this post was submitted on 06 Jun 2024
910 points (97.8% liked)

Technology

59416 readers
2765 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

This is a very entertaining and educational article, giving insights into the methods used by thiefs to try and get access to your phone data.

I don't like Apple but it's great that their security is so good when it comes to this.

you are viewing a single comment's thread
view the rest of the comments
[–] Nurse_Robot 143 points 5 months ago (8 children)

As much as I love my android phone, I have to admit Apple takes privacy and security much more seriously.

[–] [email protected] 84 points 5 months ago (4 children)

How so? A Samsung or pixel with default settings would also behave that way, possibly even more securely because it wouldn't show the thieves your number.

[–] Nurse_Robot 45 points 5 months ago* (last edited 5 months ago) (9 children)

I guess just anecdotally. I have a pixel 7, I'm pretty confident I could factory reset the device without 3rd party authentication. Also, from the tech channels I follow, I think I could recover my data if I forgot the password. Android has always felt more "free"and customizable, and I love it for that. But I also think that freedom allows for more exploits. It's a trade off that's worth it to me, personally. But if I had illegal shit to hide on my phone, I'd probably do it on an apple device.

Edit: just checked. I can completely bypass all my locked down Google Pixel settings to factory reset my phone pretty easily if I press the right keys in the right order. It would be pretty easy to steal and resell my phone.

[–] wreckedcarzz 43 points 5 months ago (1 children)

If you do it the manual way - not unlocking the phone and doing it through settings - you can wipe it sure, but when you try to set it up it requires the prior Google account credentials to proceed. No creds, no passing go, just a shiny brick. It's been like that for years.

Also might I recommend you take a gander at GrapheneOS for more intense security capabilities than stock.

[–] [email protected] 7 points 5 months ago

Not sure about the latest Android version, but I managed to unlock and bypass a phone which had factory reset protection, and as far as I know a lot of vendors like Samsung have their own exploit available.
Using this you can manage to get to the settings app (while still locked, waiting for the previous owners google account) and remove the account, add your own or disable the security.
Done!

[–] [email protected] 32 points 5 months ago (1 children)

You can factory reset it easily. You can't use it without the previous Google account credentials afterwards. You can't reuse a stolen Pixel which has Google account logged into it.

[–] wreckedcarzz 9 points 5 months ago

Ding ding ding, I can confirm this. I thought it was for all devices, but I guess not.

[–] Thatuserguy 14 points 5 months ago (1 children)

For what it's worth, they're trying to fix that with Android 15. Not sure if this is one of the features they'll also be back porting to older phones too like this article briefly touches on, but either way it sounds like if you factory reset the phone, it can't be set up again unless they know your login: https://www.wired.com/story/android-15-theft-detection-lock/

Google says in a blog post, the company is adding four data protection features that can help keep your information locked down. The first stops your phone from being set up after a factory reset, unless the person knows your login details. “This renders a stolen device unsellable, reducing incentives for phone theft,” Google vice president Suzanne Frey writes.

[–] [email protected] 9 points 5 months ago (2 children)

Doesn't that already exist as the Factory Reset Protection (FRP) partition?

[–] wreckedcarzz 5 points 5 months ago (1 children)

Yeah, I've had to wipe pixel devices the dirty way and it prompts (requires) your credentials to continue. Maybe it's a pixel exclusive, and others are getting it via a15?

[–] thequantumcog 2 points 5 months ago

No, its not exclusive. But FRP can be bypassed if you know the right tools.

load more comments (1 replies)
[–] Yamayo 13 points 5 months ago (3 children)

Edit: just checked. I can completely bypass all my locked down Google Pixel settings to factory reset my phone pretty easily if I press the right keys in the right order. It would be pretty easy to steal and resell my phone.

Mind to share what "Keys in the right order" are? I mean a link, of course, because in my experience you just can't do that with a locked bootloader.

load more comments (3 replies)
[–] [email protected] 10 points 5 months ago

AFAIK you can't wipe the IMEI and if you report it stolen to providers they will block it from using their networks. (It will only be able to use wifi.)

[–] [email protected] 6 points 5 months ago* (last edited 5 months ago) (2 children)

The encryption on Android devices is pretty strong, as long as you use a good screen lock you should be fine. Yes they can reset you phone, but accessing your data is a whole other level.

If I had illegal shit on my phone, I wouldn't send it to apple servers by using an iPhone. They are the first who would comply with a surpena. I'd use GrapheneOS on a Pixel and use an obvious duress pin like 1234. If entered it wipes your encryption keys and avoids restoring your data.

And if it gets stolen, it is gone and I'd get a new one. This is the cost of having proper opsec.

Edit:

But I also think that freedom allows for more exploits.

This is a common misconception called security through obscurity

load more comments (2 replies)
[–] [email protected] 6 points 5 months ago

Im pretty sure u cant fuck with a device that has a locked bootloader without unlocking said bootloader which requires u know the password. And u definatly cant recover data without passcode unless u can extract the hash from whatever chip holds it (shouldn't be possible if u have a tpm) and bruteforce it. Ur data should be encrypted and u shouldn't be able to tamper with os without unlocking bootloader which once unlocked will wipe all device data. Might be possible if u do some dodgy power injection directly into some of the chips but thats pretty advanced stuff.

[–] [email protected] 6 points 5 months ago (2 children)

Same for Samsung afaik. Pop into the bootloader and just wipe everything.

[–] [email protected] 11 points 5 months ago

AFAIK you can't wipe the IMEI and if you report it stolen to providers they will block it from using their networks. (It will only be able to use wifi.)

[–] Aceticon 4 points 5 months ago

If recently upgraded an old Samsung tablet (Tab A6 from 2016) to Lineage OS and not only do you have to remove the Google Account before flashing just the TWRP to be able to just start replacing the actual OS, but there is a configuration flag that can only be changed in the stock OS logged in to that Google Account and with Dev Mode enabled to, after you replace the OS, allow the custom OS to actually work (if you don't do it the device with the custom OS will go into a boot fail loop as soon as you restart it).

It was actually a PITA to do that upgrade of my own device because of that (I had to reinstall the old OS and log in to the old account just to toggle the "Allow OEM install" option after which I could install Lineage OS ... again ... without the device going into a boot fail loop on the first restart)

This is on a Samsung device that's almost 8 years old so it would be a bit strange if they went back on it since, especially as it's in the best interest of Samsung to make it hard for people to upgrade their devices away from the enshittified Samsung software.

[–] TrickDacy 3 points 5 months ago* (last edited 5 months ago) (4 children)

As everyone is pointing out you're just wrong about this.

Also apple is overbearing AF. I recently had several back and forths with my IT department about an old company mac laptop I used to have. Since I had signed into my apple account once, Apple permanently tied that laptop to my account and wouldn't allow the fucking IT department to fully wipe it.

Keep in mind also that I would have preferred to not have or use an apple account (they kind of force it on you, even asking you to login to iCloud constantly even if you've literally never used it once), and even though I could login to the apple account in my browser and see that the laptop wasn't listed under my devices, IT was still locked out.

Literally the only way to fix this was giving the IT dept my apple password so they could authenticate then sign out of it. There was nothing I could do remotely about it. This is a security issue in itself. Zero reason I shouldn't be able to use my account remotely to remove or sign that device out. Zero reason I should have to give my password to another human. Except for apple being shit.

The apple security theater is widely believed but it's still largely theater.

Edit: before you tell me I didn't have to give up my password, understand that I fucking know that. I could've driven to the office, told my employer to fuck off, had them ship the laptop, etc... all of which are things that shouldn't be necessary. I took the least shitty option at the time. Kindly fuck off if you are so dicksloppery on apple that you can't understand the obvious point: pretending every shit decision is about security doesn't shield you from all criticism.

[–] matthewc 13 points 5 months ago (29 children)

Your post details how it isn’t possible for IT professionals to wipe a Mac without the consent of the owner’s account. How is that security theater?

[–] [email protected] 2 points 5 months ago (2 children)

IT was the owner and obviously consented to their own actions.

You didn't read the post.

You pretty much MUST use paid mobile device management tools to set up and administer company owned Apple hardware, and those tools are notoriously annoying and often just bad

load more comments (2 replies)
load more comments (28 replies)
[–] Juvyn00b 3 points 5 months ago (2 children)

I get this as being a bit of a hurdle, but wouldn't a good option in hind sight be to create a separate work related apple account based on your work email? I've done that in the past with various companies for iPhones and MacBooks. Makes it cleaner to return the device and doesn't compromise my personal account should they ultimately need my credentials on the non-owned-by-me device.

load more comments (2 replies)
load more comments (2 replies)
[–] [email protected] 26 points 5 months ago* (last edited 5 months ago)

iPhones don’t do that on their own.

She said she activated lost mode, so it’s possible/likely she made her contact info available. Asking Siri who the phone belongs to will also give up contact info, but you can change that remotely from the find my phone app.

I think - being a writer - she sort of set herself up for the interaction so she would have material. No judgment, though. It was an interesting read.

[–] [email protected] 2 points 5 months ago

As far as I know factory resetting an android phone is relatively easy without having access to the device. But it's been a while since I've looked I hti that.

[–] [email protected] 2 points 5 months ago (2 children)

You can fairly easily factory reset phones from both. While you can report your phone as stolen and the IMEI will be blacklisted on US carriers, it would probably work fine abroad.

load more comments (2 replies)
[–] [email protected] 63 points 5 months ago (3 children)

Security yes, but privacy not so much...

[–] [email protected] 30 points 5 months ago (7 children)

If you’re talking about a stock Android OS on anything other than a Pixel, iOS wins in both regards. Stock on a Pixel, I don’t know that Apple is more secure, but if you’re installing apps via Google Play that use Google Play Services, iOS is certainly more private. Vs GrapheneOS on a Pixel, iOS is less private by far.

load more comments (7 replies)
[–] mholiv 25 points 5 months ago (10 children)

Compared to any android phone the privacy is substantially better. Apple is in the business of selling overpriced phones. Google is in the data collection business.

[–] [email protected] 16 points 5 months ago* (last edited 5 months ago) (4 children)

The issue here is that while baseline apple is more secure than baseline android, a user with knowledge or a guide can improve the android security by a lot, whereas the apple baseline is also the ceiling. There's stuff you can do with iPhones but if you don't trust apple, you are kind of fucked.

Android people that mention security won't be using a stock phone from the store, they will have disabled stuff, enables alternative stuff, or even installed a completely new android based OS, and this can't be done with iPhone or iOS.

[–] mholiv 13 points 5 months ago (1 children)

True. But for 99% of people baseline is what they use. Windows can be made very secure by experts but the fact is 99% of people just use windows as is.

[–] [email protected] 4 points 5 months ago (1 children)

100% agree, just take into account that most people you encounter on lemmy, specially on posts about security, are in that 1% that tweak stuff and if you throw blanked statements they will think you are talking to them specifically.

load more comments (1 replies)
load more comments (3 replies)
load more comments (9 replies)
load more comments (1 replies)
[–] [email protected] 8 points 5 months ago

What are you talking about, it's literally the same thing on Android. Also why the shilling out of nowhere?

[–] nutsack 7 points 5 months ago

they love bricked phones because it means one less for a secondhand market

load more comments (4 replies)