Securing a Volla Phone against thieves
-
Hi,
Just got a Volla Phone with UBports pre-installed and am now in the process of setting it up (migrating from an older Aquaris 4.5 phone).
Any advice on how to improve security against data being read from the phone when it is stolen? My concern is mostly about cached emails in Dekko, address book, photos.
There is no micro-SD card installed, everything is on the local flash. Screenlock PIN configured.
How easy is it for an attacker to read from the internal flash? Developer-Options (adb etc.) seem to be disabled, and AFAICS the fastboot boot-loader does not directly allow data being read from the device? What would be the usual ways to retrieve data? By pushing some data-grabbing program via fastboot? How can that be hindered? Is it possible to lock or password-protect the fastboot boot-loader?
thanks for any hints,
cheers, Dave
-
Replying to myself: I think I asked a similar question in 2019 WRT a Google Nexus 5 phone. Re-reading those answers now, it seems like any security depends on the ability to "oem lock" the boot-loader. Is something like that possible for the Volla Phone? Unfortunately there does not seem to be much public documentation available about Volla phone internals, also I'm not at all knowledgeable about that topic...
-
No, sorry, on none of the Android phones can we lock the bootloader, as we are not able to sign our installation with the vendor keys. The bootloader normally refuses to boot an unsigned OS if it's locked; we cannot do much about it.
-
@flohack Tell me if I'm wrong, but the only solution would be full phone encryption, right?
-
@flohack We also install the UT image in the data partition, which gets wiped when locking the phone, so it will no longer even boot even if we did have signed stuff. Also also, many newer phones will actually brick if you try to lock the bootloader again, as it will refuse to boot the signed image and there won't be any way to unlock again.
-
@dobey There are some nice people who do soldering for that; they save me sometimes... with the TV sets, STBs and smartphones that had been hard-bricked by bad bootloaders / firmware.
-
So I accepted that I'll have to set up an encrypted home directory to have basic security.
This is not so simple on the Volla phone, due to kernel problems.
This thread has the ugly details.
-
@dave Not only that, how will you show a GUI to unlock it? That's a blocker: the data partition must be unlocked and accessible before Lomiri can be started properly. And you are sitting on an Android device where it might not be easy to get a simple framebuffer console...
-
@flohack yes I had similar reservations which kept me from trying this. However, looking at the recipes documented here (i.e. mostly the shell script fragments by @chrisc and @c4pp4), this looks quite doable.
They're just encrypting /home/phablet. After reboot /home/phablet is non-encrypted. You run a shell-script to replace it with a dm-crypt encrypted loopback block device and restart the lightdm session. Still quite cumbersome, but still better than no encryption at all.
Maybe adding a launcher as described here for running the crypto-mount script in the terminal will make this more practical.
I'm not yet done setting this up, as I was set back by that Mediatek related dm-crypt bug in the kernel that ships on the Volla Phone. But no real show-stoppers so far.
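-
The approach described in this thread (a dm-crypt container mounted over /home/phablet after boot, followed by a lightdm restart), as an added example that is not from any poster or from the linked thread. The container path, the mapper name, the `phablet` owner and the `systemctl restart lightdm` call are assumptions, and `cryptsetup` is assumed to be installed; the script prints its commands unless run as root with `DRY_RUN=0`.

```shell
#!/bin/sh
# Added example, not the scripts from the linked thread. Paths are assumptions.
IMG="${IMG:-/userdata/phablet.luks}"   # assumed container file, outside /home
NAME="${NAME:-phablet_crypt}"          # assumed device-mapper name
TARGET="${TARGET:-/home/phablet}"
DRY_RUN="${DRY_RUN:-1}"                # 1 = print commands only, 0 = execute

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# One-time setup: create the container file and a filesystem inside it.
create_container() {                   # $1 = size in MiB
    run dd if=/dev/zero of="$IMG" bs=1M count="$1" &&
    run chmod 600 "$IMG" &&
    run cryptsetup luksFormat "$IMG" &&
    run cryptsetup open "$IMG" "$NAME" &&
    run mkfs.ext4 "/dev/mapper/$NAME" &&
    run cryptsetup close "$NAME"
}

# After each boot: unlock, mount over the plaintext home, restart the session.
unlock_home() {
    if [ -e "/dev/mapper/$NAME" ] && grep -qs " $TARGET " /proc/mounts; then
        echo "already unlocked" >&2
        return 0
    fi
    run cryptsetup open "$IMG" "$NAME" || return 1   # prompts for passphrase
    if ! run mount "/dev/mapper/$NAME" "$TARGET"; then
        run cryptsetup close "$NAME"   # do not leave the volume mapped
        return 1
    fi
    run chown phablet:phablet "$TARGET" &&
    run systemctl restart lightdm      # assumption: systemd-based release
}

# Unmount and close the mapping again.
lock_home() {
    run umount "$TARGET" && run cryptsetup close "$NAME"
}

case "${1:-}" in
    create) create_container "${2:-2048}" ;;
    unlock) unlock_home ;;
    lock)   lock_home ;;
esac
```

Mounting over /home/phablet only hides the plaintext directory underneath, so data already stored there stays unencrypted on flash until it is moved into the container and removed from the original location.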