
ozaz

macrumors 68000
Original poster
Feb 27, 2011
1,615
577
We've probably all read the recent reports highlighting the ability of phone thieves to take over your Apple account if they have stolen your phone and spied your phone passcode (as well as the ability to access some biometric-protected apps which have chosen to use the device passcode as a fallback access point). My understanding is the same issue is present with Android phones and Google accounts.

There has been lots of discussion by iPhone users about minimising risk (e.g. use of a screen time PIN as an additional layer to protect the Apple account), but I haven't seen much discussion from Android users. I'm curious what steps (if any) Android users are taking to mitigate the impact of someone stealing both your device and device passcode?

I'm thinking I should probably move away from using Gmail as my primary email and stop using Google Drive if it's so easy for someone to take over my Google account. Perhaps also start using a secure folder app and install certain apps in there (any sensitive apps which don't have passcode protection that's independent of the device passcode). I'm aware of Samsung Secure Folder, but are there similar apps anyone would recommend for non-Samsung phones?
 

HouseLannister

macrumors 6502a
Jun 8, 2021
713
1,136
Instead of ditching Google services, ditch the simple passcode. Just set up a long password that would be hard to observe you entering. Multiple odd words all jammed together or something 1337-speak. If you setup biometrics, you will rarely need the password, so just don't make it something too simple.
 

LIVEFRMNYC

macrumors G3
Oct 27, 2009
8,877
10,987
Someone knowing your passcode is not an exploit, it's someone knowing your passcode. If someone knows that info on ANY platform, you're in trouble. Just do what HouseLannister mentioned and set up a long enough password. Passcodes are easy to glance at because of the giant numerical keypad that takes over the entire display. Passwords require the normal keyboard input, which is hard for someone to glance at.

Just use multi device or multi factor authentication with Google and you'll be fine.

Nothing beats Samsung's Secure Folder. All the other imitations on Android and iOS are just normal apps.
 

ozaz

macrumors 68000
Original poster
Feb 27, 2011
1,615
577
ditch the simple passcode

I agree this helps. But would still like to do more, or at least consider what else can be done to minimise risk/impact even further.

Just use multi device or multi factor authentication with Google and you'll be fine.

This doesn't help. I have 2-factor authentication enabled on my Google account, but can change my Google password with only my phone and phone pin/password.

Settings > Your Info > Manage your Google Account > Personal Info > Password > Forgot Password > Confirm your screen lock > Tap Yes on your phone or tablet

After following the above I was able to change my Google password. No separate device was needed.

Nothing beats Samsung's Secure Folder. All the other imitations on Android and iOS are just normal apps.

Is Samsung Secure Folder the only option for putting an app (i.e. not just files) inside a folder / environment that's protected using a method other than the screen pin/password?
 

LIVEFRMNYC

macrumors G3
Oct 27, 2009
8,877
10,987
This doesn't help. I have 2-factor authentication enabled on my Google account, but can change my Google password with only my phone and phone pin/password.

Settings > Your Info > Manage your Google Account > Personal Info > Password > Forgot Password > Confirm your screen lock > Tap Yes on your phone or tablet

After following the above I was able to change my Google password. No separate device was needed.

Yea, you're right. That's a major concern if someone has access to your phone's passcode/password. And it didn't even ask for any verification.

I didn't go through with the password change, but I suspect there's no notification on alternative email or popups on another device that asks if you changed the password tap Yes or No.

Major oversight IMO!!!!


Is Samsung Secure Folder the only option for putting an app (i.e. not just files) inside a folder / environment that's protected using a method other than the screen pin/password?

The Secure Folder is pretty much a separate OS. The only thing that's integrated is notifications if you choose. When Samsung first implemented it, you had to completely dual boot into it. But they made it much simpler now with the same protection and just called it Secure Folder.
 

ozaz

macrumors 68000
Original poster
Feb 27, 2011
1,615
577
I didn't go through with the password change, but I suspect there's no notification on alternative email or popups on another device that asks if you changed the password tap Yes or No.

Major oversight IMO!!!!

I tried it.

You do get notification on other devices and alternative email saying password has been changed. The email has the following content...

The password for your Google account **********@gmail.com was changed [1]. If you didn't change it, you should recover your account [2]. You can also see security activity at https://myaccount.google.com/notifications

Text in square brackets added by me.
[1]: Asterisks added by me. You actually see the full email address.
[2]: Has an embedded link to https://accounts.google.com/RecoverAccount

I didn't try a second recovery to see if the first could be revoked, but I imagine it's a lot of hassle.

The Secure Folder is pretty much a separate OS. The only thing that's integrated is notifications if you choose. When Samsung first implemented it, you had to completely dual boot into it. But they made it much simpler now with the same protection and just called it Secure Folder.

What do non-samsung secure folder apps provide? Just a place for files and not apps?
 

jamezr

macrumors P6
Aug 7, 2011
16,072
19,067
US
We've probably all read the recent reports highlighting the ability of phone thieves to take over your Apple account if they have stolen your phone and spied your phone passcode (as well as the ability to access some biometric-protected apps which have chosen to use the device passcode as a fallback access point). My understanding is the same issue is present with Android phones and Google accounts.

There has been lots of discussion by iPhone users about minimising risk (e.g. use of a screen time PIN as an additional layer to protect the Apple account), but I haven't seen much discussion from Android users. I'm curious what steps (if any) Android users are taking to mitigate the impact of someone stealing both your device and device passcode?

I'm thinking I should probably move away from using Gmail as my primary email and stop using Google Drive if it's so easy for someone to take over my Google account. Perhaps also start using a secure folder app and install certain apps in there (any sensitive apps which don't have passcode protection that's independent of the device passcode). I'm aware of Samsung Secure Folder, but are there similar apps anyone would recommend for non-Samsung phones?
As others have pointed out, 2-step authentication is your friend here. Turn on biometric authentication for everything. Then if someone steals your phone and your passcode....immediately change all your passwords. Freeze your credit file.
I routinely rotate my passwords to important things like financials and Google where people can try to steal identity-type things.
 

ozaz

macrumors 68000
Original poster
Feb 27, 2011
1,615
577
2 step authentication is your friend here

This does not stop someone changing your Google Password if they have access to one of your devices. As explained above, if they have access to your phone and phone password, they can change your Google Password by initiating a lost password reset from the phone. This does not need to be approved by another device even with 2 step authentication turned on.

2 step authentication only helps if someone has obtained your Google password (or attempts a password reset) but does not have access to any of your devices. In this scenario it prevents them logging into your Google account.
 

jamezr

macrumors P6
Aug 7, 2011
16,072
19,067
US
This does not stop someone changing your Google Password. As explained above, if they have access to your phone and phone password, they can change your Google Password by initiating a lost password reset. This does not need to be approved by another device even with 2 step authentication turned on.
Google has help for this:

Find, lock, or erase a lost Android device

There are a ton more help links here.

iPhone remote wipe is here.
 

floral

macrumors 65816
Jan 12, 2023
1,011
1,234
Earth
I don't get what this sudden surge of panic over passcodes and security is about... no lock is perfect and stuff like iOS/Android lock screens, Google/Apple ID accounts, and people looking to steal them, have existed for over a decade. People have had their accounts and/or phones stolen in the past, many times, and it was a well-accepted fact that having a strong password is encouraged. Why are so many people suddenly being paranoid and overcautious about it?
 

ozaz

macrumors 68000
Original poster
Feb 27, 2011
1,615
577
Google has help for this:

Find, lock, or erase a lost Android device

There are a ton more help links here.

iPhone remote wipe is here.

Just had a look through. None of these seem to address the vulnerability that someone can change your Google password with just your phone and phone password.

I don't get what this sudden surge of panic over passcodes and security is about... no lock is perfect and stuff like iOS/Android lock screens, Google/Apple ID accounts, and people looking to steal them, have existed for over a decade. People have had their accounts and/or phones stolen in the past, many times, and it was a well-accepted fact that having a strong password is encouraged. Why are so many people suddenly being paranoid and overcautious about it?

It's because a recent high-profile report at WSJ has got more people interested. Previous reports/discussions were pretty low-profile (limited to tech blogs). And it's a good thing more people are interested. The ability to change your Google or iCloud password with simply access to the phone and phone password is a pretty weak link that needs improving.
 

floral

macrumors 65816
Jan 12, 2023
1,011
1,234
Earth
It's because a recent high-profile report at WSJ has got more people interested. Previous reports/discussions were pretty low-profile (limited to tech blogs). And it's a good thing more people are interested. The ability to change your Google or iCloud password with simply access to the phone and phone password is a pretty weak link that needs improving.
That does make sense
 

compwiz1202

macrumors 604
May 20, 2010
7,389
5,746
Just had a look through. None of these seem to address the vulnerability that someone can change your Google password with just your phone and phone password.



It's because a recent high-profile report at WSJ has got more people interested. Previous reports/discussions were pretty low-profile (limited to tech blogs). And it's a good thing more people are interested. The ability to change your Google or iCloud password with simply access to the phone and phone password is a pretty weak link that needs improving.
And what's funny is people in the post about Apple said it's not so easy on Android, but guess they were wrong?
 

ozaz

macrumors 68000
Original poster
Feb 27, 2011
1,615
577
And what's funny is people in the post about Apple said it's not so easy on Android, but guess they were wrong?

I've just responded to some of those people in that thread. Who knows, maybe they have enabled some setting on their devices which prevents what I've described earlier in this thread 🤷‍♂️
 

LIVEFRMNYC

macrumors G3
Oct 27, 2009
8,877
10,987
This does not stop someone changing your Google Password if they have access to one of your devices. As explained above, if they have access to your phone and phone password, they can change your Google Password by initiating a lost password reset from the phone. This does not need to be approved by another device even with 2 step authentication turned on.

2 step authentication only helps if someone has obtained your Google password (or attempts a password reset) but does not have access to any of your devices. In this scenario it prevents them logging into your Google account.

Something I didn't think about before. Someone has to be already logged in to your account to change the Google password, that alone will trigger the device authentication since it's a log on from new device. That's when you'll get a pop up on your device and email giving you the option to tap Yes or No to new log on. But that's still not that secure, cause if you ignore it, the new device is still logged in.

The best way would be using a third party 2FA like Authy. Which is probably what jamezr is referring to, instead of relying on device authentication. I completely forgot I had Authy set with my main Google account. So even if someone had my password, they couldn't log in without the 2FA code.

I know Google has its own 2FA app as well. But I never tried it cause I heard it was buggy.
 

ozaz

macrumors 68000
Original poster
Feb 27, 2011
1,615
577
The best way would be using a third party 2FA like Authy. Which is probably what @jamezr is referring to, instead of relying on device authentication. I completely forgot I had Authy set with my main Google account. So even if someone had my password, they couldn't log in without the 2FA code.

But can you disable the ability of an Android device (which has your Google account signed into it) to act as one of the authentication factors?

I've connected an authenticator app to my Google account as a 2FA method, but it isn't used if I try to reset my Google password from an Android device which has my Google account signed in (which is what a thief might do). In this scenario the two factors that are used to reset the password are the stolen Android device (something owned) and the stolen device pin/password (something known).

Once the thief has reset the Google password they can then sign in anywhere because they then have possession of 2 factors which will enable signing into locations beyond the phone: something owned (the device) and something known (the new Google password).
 

compwiz1202

macrumors 604
May 20, 2010
7,389
5,746
But can you disable the ability of an Android device (which has your Google account signed into it) to act as one of the authentication factors?

I've connected an authenticator app to my Google account as a 2FA method, but it isn't used if I try to reset my Google password from an Android device which has my Google account signed in (which is what a thief might do). In this scenario the two factors that are used to reset the password are the stolen Android device (something owned) and the stolen device pin/password (something known).

Once the thief has reset the Google password they can then sign in anywhere because they then have possession of 2 factors which will enable signing into locations beyond the phone: something owned (the device) and something known (the new Google password).
Agree. Why give the 2FA to the device you are on? Maybe at least have some app that needs some unique code or PW that constantly asks?
 

LIVEFRMNYC

macrumors G3
Oct 27, 2009
8,877
10,987
But can you disable the ability of an Android device (which has your Google account signed into it) to act as one of the authentication factors?

I've connected an authenticator app to my Google account as a 2FA method, but it isn't used if I try to reset my Google password from an Android device which has my Google account signed in (which is what a thief might do). In this scenario the two factors that are used to reset the password are the stolen Android device (something owned) and the stolen device pin/password (something known).

Once the thief has reset the Google password they can then sign in anywhere because they then have possession of 2 factors which will enable signing into locations beyond the phone: something owned (the device) and something known (the new Google password).

If you're using a 2FA, even if someone is already in your phone and resets your Google account password, they still can't attempt any new log on unless they have the 2FA code.

I have the Authy app on my phone, but it's locked behind a PIN code. If I were to put the Authy app in Secure Folder, then that would be yet another layer and password they would need.
 

russell_314

macrumors 604
Feb 10, 2019
6,672
10,272
USA
Just had a look through. None of these seem to address the vulnerability that someone can change your Google password with just your phone and phone password.



It's because a recent high-profile report at WSJ has got more people interested. Previous reports/discussions were pretty low-profile (limited to tech blogs). And it's a good thing more people are interested. The ability to change your Google or iCloud password with simply access to the phone and phone password is a pretty weak link that needs improving.
I didn't realize this was a "feature" of Android as well. Someone mentioned that someone knowing your passcode isn't an "exploit" and they are correct. The exploit is the ability to change your account password with only knowing the passcode. This is clearly lazy security. At least make the person answer a security question.


At least on iPhone there seems to be a temporary fix till Apple decides to patch this. I suspect they will soon.
 