With Android Lollipop … I repeat, Android 5.1, Google revealed that it was releasing a new feature for handsets called Device Protection. This anti-theft feature makes it basically impossible for a thief to use your phone in the event it is stolen and wiped.
Even though this protection feature is enabled by default by Google in all 5.1 releases of the source code, not all custom ROMs implement it. I always try my best to enable this feature by default, but sometimes missing libraries, a Google framework hacked by the vendor, or my lack of knowledge of some SoC chipsets are among the many reasons why Device Protection cannot be achieved. Otherwise, it should already be ready to use.
Activating and using Device Protection
Activating Device Protection actually requires almost nothing from you. Here are the prerequisites for it to function, though:
- Android 5.1 with the Device Protection framework installed
- Secured lock screen (PIN, pattern, or password all work)
- Signed into at least one Google account on the device
If you already meet these requirements and are running Android 5.1 with Device Protection framework enabled, congratulations, you already have Device Protection. But how do you know you have it? There actually aren’t any management settings for Device Protection anywhere exposed to the user, so figuring out how to check the status of the feature on your device isn’t immediately obvious.
The easiest way to check is just to go to security options in settings, and then switch your lock screen from a secure to non-secure (swipe or none) mode. At this point, you should get a dialog that looks like this.
If you don’t get that dialog, you probably don’t have Device Protection enabled.
How does Device Protection protect my device?
Let’s break this down into subsections, because there are multiple ways in which Device Protection can keep you secure.
What if I factory reset the device to flash a new custom ROM?
Many users ask this: why, after flashing a new custom ROM, does the Setup Wizard always prompt for a Google account login and need an internet connection to get through? When there is no SIM card (no 3G data), the Wi-Fi network chooser cannot be skipped. Is this normal?
YES, that is normal and expected. Simply put, if you already had a Google account on the device and you factory reset it without deleting the account first, the device treats you as a thief. Why? This is part of Google's Device Protection mechanism against a thief who tries to reset the device from recovery or re-flash it with a stock ROM. Not even a custom ROM can bypass this protection mechanism, since it puts a flag in a protected area on the device that cannot be erased easily, and the device always tries to re-authenticate with Google's servers once you reset it.
So, if you're coming from a stock ROM where you were already logged in to your Google account and you then factory reset the device to flash a new custom ROM, you will need to supply the last Google account and password to get in, period.
Otherwise, you can delete your Google account first (this is needed to release the protection lock) before flashing the new custom ROM; you will then not be prompted, and the Setup Wizard will not demand an internet connection. The same applies if you want to sell the device someday: remove all the Google accounts from the device, or you will get many phone calls from the buyer, who cannot use the device because they can never get past the Setup Wizard screen.
What if I factory reset the device because I forgot my Google password or the lock pattern?
Well, in this case there is no difference between you and the thief. The thief also doesn't know the owner's password and really hopes that factory resetting the device will erase everything so they can use the stolen device for their own purposes.
C'mon dude, this is 2016; you must be smarter than that, right? 🙂 Nobody will believe that kind of dumb alibi; everybody knows the motive. 🙂
Okay, so, if you really are the owner, consider resetting your Google password from the web; otherwise … dead end.
Read also the article below, which I took from the Android Police blog; they explain it in much better detail than I do:
What if someone steals my phone and tries to wipe it?
Put simply, Device Protection makes wiping your phone after it is stolen or otherwise taken out of your custody a bad idea for would-be thieves. A factory reset initiated from recovery on a device with Device Protection will successfully erase the device, but at that point something new happens: in order to boot the OS, Android will require you to connect to the internet and then enter the account password of the last Google account on the Android device. If you have multiple accounts on the device, it should default to the “primary” Google account on your device, which is typically the one you signed into first. Regardless of which it chooses, you should know the passwords to all your synced Google accounts if you want to use Device Protection.
Basically, Android is likely storing a cryptographic key (or something similar) on a secure area of the device which survives resets that is decrypted by a key sent from Google (an internet connection is required to re-authorize the device) once you submit your login credentials. If the thief can’t enter the account password, the device will never fully boot, making the stolen hardware worthless for anything but spare parts (and who wants used phone parts?).
What if my phone is stolen and the thief can get past the lockscreen?
Let’s say a thief steals your device but the lock screen isn’t active (eg, you were using trusted Bluetooth when it was snatched or a long screen lock timeout). Can’t the thief just go in and remove your Google accounts, thereby disabling Device Protection? Nope. While the device will allow you to remove all but one Google account in settings without any sort of extra authorization, when you attempt to remove the last Google account on the phone or tablet, you will be asked to verify your PIN, pattern, or password.
Any phone or tablet with Device Protection will also require you to enter that PIN, pattern, or password any time you want to add a new Google account to the device (or initiate a factory reset from inside the OS). This is so that a thief can’t add their own Google account to the device and then remove yours so that they know the Device Protection password.
The downside, of course, is that a thief still has access to all your stuff as long as they don’t let the screen lock, which is bad, and could allow them to do things like reset your Google password since your mobile phone is likely the device you’ve linked to Google for 2-factor password recovery authentication. This leads us to the next “what-if.”
What if a thief knows my Google password / successfully resets it?
This is obviously a worst-case scenario, but Google does give you some protection here. The moment your Google account password is changed, Device Protection starts a 72-hour timer on your protected device. For that 72 hours, if the device is wiped, the account in question cannot be used to sign into / unlock the phone. Here, by the way, is what the sign-in UI after a wipe now looks like (this example uses 2-factor authentication).
This may sound a bit random, but remember: removing a Google account from the device itself (and thus disabling protection) requires your PIN, pattern, or lock screen password. A thief is unlikely to guess this (if they do, you’re, as we say in the business, screwed). This means if a thief changes your Google password, you’ll have 72 hours to get control of your account back and prevent them from signing into the wiped phone. If they successfully sign in after a wipe, Device Protection is disabled, so this three-day buffer is potentially quite important.
Does Device Protection help me get my phone back?
No. Android Device Manager is still the tracking and remote wipe tool (web interface here) you should use for this, and Device Protection does not actively integrate with this service so far as I can tell. And yes, if you wipe your phone in ADM, you will still not be able to locate it after the reset completes. Device Protection will survive a remote wipe, but Android Device Manager still will not, and you will lose your phone’s location. Additionally, if a thief performs a factory reset from recovery, Android Device Manager will not survive that, either.
Device Protection is a deterrent and lockout tool; it does not provide any location or remote access functionality.
So, is Device Protection actually any good, then?
Device Protection supplements the existing Android security features (Android Device Manager) nicely in that its existence should be a much stronger deterrent to phone thieves. However, it still does require you use a secure lock screen, and many people don’t. So those devices will still be unprotected, sadly. It kind of baffles me that Google can’t simply use your Google account password as the authenticator for removing Google accounts or performing factory resets as opposed to forcing you into a PIN/pattern/password lock, but that’s probably because they want you securing the lock screen (and thus your data) in the first place.
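The rules described above (credential checks on account changes, the flag that survives a recovery reset, and the 72-hour hold after a password change) can be put into a small Python model. This is an added illustration, not Google's implementation or code from either article; the names Device, frp_account, setup_sign_in and the rest are made up for the example, and it assumes the first account added is the "primary" one.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HOLD = 72 * 3600  # seconds an account is held after a password change


@dataclass
class Device:
    lock: Optional[str] = None                 # None models swipe/none
    accounts: List[str] = field(default_factory=list)
    frp_account: Optional[str] = None          # hypothetical flag that survives a wipe

    def protected(self) -> bool:
        # Prerequisites from the article: secure lock screen + a Google account.
        return self.lock is not None and bool(self.accounts)

    def _sync(self) -> None:
        # Assumption: the first account signed in is the "primary" one.
        self.frp_account = self.accounts[0] if self.protected() else None

    def add_account(self, name: str, lock: Optional[str] = None) -> bool:
        if self.protected() and lock != self.lock:
            return False                       # lock-screen credential required
        self.accounts.append(name)
        self._sync()
        return True

    def remove_account(self, name: str, lock: Optional[str] = None) -> bool:
        is_last = self.accounts == [name]
        if is_last and self.protected() and lock != self.lock:
            return False                       # only the last removal is gated
        self.accounts.remove(name)
        self._sync()
        return True

    def recovery_reset(self) -> None:
        # Wipes user data; the protection flag is deliberately left in place.
        self.lock, self.accounts = None, []

    def setup_sign_in(self, name: str, password_ok: bool, online: bool,
                      now: float, pw_changed: Dict[str, float]) -> bool:
        """Setup Wizard check after a wipe; pw_changed maps account -> time."""
        if self.frp_account is None:
            return True                        # no flag set, nothing to verify
        held = now - pw_changed.get(name, float("-inf")) < HOLD
        if not (online and password_ok and name == self.frp_account and not held):
            return False
        self.frp_account = None                # successful sign-in lifts protection
        return True
```

Removing the last account with the correct lock-screen credential before a reset clears the flag in this model, which is why the Setup Wizard then lets a new owner through without the previous account.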