Google Pixel Xl 2 Security Against Firmware Attacks

With protests springing up beyond America, there’s a chance you may take your first interaction with law enforcement. Many demonstrators volition have their phones in-hand to film the action, which, sadly, could prompt an officer to need the device and any self-incriminating data it may contain. Earlier this happens, y’all should know there are tools at your disposal to protect your information in such situations.

These tips mostly involve tightening upward settings within Android, only there’s too a 3rd-party app that tin assist. Once you’ve implemented these tips, you can derail police force enforcement’south effort by keeping your telephone locked even while information technology’s in their possession. But nosotros’re not lawyers, then use these tips at your own discretion, as each circumstance is different.

Tip 1: Disable Biometrics in a Few Seconds

While biometrics do provide a not bad balance of security and convenience, they tin can be used against you when dealing with law enforcement. While a contempo ruling in the
Commune Court for the Northern District of California
deemed that constabulary forcing you to unlock your telephone with your fingerprint was a violation of the
4th
and
Fifth
Amendments, whether it stands in hereafter court hearing remains to be seen.

However, the refusal to give up your passcode has been upheld in both a
Pennsylvania
and a
Colorado
ruling. While a
Florida judge
has challenged its 5th Amendment protection, it is still the safer option.

In Android 9 Pie, Google introduced a feature known equally
Lockdown Fashion. Information technology isn’t enabled by default, so you will need to turn information technology on beginning. Once activated, you tin chop-chop lock your phone and disable biometrics with one button, leaving your Pin, pattern, or countersign as the only way to unlock your telephone. All-time of all, it just disables your fingerprint scanner (or secure facial recognition) once, so you don’t have to remember to plough off the characteristic afterwards your encounter.

If your phone is running an older Android version, there’due south another workaround: Just restart it. When yous reboot the phone, it volition require that your countersign, Pin, or blueprint is entered on the side by side unlock. In other words, biometrics will be temporarily disabled.

Tip 2: Use a Stiff Password

Piggybacking off Tip 1, the safest hallmark method offered by your phone is the alphanumeric password. With a
secure
password (which tin can exist up to 16 characters long), you can rest bodacious your phone won’t exist unlocked without your consent, as there are only too many possible combinations for law enforcement to gauge.

An eight-character countersign with no consecutive letters (or the use of mutual words or names) would take a estimator over five months to crack. Increase this to 16 characters and information technology would take several
millennia. Until Google implements the ability to require both the countersign and biometrics to unlock, this is the safest option to continue anyone (including police enforcement) out of your telephone. And with Lockdown Fashion, you will hardly ever have to employ it.

Tip 3: Disable Smart Lock

If yous’re using Android’s
Smart Lock
feature to make it easier to unlock your device, know that it’s a double-edged sword: Information technology also makes it easier for law enforcement to get into your telephone.

Especially the “On-Body Detection” setting, which keeps your phone unlocked when its move sensors observe that it has been continuously moving (in a manner consistent with a person walking) since the terminal time information technology was unlocked with a Pin, blueprint, or password. Thing is, if you get stopped while the phone’s in this unlocked state, the officer could take possession of your telephone and go on the on-body detection active past placing it on his or her person. They would then be able to unlock your phone with a simple swipe.

There’s also a slight risk with Smart Lock’due south “Trusted Places” setting. This keeps your phone unlocked in specific locations such as your dwelling house. If yous’re detained at one of these locations, officers could unlock your phone without your PIN, pattern, or password.

To disable all Smart Lock options, go to Settings –> Security –> Smart Lock, then choose each particular individually and disable the toggle switch on the subsequent screen. With Trusted Places, tap whatsoever locations, then choose “Delete.”

Tip four: Hibernate Notifications

While the lock screen does forbid law enforcement agents from accessing the contents of your telephone, it can potentially be a source of information even without admission to the rest of the phone. That is because, by default, our notifications (peculiarly messages) tin exist read — sometimes in their entirety — on the lock screen.

To change this behavior, open Settings and select “Security & location” (this may be labeled differently on your phone; if so, expect for an option with “Security” in the name). Choose “Lock screen preferences” and “On lock screen.” From the pop-upward, choose either “Hibernate sensitive content” or “Don’t testify notifications at all.”

If your phone comes equipped with a notification LED, nosotros would recommend choosing the latter, equally information technology offers the best protection. You’ll know about new notifications thanks to the blinking LED, only they volition never appear on your lock screen. Just without a notification LED, if your telephone is on silent, yous wouldn’t know you lot got a new message until the side by side time you lot unlocked information technology. In this instance, nosotros recommend choosing “Hide sensitive content.”

Alternatively, if your phone is on Android 9 or higher, yous can apply the
Lockdown Mode
choice equally a way of temporarily disabling all lock screen notifications in the event yous get pulled over or detained past law enforcement. In one case Lockdown Style is triggered, notifications won’t appear on your lock screen until the next time you unlock the device with your pattern, PIN, or password.

Tip 5: Keep Your Bootloader Locked

Android has a system of checks and balances to ensure that when it boots up, every slice of the operating organisation is even so secured. But it’due south also an
open
operating arrangement, and Google has gone to bang-up lengths to preserve this attribute.

To continue the door open for users who want to
root
while simultaneously hardening kick-up security, Google came upward with a organization that locks the kicking concatenation by default, but lets you lot use a two-function setting to unlock it if you want. One of these settings is inside the Android OS, the other resides outside of it in a pre-kick card called the
bootloader.

The setting inside Android is called
OEM Unlocking. The thinking here is y’all can only enable this option if yous’ve entered your pattern, PIN, or password to get into the Android OS. Therefore, if it’south been enabled, it was enabled by yous.

Once that setting is turned on from within Android, you can then boot into bootloader fashion and send
Fastboot
commands to unlock the bootloader. This will permit you lot to install unofficial software on the device, such equally
custom recovery
or a
custom ROM. In plough, these can help you gain root access to the telephone.

To make things even safer, the actual
human activity
of unlocking your bootloader automatically wipes all data on the device.

Merely hither’s the matter: If your bootloader is currently unlocked, law enforcement can hands install unofficial firmware on the device to bypass your lock screen and access your information.

The OEM Unlocking setting isn’t actually worth worrying near since that only allows the bootloader to be unlocked. If officers
did
unlock your bootloader, whatsoever data stored on your device would be deleted automatically.

But if y’all unlocked your bootloader
after
enabling OEM Unlocking — for example, if you
rooted your phone with Magisk
— information technology’s a good practice to go dorsum and
re-lock the bootloader once you’re done. Additionally, if you installed a custom recovery like
TWRP, you should make sure to countersign-protect the recovery menu.

Tip six: Use Cerberus

Cerberus
is a third-party app that offers all the features of Google’s
Find My Device
and much more. While it does take a monthly subscription, information technology is a much more complete security software than Find My Device. Because of Google’south policy change, Cerberus decided to
leave the Play Store
instead of disabling one of its key features. Therefore, y’all will need to download the APK from Cerberus’s website and sideload it to your device.

• 
  Download Cerberus (.apk) from Cerberususapp.com
  

In the instance the police take your phone, Cerberus lets you send SMS messages or use a browser to send commands to your phone. One command enables y’all to lock your phone with a lawmaking of your choosing that is carve up from your lock screen code.

And if y’all are worried law enforcement will be able to bypass your lock screen, you tin remote wipe your telephone using SMS commands (or through a browser) if you don’t await to get your phone dorsum. This way, even if they circumvent the other methods, there will be nothing on the phone for them to retrieve.

And if y’all are that worry about your lock screen passcode or gesture, delete your backups. For Android 9 Pie or later devices, the encryption is based on this lock screen authentication which means if they can crack your phone, they can access your backups. For older versions of Android, the backups are unencrypted so they tin can restore your device without any trouble. So it both cases, it makes more sense to remove the information.