How-To Geek

HTG Explains: The Security Risks of Unlocking Your Android Phone’s Bootloader

Android geeks often unlock their bootloaders to root their devices and install custom ROMs. But there’s a reason devices come with locked bootloaders – unlocking your bootloader creates security risks.

We’re not advising against rooting and using custom ROMs if that’s really what you want to do, but you should be aware of the risks. For the same reason Android doesn’t come rooted, it doesn’t come unlocked – with more power come more risks.

Why Android Bootloaders Come Locked

Android devices come with locked bootloaders for a reason. It’s not just that carriers and manufacturers want to own your hardware and prevent you from installing custom ROMs on it – although they do – there are also good security reasons. Even Google’s Nexus devices, intended as developer devices, have locked bootloaders.

A device with a locked bootloader will only boot the operating system currently on it. You can’t install a custom operating system – the bootloader will refuse to load it.

If your device’s bootloader is unlocked, you will see an unlocked padlock icon on the screen during the start of the boot process.

Android Wipes Itself When You Unlock Your Bootloader

If you have a Nexus device like a Nexus 4 or Nexus 7, there’s a quick, official way to unlock your bootloader. As part of this process, Android wipes all data on your device. You get a device with an unlocked bootloader, but one that has none of your data on it. You can then install a custom ROM.

This is obnoxious to people who just want to root their device without going through a long setup process, but it’s an important security precaution. Your PIN or password protects access to your Android device, and unlocking the bootloader opens holes that allow people with physical access to your device to bypass your PIN or password.

Bypassing Your PIN or Password

If your Android phone has a standard locked bootloader when a thief gets their hands on it, they won’t be able to access the device’s data without knowing its PIN or password. (Of course, a very determined thief could crack open the phone and remove the storage to read it in another device.)

If your Android phone or tablet’s bootloader is unlocked when a thief gets their hands on it, they could reboot your device into its bootloader and boot your custom recovery environment (or flash a custom recovery and then boot that). From the recovery mode, they could use the adb command to access all the data on your device. This bypasses any PIN or password used to secure your device.

If you’re unlocking your device and want to protect against this, you could choose to enable Android’s encryption feature. This would ensure your data is stored in an encrypted form, so people wouldn’t be able to access your data without your encryption passphrase. However, even encryption can’t protect your data perfectly.

Bypassing Encryption With a Freezer

If your Android phone or tablet is running when a thief gets their hands on it, they could theoretically put the phone in the freezer for an hour before flashing a new operating system on it. We covered this when we explained how freezers and cold temperatures can bypass encryption – essentially, the encryption key remains in your device’s RAM for much longer if the RAM is cooled, and it can be extracted before it disappears.

In this case, an attack was carried out against a Galaxy Nexus that was placed in the freezer, and researchers were able to recover its encryption key. This attack was only successful because the Galaxy Nexus in question had an unlocked bootloader, so the researchers could flash an operating system onto it and use the new OS to dump the contents of the device’s RAM. If the Galaxy Nexus had a locked bootloader, this attack would not have been possible. It could theoretically still be possible to crack open the phone, remove its RAM, and read it in another device, but that becomes much more complicated.

Of course, you probably don’t need to worry about this too much. If you’re an Android geek installing custom ROMs and rooting your device for your own use, you probably aren’t going to be the target of a determined and skilled thief who wants to access the data on your device. If your device is stolen, it’s probably by someone who just wants to wipe the device and sell it.

However, Android’s bootloader comes locked for a reason. With Android phones being used by businesses and governments, a locked bootloader provides additional security protection against corporate espionage and other governments’ spies should a phone be stolen or lost.
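
For anyone managing devices, the two conditions this article describes (an unlocked bootloader and unencrypted storage) can be checked from the output of `adb shell getprop`. The following is an added example, not part of the original article; it assumes a build that reports the `ro.boot.flash.locked`, `ro.boot.vbmeta.device_state`, `ro.boot.verifiedbootstate` and `ro.crypto.state` properties (not every device reports all of them), and the sample dumps are constructed.

```python
import re

# `adb shell getprop` prints one "[key]: [value]" pair per line.
PROP_LINE = re.compile(r"^\[([^\]]+)\]:\s*\[(.*)\]$")

def parse_getprop(dump):
    props = {}
    for line in dump.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props

def bootloader_state(props):
    """Return 'locked', 'unlocked' or 'unknown' from whichever property is set."""
    flash = props.get("ro.boot.flash.locked")
    if flash in ("0", "1"):
        return "locked" if flash == "1" else "unlocked"
    vbmeta = props.get("ro.boot.vbmeta.device_state")
    if vbmeta in ("locked", "unlocked"):
        return vbmeta
    # Verified-boot colour: orange is reported for an unlocked bootloader.
    vb = props.get("ro.boot.verifiedbootstate")
    if vb == "orange":
        return "unlocked"
    if vb in ("green", "yellow"):
        return "locked"
    return "unknown"

def audit(dump):
    props = parse_getprop(dump)
    state = bootloader_state(props)
    encrypted = props.get("ro.crypto.state") == "encrypted"
    findings = []
    if state == "unlocked":
        findings.append("bootloader unlocked: a custom recovery can be booted")
    elif state == "unknown":
        findings.append("bootloader state not reported: check on the device")
    if not encrypted:
        findings.append("storage not encrypted: data is readable without the PIN")
    return {"bootloader": state, "encrypted": encrypted, "findings": findings}

# Constructed sample dumps (not captured from real devices).
LOCKED = "[ro.boot.flash.locked]: [1]\n[ro.crypto.state]: [encrypted]\n"
UNLOCKED = "[ro.boot.verifiedbootstate]: [orange]\n[ro.crypto.state]: [unencrypted]\n"

if __name__ == "__main__":
    for name, dump in (("locked", LOCKED), ("unlocked", UNLOCKED)):
        print(name, audit(dump))
```

A device that reports an unlocked bootloader and unencrypted storage matches the PIN-bypass scenario described above; an unlocked but encrypted device is still exposed to the cold-boot case if it is seized while running.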

Image Credit: Johan Larsson on Flickr

Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry. Connect with him on Google+.

  • Published 04/4/13
