Unlock the Bootloader and Die??

[diesteldorf]

I'm on Verizon and won't be getting this phone because I like Big Red and their coverage too much. However, I've been getting a lot of good info and entertainment, some of which is still very relevant to my current Nexus. I recently installed Cerberus Security after many stellar reviews and recommendations from this forum and have been having fun texting my phone and having it speak obscene messages to those around me.. make rude comments etc. Even if my phone never gets stolen, it is priceless entertainment for $4.00. And, it seems to gave genuine value as a security app.

I took it an extra step further and installed the zipped version for rooted devices, that can survive a factory reset just because I knew I could and it seemed like a good idea. I've also got Lookout Mobile Security installed for my own piece of mind, even though I have yet to have a virus.
Hopefully, I'll never have to depend on either one to save me.

In one of Phil's reviews on the Nexus, he mentioned that even though the Nexus 4 could easily be unlocked, not everyone should have an unlocked bootloader. I always thought that was because an unlocked bootloader would potentially allow you to blow the speakers or overclock the processor and destroy it. However, Phil also said that an unlocked bootloader could give any potential thief access to every piece of data and intimate detail on your phone.

It doesn't seem practical to unlock, relock, and unlock your phone on a wim, as it will erase all data each time, so my Nexus has been in a virtual unlocked and rooted state since the week after I got it.

However, getting back to what Phil said, if someone steals my phone directly or designs a malicious app, that Lookout fails to catch, what info could they access that they wouldn't be able to if the phone was locked and unrooted?

I could care less about pictures, videos, contacts, or MP3s, but would an unlocked bootloader allow easy access to my passwords and Google Wallet info if my bootloader is unlocked and someone knows what they are doing?

 

[Ziptied]

We could steal your pr0n collection.

 

[Jerry Hildenbrand]

would an unlocked bootloader allow easy access to my passwords and Google Wallet info if my bootloader is unlocked and someone knows what they are doing?

Yes. I could have complete access to your Google Wallet account in a matter of minutes if your bootloader is unlocked, regardless of any security you have on the lockscreen or from an app.

I power up your phone to the bootloader.
I boot with a custom boot image that gives me root at the console via adb.
I be sure to uninstall any security progam you have installed.
I reboot your phone
I use adb as root to suck every bit of data you have in it.
Or I just change a setting in a database so that there is no active screen lock and use it right from the device.
Or I just use a custom recovery to back up your files and pull data from the back up at my leisure.
Or I flash that backup on my own phone.
Or... you get the picture.

 

[diesteldorf]

I suppose the lesson is not to allow your phone to be stolen in the first place, if that even makes sense. I can understand that once your phone is stolen the odds of getting it back are probably slim anyway and less than slim if someone knows what they are doing. You just hope the average thief isn't going to have the knowledge to defeat the lockscreen and/or use adb to root the phone.

I suppose if someone did take my phone and I knew shortly enough after it happened, I might have a finite window of opportunity where I could execute the remote command to wipe the phone.

Does anyone unlock their bootloader and relock at a certain point for added security?
I'm still going to root and unlock the bootloader, still flash custom roms, but it is interesting to see the other side of the coin and know that a company like Motorola could legitimately argue that they were doing it for my benefit--not saying that I would ever agree with it.

I really don't think I'll change my behavior and don't want to be paranoid, but I've had Wallet installed on my phone since it went live and haven't had a chance to use it, so I may uninstall for the time being.

 

[Fairclough]

Or... you get the picture.

Jerry I am now scared to let anyone like you borrow my next phone now.

 

[2defmouze]

I suppose the lesson is not to allow your phone to be stolen in the first place, if that even makes sense. I can understand that once your phone is stolen the odds of getting it back are probably slim anyway and less than slim if someone knows what they are doing. You just hope the average thief isn't going to have the knowledge to defeat the lockscreen and/or use adb to root the phone.

I suppose if someone did take my phone and I knew shortly enough after it happened, I might have a finite window of opportunity where I could execute the remote command to wipe the phone.

Does anyone unlock their bootloader and relock at a certain point for added security?
I'm still going to root and unlock the bootloader, still flash custom roms, but it is interesting to see the other side of the coin and know that a company like Motorola could legitimately argue that they were doing it for my benefit--not saying that I would ever agree with it.

I really don't think I'll change my behavior and don't want to be paranoid, but I've had Wallet installed on my phone since it went live and haven't had a chance to use it, so I may uninstall for the time being.

The way I see it the primary thing is don't lose your phone. Besides that.. you can take some solace in the fact that the vast majority of people who may potentially find your lost phone are nowhere near the hacker level of Jerry, I'm going to say around 99% or more don't even know what a bootloader is (ask your friends and family and see how many know what you're talking about). Add to that the human decency factor: most people are not inherently evil, lol. Even Jerry with all his knowledge, would not actually do what he's talking about if he found some poor guy's phone (or would you, Jerry??)..

It's a great question and you should be aware of these type of security risks you open yourself up to when you have an unlocked bootloader.. but overall I say just be careful with your property and you shouldn't have any trouble. Your physical wallet requires no hacking to get to the goods inside but most people don't lose that item very often either

 

[Mellimel22]

U have those issues carrying your personal info outside lol if someone wanted to steal your info its plenty other ways a thief might try it but s phone I doubt it

Sent from my EPIC WHITE SGS2 Rockin CM10 4.1.2 using Tapatalk 2

 

[dobiegillis]

A friend of mine lost his GS2 last weekend, he thinks by leaving it at a club. He deactivated the sim next morning and figured the device was lost. Then he got a call on Thursday that someone found it on the street and number of blocks away. The case was missing and the screen cracked but my friend says otherwise he couldn't see that anyone used it. People are stupid. Some drunk probably picked it up at the club and then threw it down on the sidewalk for no reason at all.

Sent from my SGH-T989 using Tapatalk 2

 

[diesteldorf]

It's a great question and you should be aware of these type of security risks you open yourself up to when you have an unlocked bootloader.. but overall I say just be careful with your property and you shouldn't have any trouble. Your physical wallet requires no hacking to get to the goods inside but most people don't lose that item very often either

I remember around 1999/2000 when online shopping was still new and just getting off the ground. Many dotcom startups (including Amazon, I think) would allow a person to send a check by mail if they weren't comfortable entering their financial information online. I know internet sites can and have been hacked, but I've always thought the chances of having data compromised are actually higher when you mail in your information (mail could be intercepted, opened, etc.) and there are those that still pay bills the old school way and you don't read about data being stolen through the mail very often.

I can't even begin to count the number of times I've gone out to a restaurant and handed by credit card over to the waiter/waitress for them to take up front or in some back room to run the charges. Of course, if they wanted to, I'm sure they could copy the #s but when you consider the millions of people that eat out every day or give their credit card information to a live person over the phone to pay a bill, you don't hear very many instances of fraud, and information is unencrypted.

I'm glad that Jerry took the time to respond because open phones, rooting, and unlocked bootloaders have always been promoted on sites like XDA and AC and I like having total control over my phone from a modding and customization standpoint, but even I don't fully understand the security aspect of the bootloader and it's potential to be exploited in the wrong hands.

 

[Mugler Infusion]

I think anybodys best course of action is to never buy anything from your phone and never put any sensitive information on their phone, if it does get stolen you would not have to worry about problems other than getting another phone.

 

[donec]

Thanks for posting this thread.
I'm one of those that don't know anything about this bootloader stuff. With that said I don't understand how the locked bootloader helps protect you data. It seems to me that someone with the abilities of Jerry could go ahead and unlock the bootloader any time they wanted to. Is this true and if not why not.

 

[Jerry Hildenbrand]

Thanks for posting this thread.
I'm one of those that don't know anything about this bootloader stuff. With that said I don't understand how the locked bootloader helps protect you data. It seems to me that someone with the abilities of Jerry could go ahead and unlock the bootloader any time they wanted to. Is this true and if not why not.

Unlocking the boot loader is a piece of cake. But part of the procedure is wiping all user data off the phone.

Yes I could unlock it, but there would be no data on it for me to steal afterwards.

Sent from my Nexus 4 using Android Central Forums

 

[donec]

Thanks Jerry that clears up why you would re-lock the boot loader after rooting the phone and makes sense.