This is a very entertaining and educational article, giving insights into the methods used by thiefs to try and get access to your phone data.

I don’t like Apple but it’s great that their security is so good when it comes to this.

  • @[email protected]
    link
    fedilink
    English
    1907 months ago

    As much as I love my android phone, I have to admit Apple takes privacy and security much more seriously.

    • @[email protected]
      link
      fedilink
      English
      1007 months ago

      How so? A Samsung or pixel with default settings would also behave that way, possibly even more securely because it wouldn’t show the thieves your number.

      • @[email protected]
        link
        fedilink
        English
        62
        edit-2
        7 months ago

        I guess just anecdotally. I have a pixel 7, I’m pretty confident I could factory reset the device without 3rd party authentication. Also, from the tech channels I follow, I think I could recover my data if I forgot the password. Android has always felt more "free"and customizable, and I love it for that. But I also think that freedom allows for more exploits. It’s a trade off that’s worth it to me, personally. But if I had illegal shit to hide on my phone, I’d probably do it on an apple device.

        Edit: just checked. I can completely bypass all my locked down Google Pixel settings to factory reset my phone pretty easily if I press the right keys in the right order. It would be pretty easy to steal and resell my phone.

        • Midnight Wolf
          link
          fedilink
          English
          477 months ago

          If you do it the manual way - not unlocking the phone and doing it through settings - you can wipe it sure, but when you try to set it up it requires the prior Google account credentials to proceed. No creds, no passing go, just a shiny brick. It’s been like that for years.

          Also might I recommend you take a gander at GrapheneOS for more intense security capabilities than stock.

          • @[email protected]
            link
            fedilink
            English
            87 months ago

            Not sure about the latest Android version, but I managed to unlock and bypass a phone which had factory reset protection, and as far as I know a lot of vendors like Samsung have their own exploit available.
            Using this you can manage to get to the settings app (while still locked, waiting for the previous owners google account) and remove the account, add your own or disable the security.
            Done!

          • Midnight Wolf
            link
            fedilink
            English
            97 months ago

            Ding ding ding, I can confirm this. I thought it was for all devices, but I guess not.

        • @[email protected]
          link
          fedilink
          English
          16
          edit-2
          7 months ago

          As everyone is pointing out you’re just wrong about this.

          Also apple is overbearing AF. I recently had several back and forths with my IT department about an old company mac laptop I used to have. Since I had signed into my apple account once, Apple permanently tied that laptop to my account and wouldn’t allow the fucking IT department to fully wipe it.

          Keep in mind also that I would have preferred to not have or use an apple account (they kind of force it on you, even asking you to login to iCloud constantly even if you’ve literally never used it once), and even though I could login to the apple account in my browser and see that the laptop wasn’t listed under my devices, IT was still locked out.

          Literally the only way to fix this was giving the IT dept my apple password so they could authenticate then sign out of it. There was nothing I could do remotely about it. This is a security issue in itself. Zero reason I shouldn’t be able to use my account remotely to remove or sign that device out. Zero reason I should have to give my password to another human. Except for apple being shit.

          The apple security theater is widely believed but it’s still largely theater.

          Edit: before you tell me I didn’t have to give up my password, understand that I fucking know that. I could’ve driven to the office, told my employer to fuck off, had them ship the laptop, etc… all of which are things that shouldn’t be necessary. I took the least shitty option at the time. Kindly fuck off if you are so dicksloppery on apple that you can’t understand the obvious point: pretending every shit decision is about security doesn’t shield you from all criticism.

          • @[email protected]
            link
            fedilink
            English
            177 months ago

            Your post details how it isn’t possible for IT professionals to wipe a Mac without the consent of the owner’s account. How is that security theater?

            • @[email protected]
              link
              fedilink
              English
              11
              edit-2
              7 months ago

              You missed the part where I had to give my password to another human.

              Also, I wasn’t the owner, they are. Also, again, it makes zero sense to not allow me to sign it out remotely.

              Nothing is secure about a system designed so poorly you have to give out your password. That should never be needed.

              Not to mention, I never wanted or needed to sign in. I was just nagged to do so 100 times so I relented. Nothing about that means I own the device.

              • Fushuan [he/him]
                link
                fedilink
                English
                87 months ago

                I’m with you that you should be able to log out remotely, but this is more of a failure in the IT department. You should have been given a PC with the apple ID already introduced, with your company mail and some password. How would they even access your PC remotely for security udpwtes if they didn’t have access to your appeal id? Right, they didn’t. So they gave a computer they didn’t have remote access to, not properly configured, and then forced you to either move or give private information.

                • @[email protected]
                  link
                  fedilink
                  English
                  77 months ago

                  You are absolutely incorrect. They had remote access and I watched them use it in various ways. When troubleshooting issues they would login and move my mouse and use a virtual keyboard. They could install software remotely on a schedule.

                  Not sure why you’re under the impression that an apple account is required for remote management. There’s probably >5 different popular third party software solutions for that

                  The apple sign in is an extraneous unneeded piece that once they annoy you into it, it then becomes considered a sign of ownership, which I never considered, because why would I?

                  You are right that IT should’ve had a way of dealing with it better, but in their defense this may have been an anti-feature (asking a user to login to iCloud, a service they’ve never used once, is not a feature) added in an update, after they issued the laptop. It’s a small company, so I don’t fault them on it as much as the trillion dollar company with the goal of inflating their iCloud metrics by forcing users to login to it.

                  • Fushuan [he/him]
                    link
                    fedilink
                    English
                    27 months ago

                    Oh, I assumed that you would be forced to type your password or have enough rights to install stuff in a computer, be it in person or remotely, so I assumed that whatever 3rd party program they used required to have enough access, and that apple would use the apple id as a master password, given that it’s what is being used to lock down the device itself.

                    Well, yet another issue with apple lol, why add a ownership id if it’s not even what gives root access. Lmao.

                • @[email protected]
                  link
                  fedilink
                  English
                  47 months ago

                  I don’t have the type of position where that would be needed or considered appropriate. Why should I need to anyhow? A lot of people are missing the point here. Logging into a service (especially one I didn’t want or need but was harassed into doing it) should not unexpectedly be considered proof of ownership.

                  The scenario wasn’t that during os setup I was asked to login. And I wasn’t prompted with a warning that this could happen. What happened was every time I opened system settings for months it wanted me to login to iCloud and no matter how many times I refused it just kept asking.

                  • @[email protected]
                    link
                    fedilink
                    English
                    117 months ago

                    Nah - you’re complaining that you “were forced into handing your password to someone else” when there were at least six ways you could have avoided that:

                    • you gone to the computer,
                    • they send the computer to you,
                    • you remote in to the computer,
                    • you tell them “suck it, you should have blocked iCloud sign-in with MDM” or, as others mentioned,
                    • you sign out before handing the computer back or, my favourite,
                    • don’t sign in to personal accounts on work devices even if they bug you to.

                    Finally, we release devices like this all the time through our ABM account. It takes 5 days maximum. Your IT team led you up the garden path.

              • @[email protected]
                link
                fedilink
                English
                27 months ago

                my account

                I wasn’t the owner

                You are the owner. For Apple, your IT department is the thief.

                • Natanael
                  link
                  fedilink
                  English
                  27 months ago

                  You should finish reading the part where the company owned the device.

                  • @[email protected]
                    link
                    fedilink
                    English
                    27 months ago

                    The owner of the account owns the device. It’s a standard on all smartphones and tablets for the past 10 years.

            • Fushuan [he/him]
              link
              fedilink
              English
              47 months ago

              It’s more about the fact that they didn’t have a webpage in their apple account where they could remotely log out, and the IT department had the physical computer so they had to either move to the department or give the department their personal password, which is bogus. Being able to remotely log out of the computer doesn’t seem to be that big of an ask.

              I get thay the computer should remain locked if there’s no internet, but once the computer gain connectivity it should unlock if it was logged out in the user page.

              • @[email protected]
                link
                fedilink
                English
                27 months ago

                I see what you’re saying. I agree that users should be able to remove device locks remotely. You can with iPhones. Hopefully that moves to all devices.

                I still prefer this to not having the lock at all.

            • Natanael
              link
              fedilink
              English
              27 months ago

              IT was the owner and obviously consented to their own actions.

              You didn’t read the post.

              You pretty much MUST use paid mobile device management tools to set up and administer company owned Apple hardware, and those tools are notoriously annoying and often just bad

                • Natanael
                  link
                  fedilink
                  English
                  17 months ago

                  Read again - for most other devices there are cheap and often some free administration tools that small businesses can use. And for many devices they can just reinstall them. But for Apple devices pretty much everything is expensive or very limited.

          • @[email protected]
            link
            fedilink
            English
            37 months ago

            I get this as being a bit of a hurdle, but wouldn’t a good option in hind sight be to create a separate work related apple account based on your work email? I’ve done that in the past with various companies for iPhones and MacBooks. Makes it cleaner to return the device and doesn’t compromise my personal account should they ultimately need my credentials on the non-owned-by-me device.

            • @[email protected]
              link
              fedilink
              English
              47 months ago

              The thing is, I never expect logging into a service to immediately lock my device to that account. But I’ve since learned not to trust Apple’s login systems for this reason. So yeah, I won’t buy any other apple devices and any work machines will use a work account for everything like that

            • @[email protected]
              link
              fedilink
              English
              37 months ago

              I eventually did do that, but apparently at the time that I was nagged into iCloud for the 1000th time I was quite annoyed and just used my personal account like an idiot.

          • BeardedBlaze
            link
            fedilink
            English
            17 months ago

            Your “IT” could’ve literally do fresh install of MacOS. I’m not a fan of Apple, but that’s just silly.

            • @[email protected]
              link
              fedilink
              English
              27 months ago

              Pretty sure that’s what they were trying to do. I know for sure that on iPhones, if you ever sign in (which I think is required), wiping the phone doesn’t matter, it’s still locked to that account somehow – a ROM chip on the board stores the account info somehow I think? I think their computers work the same way now.

              On other systems, logging in means that: you’ve logged in. And you should be right: wiping the OS should always remove any login/account status. If Apple wants to provide some system like this for people worried about theft, cool, let them opt into it. But don’t force every user to.

        • @[email protected]
          link
          fedilink
          English
          147 months ago

          Edit: just checked. I can completely bypass all my locked down Google Pixel settings to factory reset my phone pretty easily if I press the right keys in the right order. It would be pretty easy to steal and resell my phone.

          Mind to share what “Keys in the right order” are? I mean a link, of course, because in my experience you just can’t do that with a locked bootloader.

          • @[email protected]
            link
            fedilink
            English
            27 months ago

            Enter recovery mode and choose factory reset. The specific key combination for your device may vary.

            • @[email protected]
              link
              fedilink
              English
              27 months ago

              You think we’re still in 2010? It’s been a while since you need to unlock the bootloader first. And no, you can’t do it with the device locked.

            • Quantum Cog
              link
              fedilink
              English
              2
              edit-2
              7 months ago

              This don’t work anymore, now they have frp protection which requires google authentication to the previous account after reset

        • @[email protected]
          link
          fedilink
          English
          137 months ago

          For what it’s worth, they’re trying to fix that with Android 15. Not sure if this is one of the features they’ll also be back porting to older phones too like this article briefly touches on, but either way it sounds like if you factory reset the phone, it can’t be set up again unless they know your login: https://www.wired.com/story/android-15-theft-detection-lock/

          Google says in a blog post, the company is adding four data protection features that can help keep your information locked down. The first stops your phone from being set up after a factory reset, unless the person knows your login details. “This renders a stolen device unsellable, reducing incentives for phone theft,” Google vice president Suzanne Frey writes.

          • Kevin
            link
            fedilink
            English
            97 months ago

            Doesn’t that already exist as the Factory Reset Protection (FRP) partition?

            • Midnight Wolf
              link
              fedilink
              English
              57 months ago

              Yeah, I’ve had to wipe pixel devices the dirty way and it prompts (requires) your credentials to continue. Maybe it’s a pixel exclusive, and others are getting it via a15?

              • Quantum Cog
                link
                fedilink
                English
                27 months ago

                No, its not exclusive. But FRP can be bypassed if you know the right tools.

            • @[email protected]
              link
              fedilink
              English
              27 months ago

              Honestly not too familiar with that. I imagine if they’re touting this as a new thing, FRP either does something different or was lacking compared to this in some way.

              Though it is Google, they could have just killed FRP in favor of this and added messaging features like they do with everything else

        • lurch (he/him)
          link
          fedilink
          English
          107 months ago

          AFAIK you can’t wipe the IMEI and if you report it stolen to providers they will block it from using their networks. (It will only be able to use wifi.)

        • Shadow
          link
          fedilink
          English
          107 months ago

          Same for Samsung afaik. Pop into the bootloader and just wipe everything.

          • lurch (he/him)
            link
            fedilink
            English
            117 months ago

            AFAIK you can’t wipe the IMEI and if you report it stolen to providers they will block it from using their networks. (It will only be able to use wifi.)

          • @[email protected]
            link
            fedilink
            English
            47 months ago

            If recently upgraded an old Samsung tablet (Tab A6 from 2016) to Lineage OS and not only do you have to remove the Google Account before flashing just the TWRP to be able to just start replacing the actual OS, but there is a configuration flag that can only be changed in the stock OS logged in to that Google Account and with Dev Mode enabled to, after you replace the OS, allow the custom OS to actually work (if you don’t do it the device with the custom OS will go into a boot fail loop as soon as you restart it).

            It was actually a PITA to do that upgrade of my own device because of that (I had to reinstall the old OS and log in to the old account just to toggle the “Allow OEM install” option after which I could install Lineage OS … again … without the device going into a boot fail loop on the first restart)

            This is on a Samsung device that’s almost 8 years old so it would be a bit strange if they went back on it since, especially as it’s in the best interest of Samsung to make it hard for people to upgrade their devices away from the enshittified Samsung software.

        • @[email protected]
          link
          fedilink
          English
          8
          edit-2
          7 months ago

          The encryption on Android devices is pretty strong, as long as you use a good screen lock you should be fine. Yes they can reset you phone, but accessing your data is a whole other level.

          If I had illegal shit on my phone, I wouldn’t send it to apple servers by using an iPhone. They are the first who would comply with a surpena. I’d use GrapheneOS on a Pixel and use an obvious duress pin like 1234. If entered it wipes your encryption keys and avoids restoring your data.

          And if it gets stolen, it is gone and I’d get a new one. This is the cost of having proper opsec.

          Edit:

          But I also think that freedom allows for more exploits.

          This is a common misconception called security through obscurity

        • Im pretty sure u cant fuck with a device that has a locked bootloader without unlocking said bootloader which requires u know the password. And u definatly cant recover data without passcode unless u can extract the hash from whatever chip holds it (shouldn’t be possible if u have a tpm) and bruteforce it. Ur data should be encrypted and u shouldn’t be able to tamper with os without unlocking bootloader which once unlocked will wipe all device data. Might be possible if u do some dodgy power injection directly into some of the chips but thats pretty advanced stuff.

      • @[email protected]
        link
        fedilink
        English
        28
        edit-2
        7 months ago

        iPhones don’t do that on their own.

        She said she activated lost mode, so it’s possible/likely she made her contact info available. Asking Siri who the phone belongs to will also give up contact info, but you can change that remotely from the find my phone app.

        I think - being a writer - she sort of set herself up for the interaction so she would have material. No judgment, though. It was an interesting read.

      • @[email protected]
        link
        fedilink
        English
        77 months ago

        As far as I know factory resetting an android phone is relatively easy without having access to the device. But it’s been a while since I’ve looked I hti that.

      • SeaJ
        link
        fedilink
        English
        47 months ago

        You can fairly easily factory reset phones from both. While you can report your phone as stolen and the IMEI will be blacklisted on US carriers, it would probably work fine abroad.

        • @[email protected]
          link
          fedilink
          English
          17 months ago

          For iPhones, if you have Find My turned on, you can’t activate the device without the iCloud password, unless the owner removes the device from their iCloud account. Which is what the scammers are trying to get her to do here.

          • SeaJ
            link
            fedilink
            English
            27 months ago

            Sorry. When I said “both,” I meant Google and Samsung. Apple definitely has better security, ocassionally to an annoying extent.

      • @[email protected]
        link
        fedilink
        English
        377 months ago

        Compared to any android phone the privacy is substantially better. Apple is in the business of selling overpriced phones. Google is in the data collection business.

        • Fushuan [he/him]
          link
          fedilink
          English
          17
          edit-2
          7 months ago

          The issue here is that while baseline apple is more secure than baseline android, a user with knowledge or a guide can improve the android security by a lot, whereas the apple baseline is also the ceiling. There’s stuff you can do with iPhones but if you don’t trust apple, you are kind of fucked.

          Android people that mention security won’t be using a stock phone from the store, they will have disabled stuff, enables alternative stuff, or even installed a completely new android based OS, and this can’t be done with iPhone or iOS.

          • @[email protected]
            link
            fedilink
            English
            157 months ago

            True. But for 99% of people baseline is what they use. Windows can be made very secure by experts but the fact is 99% of people just use windows as is.

            • Fushuan [he/him]
              link
              fedilink
              English
              47 months ago

              100% agree, just take into account that most people you encounter on lemmy, specially on posts about security, are in that 1% that tweak stuff and if you throw blanked statements they will think you are talking to them specifically.

        • Autonomous User
          link
          fedilink
          English
          6
          edit-2
          7 months ago

          Anti-libre software, iOS, bans us from proving its claims. Stop paying Apple to pre-infect our devices and spy on us too.

          My devices need libre software, not a business.

          • @[email protected]
            link
            fedilink
            English
            10
            edit-2
            7 months ago

            You are preaching to the choir.

            When it comes to privacy: GrapheneOS > iOS > android with Google.

            Android itself is good. It’s just android with Google that’s the problem. (Aka 99.999% of all android phones sold outside of China)

        • Natanael
          link
          fedilink
          English
          2
          edit-2
          7 months ago

          If you aren’t using the iOS lockdown mode, it’s not really that much more private. Most stuff is still not encrypted in iCloud without that on, and apps can still track much of what you do, and Apple has their own ad networks.

          Edit: has any of the downvoters actually read Apple’s (public!) security architecture documents?

      • @[email protected]
        link
        fedilink
        English
        357 months ago

        If you’re talking about a stock Android OS on anything other than a Pixel, iOS wins in both regards. Stock on a Pixel, I don’t know that Apple is more secure, but if you’re installing apps via Google Play that use Google Play Services, iOS is certainly more private. Vs GrapheneOS on a Pixel, iOS is less private by far.

        • Autonomous User
          link
          fedilink
          English
          147 months ago

          Apple is more secure… iOS is certainly more private.

          False, anti-libre software bans us from proving it’s claims.

          • @[email protected]
            link
            fedilink
            English
            207 months ago

            You think that Google Play Services is FOSS? Or that the version of Android on Samsung phones (as well as of most other Android phone manufacturers), including all baked in software, is FOSS?

              • @[email protected]
                link
                fedilink
                English
                137 months ago

                And when you’re comparing two closed source options, there are techniques available to evaluate them. Based off the results of people who have published their results from using these techniques, Apple is not as private as they claim. This is most egregious when it comes to first party apps, which is concerning. However, when it comes to using any non-Apple app, they’re much better than Google is when using any non-Google app.

                There’s enough overlap in skillset that pretty much anyone performing those evaluations will likely find it trivial to configure Android to be privacy-respecting - i.e., by using GrapheneOS on a Pixel or some other custom ROM - but most users are not going to do that.

                And if someone is not going to do that, Android is worse for their privacy.

                It doesn’t make sense to say “iPhones are worse at respecting user privacy than Android phones” when by default and in practice for most people, the opposite is true. What we should be saying is “iPhones are better at respecting privacy by default, but if privacy is important to you, the best option is to put in a bit of extra work and install GrapheneOS on a Pixel.”

      • Autonomous User
        link
        fedilink
        English
        47 months ago

        Anti-libre software, iOS, bans us from removing malicous source code. Don’t let this malware infect you.

    • cum
      link
      fedilink
      English
      107 months ago

      What are you talking about, it’s literally the same thing on Android. Also why the shilling out of nowhere?

    • @[email protected]
      link
      fedilink
      English
      87 months ago

      Don’t think Apple security is much better. I’ve read news before about insiders that will unlock stolen phones. They work closely with the criminals and it’s a more “professional” operation. Probably it’s not as easy as doing it for an android but having an iPhone and thinking that if someone steals yours it will just become a paperweight is wrong. Sadly

    • @[email protected]
      link
      fedilink
      English
      17 months ago

      Apple has the benefit of making everything themselves, down to the secure enclave processors and, as of some time also, the processor as a whole. They get to design their hardware, OS, software, ecosystem, all around security and it all plays together nicely.

      If you control everything, you can do whatever you want with it. Android phones being more of a mixed bag of different vendors making different parts of the phone, including the software components, makes this interplay much more difficult. It usually takes android quite some time before they catch up on the latest security concepts.

      • cum
        link
        fedilink
        English
        37 months ago

        It usually takes android quite some time before they catch up on the latest security concepts.

        Android exploits are considered more valuable and expensive because they’re harder to find. I don’t know where you are getting this information other than thinking it sounds correct in your head.