.
For the average person/criminal it is not worth their time to access my data as it is actually worthless to them, As I said the SD card is already taken as soon.
My antitheft software will be lingering with a Data Wipe command, I would have changed the account information stored, I never stored Billing information. So my risk level is very low and not worth any more effort on my end.
As stated, Im speaking from a personal perspective and not a "best practice" one.
The real problem is we like to unlock everything and tick every security risk option and then complain when things get patched that make our device more secure, like all the root exploits.
BL unlocked - Any compilable kernel can now run
USB Debugging - Access from PC's to send commands to your device
Installs from unknown sources - Allows installations of root apps and other apps
All things we need set to do some great things with our devices but how many of us actually look back at these setting once we enable them. It is the equivalent to taking off a door to get the fancy new furniture inside but never putting it back on when we are done.
elias234 said:
i think the best to happen is to have passwords , when entering fastboot or flashtool , a password should pop up to access the fastboot or flash tool connection , and when entering recovery , a password should also pop up , it is so much secure to get these , but i think it is so hard to make it work or even impossible
Click to expand...
Click to collapse
Suppose i have encrypted my device, i.e., it asks for password before booting up...
Q1 So, is it still possible to access the fastboot or recovery mode? Will entering the recovery or fastboot mode would require the password?
Q2 If no, how can i prevent access to fastboot and recovery mode with an unlocked bootloader?
Yo. I got my Nexus 6P the other day and immediately flashed CM13 on it, and came across a couple of problems. I used the following guide, step by step: (Can't post links. but it's on Devs-Lab)
So, first off, after finishing everything (Unlocking the bootloader, Rooting & Installing Recovery and finally installing CM13) I came across a couple of problems. Firstly, my phone refused to start as it couldn't be decrypted even though I never encrypted it or set a password for the encryption (which it asked me for, to decrypt) so I tried to factory reset the phone. Didn't work, formated the phone which did work and now it launches / works with no issues. However, every time I start the phone it tells me that the device is corrupted and can't be trusted. What's up with this?
Thanks in advance,
Alex.
I don't have CM installed but what you are describing is normal. Read this:
https://support.google.com/nexus/answer/6185381?p=verified_boot&rd=1
Ah yeah, you're right.
But what about the encryption thing? It's sketchy as ****, I know for sure I didn't encrypt the phone myself / set a password to decrypt it.
zixti said:
Ah yeah, you're right.
But what about the encryption thing? It's sketchy as ****, I know for sure I didn't encrypt the phone myself / set a password to decrypt it.
Click to expand...
Click to collapse
The device comes encrypted out the box.
If you look at the article by Heisenberg
http://forum.xda-developers.com/nexus-6p/general/guides-how-to-guides-beginners-t3206928
3. How To Decrypt Your Data Partition
This is no longer necessary as long as you use TWRP 2.8.7.1 or newer
Click to expand...
Click to collapse
And according to that thread, formatting your phone will remove the encryption. Which it did. Gotcha.
Last thing, why did it ask me for a password to decrypt? Or, why didn't I have that password? Mostly out of curiosity.
Hi all,
Just ordered my OnePlus 5 and doing a little research whilst waiting for it to reply.
I'm struggling to understand why people would choose to disable encryption - have I missed something?
The only 'downside' to having it (that I can see) is having to unlock with a pattern/PIN at first boot (and when entering TWPR etc). I guess there will also be a slight performance hit, but shouldn't be noticeable.
The 'upsides' to having it are the added security if you loose your phone (and maybe Magisk needs it).
Removing encryption needs an extra file to flash after installing TWRP, and then having to format the user partition / sd card.
Any thoughts?
Cheers,
phoenix1589 said:
Hi all,
Just ordered my OnePlus 5 and doing a little research whilst waiting for it to reply.
I'm struggling to understand why people would choose to disable encryption - have I missed something?
The only 'downside' to having it (that I can see) is having to unlock with a pattern/PIN at first boot (and when entering TWPR etc). I guess there will also be a slight performance hit, but shouldn't be noticeable.
The 'upsides' to having it are the added security if you loose your phone (and maybe Magisk needs it).
Removing encryption needs an extra file to flash after installing TWRP, and then having to format the user partition / sd card.
Any thoughts?
Cheers,
Click to expand...
Click to collapse
I second this opinion, I'd like to know before my device arrives tomorrow.
I did find a thread on the OP3 forums earlier, the read/write speed difference is negligible... So performance wise it doesn't make much difference.
My university requires an encrypted phone for Outlook though... Not a big deal as there are plenty of other alternate email apps available but it'd be nice to use for a change.
Alex Charles said:
I second this opinion, I'd like to know before my device arrives tomorrow.
I did find a thread on the OP3 forums earlier, the read/write speed difference is negligible... So performance wise it doesn't make much difference.
My university requires an encrypted phone for Outlook though... Not a big deal as there are plenty of other alternate email apps available but it'd be nice to use for a change.
Click to expand...
Click to collapse
my 1+3 was always encrypted, never had to wait for anything.
Gesendet von meinem Lenovo YT3-X50F mit Tapatalk
I remember reading something about not being able to restore data partition from a nandroid backup as it leads to bootloop and something about not being able to make a backup with security such as PIN, is this the case or an i mistaken?
AllEyezOnMe said:
I remember reading something about not being able to restore data partition from a nandroid backup as it leads to bootloop and something about not being able to make a backup with security such as PIN, is this the case or an i mistaken?
Click to expand...
Click to collapse
As far as nandroid backups and the data partition restore causing bootloops, there is a TWRP beta version released where the dev is asking for someone to test if it is fixed. As of that threads current posts no one has stepped up and confirmed if its fixed one way or the other.
You are correct that it is recommend that before you take a nandroid backup that you need to change your lock screen security to swipe or none. Otherwise a restore causes bootloops but there is a documented workaround using TWRP.
The workaround results in your lock screen security being removed (specific files are deleted). What I don't like about being forced to remove the lock screen security to do a nandroid backup is that it also wipes all your finger print input. Re-entering a pin number or swipe, is not much of a bother but doing four fingerprint training each time I want to take a safe nandroid backup is a pain. Previously I liked doing a nandroid backup at least once a week now I'll only do it when I feel any system changes (e.g. OTA, ROM flash), will put my phone at risk. With that being written I will still remain encrypted at least for the foreseeable future.
What I don't like about being forced to remove the lock screen security to do a nandroid backup is that it also wipes all your finger print input. Re-entering a pin number or swipe, is not much of a bother but doing four fingerprint training each time I want to take a safe nandroid backup is a pain.
Click to expand...
Click to collapse
Is there not some kind of system-app that holds this info, that we could back-up with Titanium, and restore after taking the Nandroid? Still a bit of work, but at least you'll be consequent.
Encryption is automatically enabled if you set up any sort of screen lock (PIN, etc). Booting into recovery gives you a password prompt by which the PIN does not work as a decryption password.
gdanko said:
Encryption is automatically enabled if you set up any sort of screen lock (PIN, etc). Booting into recovery gives you a password prompt by which the PIN does not work as a decryption password.
Click to expand...
Click to collapse
So how do you decrypt to access files from within TWRP recovery? Given this is needed to do backups (which are working, according to the TWRP 3.1.1 thread) there must be a way.
gdanko said:
Encryption is automatically enabled if you set up any sort of screen lock (PIN, etc). Booting into recovery gives you a password prompt by which the PIN does not work as a decryption password.
Click to expand...
Click to collapse
In my case the PIN I've set up works perfectly as decryption password.
phoenix1589 said:
So how do you decrypt to access files from within TWRP recovery? Given this is needed to do backups (which are working, according to the TWRP 3.1.1 thread) there must be a way.
Click to expand...
Click to collapse
depends on the right twrp version. dont look for the original one yet, look for the right one for the op5.
halfblack said:
In my case the PIN I've set up works perfectly as decryption password.
Click to expand...
Click to collapse
I've tried both PIN and password with zero success.
---------- Post added at 11:46 PM ---------- Previous post was at 11:44 PM ----------
halfblack said:
In my case the PIN I've set up works perfectly as decryption password.
Click to expand...
Click to collapse
What version of OxygenOS do you have?
gdanko said:
I've tried both PIN and password with zero success.
---------- Post added at 11:46 PM ---------- Previous post was at 11:44 PM ----------
What version of OxygenOS do you have?
Click to expand...
Click to collapse
I went from 4.5.0 to 4.5.3. I don't know what makes it work for me (I remember that I had issues just like you did on 3T).
From what I've gathered, you must remove pattern/PIN protection (I'm assuming this disables encryption?) before creating a backup via TWRP or else it will be impossible to decrypt (even with the right pattern/PIN), requiring a factory reset, which kinda negates the whole point of a backup. As long as you remember to do that (or TWRP for the OP5 matures a little more, it is after all only a few days old at this point), there isn't really a reason to disable it.
Also, any non OxygenOS based ROM will need the data to be decrypted for it to boot.
There are a few reasons to decrypt, but if you have to ask why you should or shouldn't, then you probably don't need to decrypt if the first place, so don't.
So I need to decrypt in order to flash roms?
Not, there is no reason to. Bare in mind I always decrypted my phone's
The trade off just isn't worth it.
Run a script is enter a password, either way you have work to do.
Sent from my ONEPLUS A5000 using XDA-Developers Legacy app
gursimar said:
So I need to decrypt in order to flash roms?
Click to expand...
Click to collapse
For the oreo Rom yes
Padres_1984 said:
For the oreo Rom yes
Click to expand...
Click to collapse
When it's completely released this should not be the case.
How I decrypt my phone. There is something called no verity, but I can't find it.
Odoslané z ONEPLUS A5000 pomocou Tapatalku
chlap said:
How I decrypt my phone. There is something called no verity, but I can't find it.
Odoslané z ONEPLUS A5000 pomocou Tapatalku
Click to expand...
Click to collapse
To decrypt your phone you need to back it up and format data..if you check my signature you'll see the method I used for no limits Oreo (decrypted) from nougat (encrypted)
Hello,
I doesn't know if this is a real problem in newer Android versions.
I apologize if this problem is already solved; i'm out of Android development since a while...
From me the problem is to protect MY data if I loss the phone...
If my phone is password protected (and bootloader locked), a person that found the device can't use it directly.
It can unlock the bootloader (more or less easily) but the phone data is removed by the unlock process.
My data is sure!
But if the bootloader is unlocked the person that has found my phone can acess to the custom recovery (or load a custom recovery if I'm on stock recovery) then force a wipe of the device.
Due to that, all my security (fingerprint and lock code) was erased and the user can access to my phone and also to all the data stored in /sdcard.
My data isn't sure!
It exists any mode to use a custom ROM but maintaining my data sure?
(I'm not confidence with the Google remote device access)
Thanks in advance!
I think you'll be fine, as the data on your internal memory should be encypted, which is enabled by default!
I'll be honest and I mean no offense but your data is worthless. If someone steals your device the first things done are Sim removed and devices reset or powered off. Data thieves don't get the data from stolen devices. They get it from the places we give it freely. Like shopping stores and on line accounts.
Nobody can access your phone data the way you describe unless you also run your phone decrypted --which is not the default for Android or even for custom ROMs for that matter. When you boot into recovery on a phone that is encrypted TWRP asks for your pin number and without it your data is not accessible. But that doesn't mean a thief couldn't still wipe and use your phone. You need to report it stolen so the IMEI number is blacklisted.
jhs39 said:
Nobody can access your phone data the way you describe unless you also run your phone decrypted --which is not the default for Android or even for custom ROMs for that matter. When you boot into recovery on a phone that is encrypted TWRP asks for your pin number and without it your data is not accessible. But that doesn't mean a thief couldn't still wipe and use your phone. You need to report it stolen so the IMEI number is blacklisted.
Click to expand...
Click to collapse
The /sdcard in phones that doesn't have external sdcard, like O+5, are also protected by the encriptation?
Thanks
bartito said:
The /sdcard in phones that doesn't have external sdcard, like O+5, are also protected by the encriptation?
Thanks
Click to expand...
Click to collapse
Yep, like any other android, the oneplus 5 has full disk encryption enabled by default:
http://www.androidpolice.com/2015/1...ll-disk-encryption-by-default-on-new-devices/
bartito said:
Hello,
I doesn't know if this is a real problem in newer Android versions.
I apologize if this problem is already solved; i'm out of Android development since a while...
...........................................
Click to expand...
Click to collapse
Well, IMO your concern is right to some extent.
With an unlocked bootloader, if there is some version of TWRP (or any other customer recovery for that matter) that can decrypt your data partition automatically or if you have ever formatted your /data partition from TWRP , or even an insecure kernel (most insecure kernels allow USB debugging without asking for authorization keys), all the thief needs is 2 adb commands and your screen lock will be turned off and all your stuff will be exposed 'as is'.
For educational purposes, the commands are:
Code:
adb shell rm /data/system/*.key
adb reboot
Now, for that matter, having a locked bootloader either doesn't ensure that your data is safe. For example, for HTC phones, you don't even need to unlock the bootloader for flashing a custom recovery or kernel. You can turn the phone to S-Off state using some proprietary tools (without losing data) and then flash custom images over a locked bootloader.
In case of Samsung, only FRP lock prevents you from flashing custom images (that too on newer phones) but in that case also, you can turn FRP off using some paid services and then flash any custom images and run the above mentioned commands.
In case of LG, it is even easier. Professional tools exist for communication over download mode protocol and turning off the screen lock doesn't even require a custom image in LG's case. However, most newer models are not supported by those tools yet.
In case of Apple, professional tools existed that used to read screen lock over a time span of 1-4 hours in an older version of iOS. I've heard that a tool is being made available for the current versions also in the coming weeks.
So, if you are conscious about your data, it is safe as far as the you have the phone in your possession. Once you lose it, you can't be sure about what is happening with it.
But then, as said in above posts, why would the thief want to crack open the data of a common man. If you are not a common man, you should worry. Otherwise I personally really don't care.
Hello,
Absolutelly appreciate your anwer.
I'm a common man, but I'm a bit worried due to 2 points:
1) I'm using LastPass and I doesn't would to my passwords to fall into someone's hands if I loss the device,
2) I'm using the app from my bank to pay using NFC and I doesn't would that anyone can use it
EDIT: 3) Of course, I'm using my Google account to store my contacts data. It would be a mess if someone erase my contacts
Thanks!
sikander3786 said:
Well, IMO your concern is right to some extent.
With an unlocked bootloader, if there is some version of TWRP (or any other customer recovery for that matter) that can decrypt your data partition automatically or if you have ever formatted your /data partition from TWRP , or even an insecure kernel (most insecure kernels allow USB debugging without asking for authorization keys), all the thief needs is 2 adb commands and your screen lock will be turned off and all your stuff will be exposed 'as is'.
For educational purposes, the commands are:
Code:
adb shell rm /data/system/*.key
adb reboot
Now, for that matter, having a locked bootloader either doesn't ensure that your data is safe. For example, for HTC phones, you don't even need to unlock the bootloader for flashing a custom recovery or kernel. You can turn the phone to S-Off state using some proprietary tools (without losing data) and then flash custom images over a locked bootloader.
In case of Samsung, only FRP lock prevents you from flashing custom images (that too on newer phones) but in that case also, you can turn FRP off using some paid services and then flash any custom images and run the above mentioned commands.
In case of LG, it is even easier. Professional tools exist for communication over download mode protocol and turning off the screen lock doesn't even require a custom image in LG's case. However, most newer models are not supported by those tools yet.
In case of Apple, professional tools existed that used to read screen lock over a time span of 1-4 hours in an older version of iOS. I've heard that a tool is being made available for the current versions also in the coming weeks.
So, if you are conscious about your data, it is safe as far as the you have the phone in your possession. Once you lose it, you can't be sure about what is happening with it.
But then, as said in above posts, why would the thief want to crack open the data of a common man. If you are not a common man, you should worry. Otherwise I personally really don't care.
Click to expand...
Click to collapse
jhs39 said:
Nobody can access your phone data the way you describe unless you also run your phone decrypted --which is not the default for Android or even for custom ROMs for that matter. When you boot into recovery on a phone that is encrypted TWRP asks for your pin number and without it your data is not accessible. But that doesn't mean a thief couldn't still wipe and use your phone. You need to report it stolen so the IMEI number is blacklisted.
Click to expand...
Click to collapse
Black listing the imei doesn't work everywhere. Plus while banned on xda so I can't say how. But the imei is not that hard to change.
bartito said:
Hello,
Absolutelly appreciate your anwer.
I'm a common man, but I'm a bit worried due to 2 points:
1) I'm using LastPass and I doesn't would to my passwords to fall into someone's hands if I loss the device,
2) I'm using the app from my bank to pay using NFC and I doesn't would that anyone can use it
EDIT: 3) Of course, I'm using my Google account to store my contacts data. It would be a mess if someone erase my contacts
Thanks!
Click to expand...
Click to collapse
Maybe some experts can give their opinion on how to protect your data using some third party apps or by using some other options that I am not aware of. But in my opinion, a phone with an unlocked bootloader is always more vulnerable than a phone with locked bootloader.
Of course, I agree with your affirmation at 100%
The question is: I can improve security if I keep TWRP as a recovery instead of return to the stock recovery and I lock the bootloader?
Thanks
sikander3786 said:
Maybe some experts can give their opinion on how to protect your data using some third party apps or by using some other options that I am not aware of. But in my opinion, a phone with an unlocked bootloader is always more vulnerable than a phone with locked bootloader.
Click to expand...
Click to collapse
bartito said:
Of course, I agree with your affirmation at 100%
The question is: I can improve security if I keep TWRP as a recovery instead of return to the stock recovery and I lock the bootloader?
Thanks
Click to expand...
Click to collapse
I don't think you will be able to boot TWRP after relocking the bootloader. You need to test it yourself. Chances are very few because locked bootloaders prevent from booting un-signed images.
If you do manage to boot TWRP after relocking, make sure your data is encrypted. If it is not, then it doesn't matter if the bootloader is locked or not.
Also, you will need to turn off "oem unlock" option from developer options.
sikander3786 said:
I don't think you will be able to boot TWRP after relocking the bootloader. You need to test it yourself. Chances are very few because locked bootloaders prevent from booting un-signed images.
If you do manage to boot TWRP after relocking, make sure your data is encrypted. If it is not, then it doesn't matter if the bootloader is locked or not.
Also, you will need to turn off "oem unlock" option from developer options.
Click to expand...
Click to collapse
I think in the end I will stay as I am: bootloader unlocked and TWRP instead of the original recovery.
After all... I've never lost a phone...
bartito said:
The /sdcard in phones that doesn't have external sdcard, like O+5, are also protected by the encriptation?
Thanks
Click to expand...
Click to collapse
I haven't checked, but I believe it should.
nxss4 said:
Yep, like any other android, the oneplus 5 has full disk encryption enabled by default:
http://www.androidpolice.com/2015/1...ll-disk-encryption-by-default-on-new-devices/
Click to expand...
Click to collapse
Uh no, OP5 with OOS 4.5.x Nougat uses File-Based Encryption (FBE), not FDE.
I know because I wrote the utility to get back to FDE, which works if you change the/fstab* file:
https://forum.xda-developers.com/showthread.php?t=3672477
sikander3786 said:
Well, IMO your concern is right to some extent.
With an unlocked bootloader, if there is some version of TWRP (or any other customer recovery for that matter) that can decrypt your data partition automatically or if you have ever formatted your /data partition from TWRP , or even an insecure kernel (most insecure kernels allow USB debugging without asking for authorization keys), all the thief needs is 2 adb commands and your screen lock will be turned off and all your stuff will be exposed 'as is'.
Click to expand...
Click to collapse
Do you have a source for the first part of that information? The part where if userdata is formatted with TWRP, it is vulnerable?
I don't see how that can happen unless you run decrypted. TWRP is never involved in the encryption process. When you format userdata, it just runs mkfs. Android upon booting sees the forceencrypt flag in the fstab and then promptly encrypt the device with a default passphrase. When you later set up security, the passphrase is changed to whatever you input.
How can TWRP decrypt the files at this point without your passphrase?
Note that if you are running FBE, and run adb shell on a device that's booted into TWRP while waiting for the password, you will be able to see the file structure under /data, but most of its contents will be garbage (=encrypted).
If you're running FDE, and run adb shell on a device that's booted into TWRP, /data will be completely inaccessible.
sikander3786 said:
For educational purposes, the commands are:
Code:
adb shell rm /data/system/*.key
adb reboot
Click to expand...
Click to collapse
This will remove the PIN/password phrase to get into Android, but won't give access to any encrypted files.
That may mess your phone royally as well.
Hello,
Thanks for your anwer. I appreciate the time that have you spend on my question
I need to go to the FDE thread to learn a bit more about the process and results.
Now, I have 2 more questions...
1) If the phone is encrypted with FBE a user can remove user passwords using "adb shell rm /data/system/*.key
&& adb reboot" commands, like @sikander3786 has explained but, due to the device is encripted, it can't access to my data
and the device will require for the decrypt password when booting in normal mode or recovery. I'm correct?
2) If the device is encrypted with FBE a user can access to /sdcard even without the decrypt password in recovery (TWRP) mode but not if encrypted with FDE?
Thanks again!
Fif_ said:
I haven't checked, but I believe it should.
Uh no, OP5 with OOS 4.5.x Nougat uses File-Based Encryption (FBE), not FDE.
I know because I wrote the utility to get back to FDE, which works if you change the/fstab* file:
https://forum.xda-developers.com/showthread.php?t=3672477
Do you have a source for the first part of that information? The part where if userdata is formatted with TWRP, it is vulnerable?
I don't see how that can happen unless you run decrypted. TWRP is never involved in the encryption process. When you format userdata, it just runs mkfs. Android upon booting sees the forceencrypt flag in the fstab and then promptly encrypt the device with a default passphrase. When you later set up security, the passphrase is changed to whatever you input.
How can TWRP decrypt the files at this point without your passphrase?
Note that if you are running FBE, and run adb shell on a device that's booted into TWRP while waiting for the password, you will be able to see the file structure under /data, but most of its contents will be garbage (=encrypted).
If you're running FDE, and run adb shell on a device that's booted into TWRP, /data will be completely inaccessible.
This will remove the PIN/password phrase to get into Android, but won't give access to any encrypted files.
That may mess your phone royally as well.
Click to expand...
Click to collapse
nxss4 said:
I think you'll be fine, as the data on your internal memory should be encypted, which is enabled by default!
Click to expand...
Click to collapse
Suppose i encrypt my device, i.e., it asks for password everytime before booting...
Q1. Will booting into fastboot or recovery require the password?
Q2. If no, how can i prevent access to fastboot and recovery on an unlocked bootloader?
anuragm13 said:
Suppose i encrypt my device, i.e., it asks for password everytime before booting...
Q1. Will booting into fastboot or recovery require the password?
Q2. If no, how can i prevent access to fastboot and recovery on an unlocked bootloader?
Click to expand...
Click to collapse
You can't, but your data isn't accessible without the password
bartito said:
You can't, but your data isn't accessible without the password
Click to expand...
Click to collapse
But one can flash custom recovery from fastboot and subsequently use it to flash custom roms.
Am i right?
anuragm13 said:
But one can flash custom recovery from fastboot and subsequently use it to flash custom roms.
Am i right?
Click to expand...
Click to collapse
Yes, you can flash any recovery and any rom, but phone data can't be accessible if you don't have the password.
To use the device you need to know the password or do a data format
Isn't your phone technically always safe as long as you keep it encrypt it?
Only thing a thief could do would be a reset in both cases, isn't it?