Questions about device security with an unlocked bootloader - Samsung Galaxy Tab S5e Questions & Answers

I have some questions about device security running with an unlocked bootloader.
I am somewhat experienced and comfortable with flashing custom ROMs, mostly LineageOS,
and flashing back the original stock ROMs for Pixel and Samsung devices.
I have recently experimented with running LineageOS 20 (Android 13) on a Samsung Galaxy
Tab S5e with Magisk (and a few Magisk modules). Within several of the XDA forums, and also at
other web sites, it's recommended with custom ROMs the bootloader not be re-locked since
this can create problems.
I use my S5e for streaming videos, basic web browsing and other things. I don't do banking or
have anything I would consider a huge security risk. My intent is to understand what risks
exist with an unlocked bootloader so I can make more informed decisions about what I should/should
not install.
With later versions of Android, including 13, the built in storage is encrypted by default.
If the device is powered off filesystems are at rest in an encrypted state so is it possible
for someone else to gain access to my data if they power on the device or flash
their own recovery and/or custom OS? If someone boots into recovery mode encrypted
filesystems should not be mounted and remain unavailable. I'm wanting to understand where
there are weaknesses that could be exploited to access data.
If the device is powered on and the OS has been screen unlocked the first time after boot
(so encrypted filesystems are mounted and available) is access to my data at increased risk,
assuming USB debugging is disabled?
Can apps be sideloaded in recovery mode that an attacker could use to gain access to data
in other ways even if encrypted filesystems have not been mounted?
Any other security issues to be aware of?
If risks I haven't considered are too great I can also go back to stock ROM, but would consider
ways of mitigating or reducing any risks with a custom ROM and unlocked bootloader.
Please let me know if there is a more appropriate place for this posting.
Thanks,
Rodney

Samsung encryption is not supported in TWRP recovery, but I have seen Samsung devices running LineageOS on AOSP encryption.
Of course, on an unlocked bootloader an attacker can enable adb, inject scripts and gain root access easily. However, it still requires lock screen credentials for decrypting, so your personal data remains secured.
For some devices it's possible to set a user-settable root of trust; this would allow compiling LineageOS with avb/dm-verity and re-locking the bootloader.
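An added example, not part of the reply above or of the thread: a small shell check that reads the verified boot and encryption properties from `getprop` output and reports the state the reply describes. The property names are the standard AOSP ones and may be missing on some vendor builds (reported as unknown); the function names and the sample dump are this example's own.

```shell
# Added example, not from the thread. Reads boot and encryption state from
# `getprop` output, whose lines look like "[key]: [value]".
# prop_value DUMP KEY: print KEY's value, or nothing when the property is absent.
prop_value() {
    printf '%s\n' "$1" | awk -v k="[$2]:" '$1 == k {
        v = $0; sub(/^[^ ]+ \[/, "", v); sub(/\]$/, "", v); print v; exit
    }'
}

# assess_posture DUMP: print one "name=value" finding per line.
assess_posture() {
    vb=$(prop_value "$1" ro.boot.verifiedbootstate)
    locked=$(prop_value "$1" ro.boot.flash.locked)
    crypto=$(prop_value "$1" ro.crypto.state)
    ctype=$(prop_value "$1" ro.crypto.type)
    # AVB colours: green = locked, OEM key; yellow = locked, user-set key;
    # orange = unlocked; red = verification failed.
    case "$vb:$locked" in
        orange:*|*:0) boot=unlocked ;;
        yellow:*)     boot=locked-user-key ;;
        green:*)      boot=locked-oem-key ;;
        red:*)        boot=verification-failed ;;
        *)            boot=unknown ;;
    esac
    case "$crypto:$ctype" in
        encrypted:file)  data=file-based-encryption ;;
        encrypted:block) data=full-disk-encryption ;;
        encrypted:*)     data=encrypted ;;
        unencrypted:*)   data=unencrypted ;;
        *)               data=unknown ;;
    esac
    echo "boot=$boot"
    echo "data=$data"
    # The reply's point: unlocking exposes the OS to modification, while
    # encrypted user data still needs the lock screen credential.
    case "$boot:$data" in
        unlocked:unencrypted) echo "verdict=data-readable-with-physical-access" ;;
        unlocked:unknown)     echo "verdict=os-modifiable-data-state-unknown" ;;
        unlocked:*)           echo "verdict=os-modifiable-data-needs-credential" ;;
        locked-*)             echo "verdict=verified-boot-enforced" ;;
        *)                    echo "verdict=undetermined" ;;
    esac
}

# Constructed sample dump (not captured from a real device).
sample_dump() {
    printf '%s\n' '[ro.boot.verifiedbootstate]: [orange]' \
        '[ro.boot.flash.locked]: [0]' '[ro.crypto.state]: [encrypted]' \
        '[ro.crypto.type]: [file]'
}
assess_posture "$(sample_dump)"
```

On a connected device, pass `"$(adb shell getprop)"` to `assess_posture` instead of the sample.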

Thanks for the reply, would be great to figure out a way to be able to lock the bootloader with LineageOS.
I do notice the "OEM Unlocking" option does not exist in Developer Settings in LineageOS 20.

lol have fun!
How to properly ENABLE dm-verity and FEC for /system on Motorola X4 with LineageOS 17.1?

Related

[Q] safely remove encryption

After receiving my beloved 1+2, I rooted it, installed TWRP and flashed Xposed. Then I encrypted the phone. After wanting to update the rom, I realized TWRP doesn't yet support encryption. I reflashed the stock recovery, which I found here. This didn't help either, no encryption supported.
How can you safely remove the encryption? Does anyone have a functioning setup with stock recovery and an encrypted device? Or is it possible to flash new firmware through fastboot leaving it encrypted?
I made my HTC M7 useless trying to remove its encryption, so I'm really careful on the 1+2...
Does really nobody know how to reverse this prominent feature in Android???
A simple factory reset from the settings menu completely removed the encryption

Device Encryption not possible?

My x727 fails to encrypt itself. After the reboot it did not start the encryption but got stuck for several hours.
Has anyone managed to encrypt the phone? Thank you.
(On my phone, Magisk v8, TWRP, PHH's Superuser and xposed is installed.)
Now that more people have the phone and more ROM versions (including first custom ROMs) are available: has anyone managed to encrypt the phone?
(Device encryption is very important to me because my employer does not allow me to connect an unencrypted phone to the firm network. Therefore, the phone is currently almost useless to me.)
Thanks!
I suppose the x727 data partition is already factory encrypted because during unlocking tests some users said the device asks for a key.
I have now managed to encrypt the phone with the latest ROM: http://forum.xda-developers.com/le-pro3/how-to/5-9-020s-update-x720-t3506829
Are you using AirWatch?

Questions around Encryption (root, OTA, backups)

Hello,
I just ordered my first OnePlus and should receive it by the end of the month. Like all my previous (and quite old) phones, I would like to root it for several reasons and I found the native encryption needs to be disabled in order to be able to root the phone. Fair enough.
Since I never had to deal with encryption on my previous phones, I was wondering if you could tell me more about the consequences:
1) once the phone is rooted, can I enable the encryption again without hassles?
2) once rooted and (hopefully) encrypted, how will I have to update my phone? Flash the full OTA every time (no partial updates allowed on rooted phones if I understood correctly)? Can I do this without disabling/re-enabling the encryption? After the full flash, will the data & cache be wiped or will it be hassle-free?
3) I generally use Titanium Backup to back up my apps (hence the need for root access) and copy the files on a network drive. Am I correct to assume that native encryption of the OP5 will not affect this process (either during backup or when the files are copied to the network drive (encrypted))?
Thanks for your help
First of all, native encryption will still work when rooted. When you root using SuperSU or Magisk the encryption will stay. When you get your phone you first must boot to fastboot and unlock the bootloader. Doing so will erase data so do it as soon as you get the phone. Second, you will need to flash TWRP. Wipe factory settings and flash SuperSU or Magisk 13.3. I prefer Magisk. Once in setup you will need to put a password and fingerprint to get the encryption started. After that you're all set. To update the ROM just head to downloads.oneplus.net and download the correct ROM for OnePlus 5 and flash it over TWRP then flash Magisk/SuperSU after. I prefer using [ROM] xXx NoLimits 2.0 [OOS][OP5] ☆ Speed/RAM optimized ☆ because it uses stock Oxygen OS ROM with better performance and battery life. Plus extra features like debloating. But other than that you will not lose encryption when rooting. Only when you want to install custom ROMs for right now like (LineageOS, RR, AOSP).

Re-encrypt Data?

I'm rooted using Magisk and I'm using ElementalX kernel, I do not have TWRP installed as I want to get OTAs... my question is, can I re-encrypt my data without losing Magisk? I remember TWRP having problems decrypting the partition when I first tried to install Magisk/EX so, in case I lose Magisk, can I reinstall Magisk/EX in TWRP or FlashFire once I re-encrypt my device? (i.e. can TWRP decrypt "user encrypted" data partitions? and/or can Magisk run from an encrypted data partition?)
You have a premise incorrect here... If you are not 100% stock, you CANNOT take an OTA, even if you have stock recovery... you have modified the kernel, ramdisk image (Magisk), and likely the system partition (if not, why did you bother to root?), so OTA updates will FAIL. Even with FlashFire there is less than a 50% success rate with this device when rooted.
Although I haven't tried in a long time, TWRP should handle encryption fine, as long as you know the password/PIN... I can't speak for ElementalX specifically, but it is a mainline kernel so I think it should be fine.
The point is that once you have unlocked the bootloader, your device security is pretty much zero... that is kind of a given, encryption helps safeguard your private information, but unlocked bootloader negates FRP and anyone could just fastboot TWRP, wipe and enjoy using your device. This is one of the reasons (of several) that I have stopped unlocking the bootloader and rooting anymore.
My question was mainly about Magisk and TWRP working with encrypted partitions.
About the security, I'm aware of the implications and I just want to keep my data safe, which is more important than the device itself.
As for the device modifications, AFAIK ElementalX uses the ramdisk just as Magisk does, it doesn't write anything to the kernel partition, also, I haven't modified /system at all; all possible modifications I've done have been through Magisk modules and Xposed (which I installed systemlessly of course). The main reason I rooted is indeed Xposed so I can use stuff like NeoPowerMenu, Whatsapp Extensions, ActivityForceNewTask, etc.
Given the fact that I've only modified the ramdisk so far, are you sure that I can't accept OTAs? (I know they'll break my current setup, but it should be easy to fix)
Positive... 99% sure they will fail. And although Xposed may be installed systemless, its modules still modify /system.

Can we flash custom rom without rooting the Mi A1 ?

Flashing the custom ROM with rooting the device makes the device less secure and we cannot use the internet banking applications, so can we flash the custom ROM without rooting the device? If yes, then what will be the procedure?
Jajajajajaja sorry but your question is very funny????
But no, it's not possible to install a custom ROM without root
I would think one can flash when booted into TWRP. One needs to be unlocked though.
The custom ROM you flash does not need to be rooted either.
In fact one can boot into TWRP from fastboot. So one does not even need TWRP on the device itself.
You do not need to root your device to use a custom ROM. But if you wanna flash GApps, then you need to root your device or it may not work as intended.
Wrong, Gapps can be installed from TWRP which has unlimited access to the system partition. In that sense, TWRP is "rooted". But this has nothing to do with the installed firmware being rooted or not.
Wow this thread exploded with mis-information.
You can install custom ROMs onto your device via TWRP, as well as flash GAPPS and any custom kernels, mods etc you'd like WITHOUT having to gain superuser access within the ROM itself.
You WILL however require to unlock your bootloader that, at least as far as I know, WILL trigger safety net and thus render certain applications (like said banking apps) unusable. To avoid this you can flash magisk, an alternative root solution that also masks certain aspects of the device that allows the device to pass safetynet while retaining root.
There are plentiful amounts of tutorials out pretty much everywhere that will allow you to easily unlock your bootloader, install twrp and root w/ magisk if desired, etc.
DECHTECH said:
Wow this thread exploded with mis-information.
You can install custom ROMs onto your device via TWRP, as well as flash GAPPS and any custom kernels, mods etc you'd like WITHOUT having to gain superuser access within the ROM itself.
You WILL however require to unlock your bootloader that, at least as far as I know, WILL trigger safety net and thus render certain applications (like said banking apps) unusable. To avoid this you can either A. Relock your bootloader after flashing custom rom (should work) or B. Flash magisk, an alternative root solution that also masks certain aspects of the device that allows the device to pass safetynet while retaining root.
There are plentiful amounts of tutorials out pretty much everywhere that will allow you to easily unlock your bootloader, install twrp and root w/ magisk if desired, etc.
I don't think you can relock the bootloader when on a custom rom. This will probably brick your device since it will fail the checks of the locked bootloader and then you will have a bricked device with a locked bootloader.
So yeah, you also spread some misinformation I suppose which is even more dangerous than what the other users suggested.
+1, no way you can relock your bootloader after installing a custom firmware. Bootloop guaranteed.
michkost858 said:
I don't think you can relock the bootloader when on a custom rom. This will probably brick your device since it will fail the checks of the locked bootloader and then you will have a bricked device with a locked bootloader.
Lannig said:
+1, no way you can relock your bootloader after installing a custom firmware. Bootloop guaranteed.
Could have sworn you could do this but I guess I was wrong, sorry for that.
Edited original post.
