Handing over an Android smartphone for repair: security issues

Based on materials from Android Central

At the end of 2020, game designer Jane McGonigal stated that after she sent her Pixel 5a in for repair, someone hacked into the device and accessed her Gmail, Drive, backup email account and Dropbox, among other files, while the warning emails were redirected to the spam folder. In a December 2021 interview with The Verge, she said that the smartphone had been set up for a remote wipe, which was supposed to happen as soon as the device connected to the Internet. But someone still managed to bypass this reliable protection.

This frightening security breach has left a lot of people wondering whether it is safe at all to hand an Android phone over for repair.

A Google spokesperson later stated: “After careful investigation, we can confirm that the problem experienced by the user was not related to the RMA of the device” (RMA, Return Merchandise Authorization – returning low-quality or defective products to the manufacturer for repair, exchange or offset).

So in theory, you can still assume that it is safe to take your smartphone for repair to the manufacturer or an authorized third-party seller. However, the described incident highlighted the importance of resetting an Android smartphone to factory settings before taking it in for repair, if possible.

It’s easy for an attacker to use a Faraday cage to block access to the Internet or the cellular network, buying time to crack your password and gain access to your files before the remote wipe takes effect. Since the attacker has your phone in hand and has access to your mailbox, they can usually bypass two-factor authentication and gain full access to the contents of the smartphone. Of course, most service center specialists would never do this. However, we are talking about a potential risk.

So how do you prepare a broken or damaged Android phone for repair?

If the damage to the device is not critical and you still have access to its contents, then preparing the smartphone for repair is very simple. First of all, you should create a backup of the smartphone: synchronize your photo archive, save files to the cloud, and back up your contacts, correspondence, applications, settings and everything else that is of value to you.

Do you have an eSIM? If so, keep in mind that a factory reset may or may not remove it, and you don’t want an attacker to gain access to it. You will need to delete your eSIM profile, either manually or during a reboot.

Then you should reset the smartphone to factory settings. If you still have full access to your device, it will take a couple of minutes: look in the settings and find the item you need. Where exactly it is depends on which manufacturer shell (skin) your Android smartphone uses.

Finally, remove the SIM card from the device. It’s easy to forget about this, and in theory, someone could harm you by putting the SIM card in another phone and using it to pass two-factor authentication via SMS, even if you have erased all the data on the smartphone. Online accounts that do not use two-factor authentication, unfortunately, will remain vulnerable.

That’s all, you can hand over the device for service. If you did everything right, there should be no data left on your smartphone that could be stolen. Starting with Android 7, this OS uses file system-level encryption, which is extremely difficult to bypass. A factory reset should make data recovery next to impossible, even with a dedicated app.

Another small but important note: as soon as your smartphone is returned to you, do not forget to perform a factory reset again before starting the setup process. It’s unlikely that a repair technician would put malware on a smartphone before returning it to you, but a hard reset is guaranteed to remove it. When it comes to security, no precaution is excessive.

What to do if your Android phone is too damaged to factory reset?

It may happen that the screen of the smartphone is so damaged that it is impossible to operate the menu. In such a situation, or if your device refuses to turn on at all, it is much more difficult to protect your data from intruders. But all is not lost, and you have more options than you think.

Let’s say your phone turns on but you can’t use the touch screen. In this case, you can use a USB hub to connect a keyboard and mouse to the phone. This will give you access to all the settings of your smartphone, and you will be able to do everything described above: back up and reset to factory settings.

If you can’t access your smartphone’s OS at all, you can try resetting it to factory settings via recovery mode. To do this, you first need to turn off the device. If for some reason you cannot turn it off, let it discharge completely, then connect it to the power supply and leave it plugged in but turned off. You will then need to use a certain combination of buttons to enter recovery mode: press the power and volume down buttons on most stock Android devices, or the power and volume up buttons on a Samsung device. You will then be able to navigate to the Wipe Data/Factory Reset item using the Volume buttons and select it by pressing the Power button.

The solution above will delete your data and trigger the reset protection. This is a theft prevention measure that stops attackers from wiping and selling stolen phones without access to the corresponding Google account. This means that even an honest repairman will need your Google account password to log into your smartphone for verification purposes. This is not a problem if the damage is purely physical, but it limits the ability to check how well the device works after repair.

If the smartphone simply does not turn on, no matter what, then you cannot be 100% sure that an attacker will not gain access to your data. In this case, you should start by remotely wiping your phone. Follow the link, select your device and choose “Clear device”. This will ensure that data is deleted from the smartphone as soon as it connects to the Internet.

Unfortunately, as we see in McGonigal’s case, this doesn’t always work. Long before your smartphone needs to be repaired, it’s a good idea to set a strong password that can’t be cracked in a few tries. But if attackers do manage to crack it, they will have access to any password managers on your phone, to your mailbox where two-factor authentication confirmations arrive, and to all your personal photos and files.

From this point of view, the problem we are talking about simply becomes a matter of trust. If you send your phone directly to Google, Samsung or another manufacturer for repair, or go to an authorized service center, it is unlikely that they will try to access your files: their reputation is worth more to them. So remote wiping remains the way out.

Another way out is to make an appointment at a service center and ask an employee to fix the phone in front of you, so that nothing can be done behind your back. However, you may be told that service center policy does not allow repairs in front of outsiders. And, of course, this is not an option for those who have to send their smartphone somewhere for repair.

All in all, if you’re choosing between repairing a smartphone that’s too badly damaged to be wiped and reset, or just buying a new one, it is up to you whether to take the risk. In 99% of cases, no one will have either the desire or the ability to interfere with remote data erasure. On the other hand, you simply cannot guarantee that this will not happen.

Have you had to take your smartphone to a service center or send it for repair by mail? What have you done to protect your data? Share your stories.


Source: Mobile-review.com — Все о мобильной технике и технологиях by mobile-review.com.
