How Secure Is Android?

Sajan Parikh

I've got a Samsung Galaxy SII Skyrocket (2.3.6) and was wondering how secure the device itself is.

I've set a password on it, but if I lose the phone...what are the chances of someone breaking into it before I get a chance to remotely wipe the device?

Say for example on a 4 character, all lowercase alpha password.
 

xlDeMoNiClx

Depends on how easy to guess your password is. If you make it something obvious then I wouldn't get my hopes up that it'll stay secure.
 

PvilleComp

A 4 digit pin only has 10,000 possible solutions. So yes it can eventually be cracked.

I just tested the pin unlock in Gingerbread (CM7) and it will "lock you out" after 5 attempts. The lockout is only 30 seconds, but it adds time to the equation.
 

EvilMonkey

A 4 digit pin only has 10,000 possible solutions. So yes it can eventually be cracked.

That's only if you set up a 4 digit numeric password. He was asking about alphanumeric (letters and numbers), which significantly increase the number of combinations:

Sticking with only lower case letters (26) + numbers (0-9) = 36 ^ 4 = 1,679,616 possible combinations
Including upper and lower case increases that to 64 ^ 4 = 14,776,336 combinations.

So I would say a 4 digit alphanumeric password (even if you stick with all lower case letters) is relatively secure and should buy you quite a bit of time, especially if there's a 30 second lockout after 5 failed attempts, since even if they have some kind of automatic program that will quickly try 5 combinations then wait 30 seconds, it's still going to slow them down a LOT to get through 1.6+ million combinations (or more accurately, however many combinations they have to try before they hit the correct one)

If you want more security than that, use upper and lower case, or set up your password with 6 or 8 or 10 characters (which makes it more of a pain to unlock the phone of course)
 

Sajan Parikh

Thanks for the replies.

I guess I should've been more clear. I'm not too worried about some random kid at a Taco Bell picking up my phone and trying passwords.

I was wondering about someone actually cracking/hacking the phone. Or perhaps law enforcement access, and things like that.
 

xlDeMoNiClx

Thanks for the replies.

I guess I should've been more clear. I'm not too worried about some random kid at a Taco Bell picking up my phone and trying passwords.

I was wondering about someone actually cracking/hacking the phone. Or perhaps law enforcement access, and things like that.

I'm almost positive that it's impossible to hack a phone, they're not like computers. But I guess anything's possible these days.
 

KMyers

Android is inherently secure by design. Some tips are

1) Encrypt the phone AND sd card if your version supports it (Prevents nandroid backups from being read)
2) Turn off USB Debugging when not needed
3) Use strong passwords rather than PINs
4) BARK Twice
5) Read and Understand all app permissions
 

EvilMonkey

I was wondering about someone actually cracking/hacking the phone. Or perhaps law enforcement access, and things like that.

Well, I guess it's as secure as you make it. I mean, if you have a removable SD card that's not encrypted, all someone has to do is take it out and put it in a card reader, right? So that's not very secure, so it won't matter how hard your password on the device is if you can just bypass it by taking out the SD card.

I don't think you really have to worry about someone hacking the device itself. Follow KMyers' advice and you'll be fine, I would think.

Don't get me wrong, if the FBI confiscates the phone, they probably have all sorts of ways to get the stuff (I'm guessing...but I watch a lot of movies that may not be entirely accurate)
 

Cellmeister


Anthonicia

Nothing is or will be 100% secure on any platform...


But Read This:

"LOL! FBI Can't Unlock Pimps Android Phone, Serves Warrant To Google! by Eric McBride on Mar 14, 2012 10:25:59 PM"

LOL! FBI Can't Unlock Pimps Android Phone, Serves Warrant To Google! - AndroidPIT

"FBI Asks Google to Unlock Android Phone " from "mashable"

http://mashable.com/2012/03/16/fbi-android-phone/

Use all your security features of your phone!

:D

That's awesome! Been a long time since I used pattern lock. Remember getting really messed up one night and changed it. Took me a little bit to get it right, but was never locked out. Seems to me that anyone could figure it out, let alone the FBI.

Pimps up, feds down I guess, LOL.

 

conman1395

I'm almost positive that it's impossible to hack a phone, they're not like computers. But I guess anything's possible these days.

I don't know about "hack" but it is totally possible for a phone to be compromised if there is a bad app that you don't pay attention to. That along with rooting your phone could present some serious problems.
 

Anthonicia

That's only if you set up a 4 digit numeric password. He was asking about alphanumeric (letters and numbers), which significantly increase the number of combinations:

Sticking with only lower case letters (26) + numbers (0-9) = 36 ^ 4 = 1,679,616 possible combinations
Including upper and lower case increases that to 64 ^ 4 = 14,776,336 combinations.

So I would say a 4 digit alphanumeric password (even if you stick with all lower case letters) is relatively secure and should buy you quite a bit of time, especially if there's a 30 second lockout after 5 failed attempts, since even if they have some kind of automatic program that will quickly try 5 combinations then wait 30 seconds, it's still going to slow them down a LOT to get through 1.6+ million combinations (or more accurately, however many combinations they have to try before they hit the correct one)

If you want more security than that, use upper and lower case, or set up your password with 6 or 8 or 10 characters (which makes it more of a pain to unlock the phone of course)

Check your numbers again. Upper+lower+0-9=52, not 64. The odds are against a brute force attack. Not near impossible tho.

 

awswnk

Phone password security is nonexistent if there isn't any sort of auto-wipe feature baked into the system (like on BlackBerry devices if you enter the password wrong 10 times, it wipes everything), and even then a clever person can get around the auto-wipe.

Password security these days requires what's called a "work factor" in the algorithm to secure the data. This means that a series of computations is conducted in order to even test the password. A work factor equivalent to one second of processing on your desktop computer is generally enough to stop a would-be attacker dead in his tracks even if he rented a supercomputer for a day (this is assuming you have a "secure password," which I'm assuming everyone here knows what that entails). The problem with phones and other mobile devices is that their processors are so wimpy that they can't handle any sort of worthwhile work factor. It might as well not exist at all, which is almost as bad as brute-forcing a password that's protected by nothing more than a simple hash algorithm.


All of this is to say that a "secure password" will not stop a clever person from getting into your phone. Your phone is simply incapable of it.



As a side note, I use a 5-second work factor on my desktop to store some encrypted files. I once tried accessing them from my phone and it took the phone about 15 minutes to finish the calculations. It was hilarious but it's also what made me realize that phones are far, far, too weak to prevent a brute-force.
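
Added example, not part of any post in this thread: a Python sketch of the two things the thread discusses, the lock-screen delay (5 attempts, then a 30 second lockout) and a password "work factor", so their effect on different password sizes can be compared. PBKDF2-HMAC-SHA256 stands in for the work factor, and the function names, the 1000x attacker `speedup` and the sample passwords are assumptions made for illustration, not details of how Android stores credentials.

```python
import hashlib
import hmac
import time

def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a password with PBKDF2-HMAC-SHA256; `iterations` is the work factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def verify(password: str, salt: bytes, iterations: int, expected: bytes) -> bool:
    """Re-derive the key and compare in constant time."""
    return hmac.compare_digest(derive_key(password, salt, iterations), expected)

def calibrate(target_seconds: float, probe_iterations: int = 20_000) -> int:
    """Iteration count that costs roughly target_seconds on *this* machine."""
    start = time.perf_counter()
    derive_key("probe", b"\x00" * 16, probe_iterations)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(1, int(probe_iterations * target_seconds / elapsed))

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length

def lockscreen_worst_case_seconds(space: int, attempts: int = 5, lockout: int = 30) -> int:
    """Guessing at the lock screen: one lockout after every `attempts` wrong guesses.
    Typing time is ignored (assumption), so this is a lower bound."""
    return ((space - 1) // attempts) * lockout

def offline_worst_case_seconds(space: int, seconds_per_guess: float, speedup: float = 1.0) -> float:
    """Guessing against copied data: each guess costs one derivation, divided by
    the attacker's hardware advantage over the device (assumed parameter)."""
    return space * seconds_per_guess / speedup

if __name__ == "__main__":
    iters = calibrate(1.0)
    print(f"~1 s work factor on this machine: {iters} PBKDF2 iterations")
    for label, space in [("4-digit PIN", keyspace(10, 4)),
                         ("4 lowercase letters", keyspace(26, 4)),
                         ("4 lowercase+digits", keyspace(36, 4)),
                         ("10 lowercase+digits", keyspace(36, 10))]:
        online = lockscreen_worst_case_seconds(space) / 86400
        offline = offline_worst_case_seconds(space, 1.0, speedup=1000) / 86400
        print(f"{label:22} lock screen {online:12.1f} d   offline {offline:14.1f} d")
```

Both estimates scale linearly with the work factor or lockout but exponentially with password length, which is why the 10-character row dwarfs the others.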