So, after all of the work I've done I figured I'd post my findings here as there are others in the same situation with their own devices accessing corporate networks.
Before I start, some notes.
You will likely have to do a wipe, sorry but after you'll be good to go for awhile.
I've been having issues with Airwatch MDM since its inception at my place of employment. I prefer to do a few root level things such as the tethering hack for Sprint, changing my MAC and backups.
Found a few things with Airwatch MDM so far - It looks for certain APKs but doesn't try to SU Access. Some of the apks it hits on of course is SuperSU/Superuser and oddly enough, APPquarantine (There were some subversion methods used by this).
So, I found that getting past Airwatch while having root, is *impossible*, I've been reading and keeping up with anything Airwatch related on here and the net in general.
BUT... Temporarily rooting/unrooting isn't out of the question. If you've never unlocked your bootloader, you will have to wipe, sorry. So far, getting root has been done with TWRP and utilizing SuperSU - this will not work with Superuser.
On a clean install - do what you normally need to do to install/enroll airwatch without root at first. Likely it will be the encryption and setting a password (protip: You can change it back to pin after full registration and Airwatch does NOT catch it.) Go ahead and get it all registered, enrolled and the good stuff. Make sure you are getting your email and everything through.
One you've established this - go ahead and root using SuperSU.
Airwatch will flip its flags and you will now have a compromised device BUT - you now have root.
What did I do with this? I added a new entry to the "global" table called "tether_dun_required" with a value of 0 in the /data/data/com.android.providers.settings/databases/settings.db file with SQLLife Editor.
Sprint tethering works with a rooted device, doh.
Here is the fun part.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Use this - reboot - enroll back into Airwatch - walla - You now have a Airwatch compliant phone with the tethering addition that required root.
All you have to do to get back to this is flash SuperSU - rinse and repeat.
I know SuperSU's method is known but on the Airwatch subversion, not so much. This may work for other MDM software.
bypass Airwatch
Hi,
I'm a new XDA user, I need your support for an issue related to airwatch, sure you know it very well...
I hope this position is correct for my question....
I'm an employee in a commercial company. I received a samsung S4 with the company SIM, with installed airwatch + notes traveller for reading emails, calendars and so on...
I have also my personal phone, with my personal SIM; it is a bluebo B6000 (chinaphone 5.7" quadcore, not bad!) that is dual sim
What I'm tryng to do is having just one Smartphone to bring back with me every day. So I want to leave the S4 in a drawer and use my bluebo B6000 both for work and personal use (I Know you think I'm crazy to choose B6000 Vs a brand new SG S4, but having 1 device is much better for me!)
Now the problem... AIRWATCH.... I want to make believe to airwach that the B6000 is a galaxy S4...
...what does airwach control? and what I've done to get this:
- phone model --> modified in build.prop file wit the one of galaxy S4
- IMEI --> modified with mobile uncle... but....dual sim = two IMEI... Are these IMEI in the same register position of a normal single SIM?
- root --> I've made all the changes above, and after I've unrooted the phone... Did I had to make a full wipe before unrooting??
nevertheless, the result is the phone is 'compromised'...
I'm missing some airwatch control.... but I can figure out which one!
Any Idea to help me??
Thanks a lot!
PS: Sorry for my bad english
what the heck is airwatch?? never even heard of it..
Have you tried to use Xposed framework with the RootCloak module installed? This "should" hide root from Airwatch.
No Luck
Mordeth_0 said:
Have you tried to use Xposed framework with the RootCloak module installed? This "should" hide root from Airwatch.
Click to expand...
Click to collapse
Well, i tried RootCloak module. No luck. This Airwatch seems to be very intelligent.
For those wondering; AirWatch is a really crappy Enterprise email system that employers use for email data security. Much like "Good For Enterprise", but less features and more battery drain. My company switched from Good for Enterprise to AirWatch because the licenses are much cheaper.
I am running Lollipop Dream by @upndwn4par (fully rooted; T-Mobile service) and just created a new user on the device. Set up a new Gmail account, and voila; my primary user account has full root, all my goodies, and the secondary user account has AirWatch. It does show the device as "compromised", but I don't own this phone so I don't care. I get all my work email and still have my root setup on the primary user account. I also noticed that the LED indicator works to notify me of emails regardless of which account is active on the device.
It does suck having to switch back and forth, but I'm at least glad to be able to still use this device with my favourite ROM and root level apks. Also, to anyone who had suggested it, I don't believe Xposed works on Lollipop, but someone smarter than me can expound on that topic...
orlzzt said:
For those wondering; AirWatch is a really crappy Enterprise email system that employers use for email data security. Much like "Good For Enterprise", but less features and more battery drain. My company switched from Good for Enterprise to AirWatch because the licenses are much cheaper.
I am running Lollipop Dream by @upndwn4par (fully rooted; T-Mobile service) and just created a new user on the device. Set up a new Gmail account, and voila; my primary user account has full root, all my goodies, and the secondary user account has AirWatch. It does show the device as "compromised", but I don't own this phone so I don't care. I get all my work email and still have my root setup on the primary user account. I also noticed that the LED indicator works to notify me of emails regardless of which account is active on the device.
It does suck having to switch back and forth, but I'm at least glad to be able to still use this device with my favourite ROM and root level apks. Also, to anyone who had suggested it, I don't believe Xposed works on Lollipop, but someone smarter than me can expound on that topic...
Click to expand...
Click to collapse
Pretty cool trick.
My employer uses TouchDown for work email. Not cheap, but the app doesn't care about root, etc.
And yeah, no Xposed for Lollipop yet. Hopefully someday...
Any updates on rooting after installing AirWatch?
orlzzt said:
For those wondering; AirWatch is a really crappy Enterprise email system that employers use for email data security. Much like "Good For Enterprise", but less features and more battery drain. My company switched from Good for Enterprise to AirWatch because the licenses are much cheaper.
Click to expand...
Click to collapse
Actually, Airwatch is a Mobile Device Management suite, used by enterprise IT departments to manage their devices. More specifically, their security. What you're doing is bypassing their security measures this way.
NeoS said:
Actually, Airwatch is a Mobile Device Management suite, used by enterprise IT departments to manage their devices. More specifically, their security. What you're doing is bypassing their security measures this way.
Click to expand...
Click to collapse
Yes, I stand corrected. I was unfamiliar with the term "MDM", but I have been educated. In any event, I am not able to keep my Nexus 5 rooted any longer due to the AirWatch security. If anyone figures out a way to beat it. I will buy you a "Pliny the Elder".
AFAIK, in Android, under settings > security > Device management (sp?) you can see Airwatch there. If you're lucky, the Admin hasn't set the policy to grey out the option to disable it.
NeoS said:
AFAIK, in Android, under settings > security > Device management (sp?) you can see Airwatch there. If you're lucky, the Admin hasn't set the policy to grey out the option to disable it.
Click to expand...
Click to collapse
I would imagine that doing so would cause AW to fail.
Yeah, I have the Droid Turbo and it came with Airwatch installed. I was used to Touchdown where I had my device rooted and never had an issue. I had this Droid temp rooted with Kingroot for less then a week before it deactivated my account. IT called me up like I just hacked into the company data base. He refused to give me the QR Code (for obvious reasons) but my OCD is not happy and I want to root this thing more now than ever. There is a bootloader unlock that just came out but I know if I do this again and they catch it I'll be written up. So as of right now is there any kind of work around without wipe? And does anyone have any additional info on Airwatch?
Any updates on this, was just forced to install this airwatch.......
orlzzt said:
For those wondering; AirWatch is a really crappy Enterprise email system that employers use for email data security. Much like "Good For Enterprise", but less features and more battery drain. My company switched from Good for Enterprise to AirWatch because the licenses are much cheaper.
I am running Lollipop Dream by @upndwn4par (fully rooted; T-Mobile service) and just created a new user on the device. Set up a new Gmail account, and voila; my primary user account has full root, all my goodies, and the secondary user account has AirWatch. It does show the device as "compromised", but I don't own this phone so I don't care. I get all my work email and still have my root setup on the primary user account. I also noticed that the LED indicator works to notify me of emails regardless of which account is active on the device.
It does suck having to switch back and forth, but I'm at least glad to be able to still use this device with my favourite ROM and root level apks. Also, to anyone who had suggested it, I don't believe Xposed works on Lollipop, but someone smarter than me can expound on that topic...
Click to expand...
Click to collapse
Hi Thanks will try this. However, I have one question. When you said that your device shows as "compromised", does it still allow you to access the mails? My understanding was that once the phone is compromised, you cannot have any level of access?
cluttered_butter said:
Hi Thanks will try this. However, I have one question. When you said that your device shows as "compromised", does it still allow you to access the mails? My understanding was that once the phone is compromised, you cannot have any level of access?
Click to expand...
Click to collapse
After my company fully installed the AirWatch program, it would not allow me to use the device. I had to unroot and return to stock. This is the "beauty" of Air Watch.
I miss Good.
orlzzt said:
After my company fully installed the AirWatch program, it would not allow me to use the device. I had to unroot and return to stock. This is the "beauty" of Air Watch.
I miss Good.
Click to expand...
Click to collapse
That is sad. I'd rather just keep away from Airwatch than compromise root!
Is there any way to use this to enable NFC if the AirWatch security policy denies it? It sounds like that's essentially what OP did to enable tethering, I just don't know how to make it work with NFC. I somehow had NFC working with AirWatch (as well as USB debugging), but alas, I had to wipe my phone and I lost that ability when I put AirWatch back on.
Hi,
My company started using AirWatch MDM to allow corporate mail access.
I really need the access but I really want to stay with my rooted ROM as well (Galaxy S7 SuperMan, but its a global problem).
I tried to install unWatch xposed module but with no luck.
I tried RootCloak Plus but with no luck.
Please, how to solve this issue?
My new company uses Maas 360 MDM and I was facing the same issues. I've basically had to end up using a non-rooted / locked bootloader phone. So far its been not as bad as I thought it would have been (but yes, I do miss certain things).
Related
Hey all. I tried syncing my university outlook account to my phone and the server requested literally FULL CONTROL over the device. I'm talking everything from camera functions to having the ability to erase my phones data.
Naturally, this poses as somewhat of a threat to me but I really need that account on my device. Does anyone know how to revoke the outlook server's administrative rights, perhaps via app ops?
QUICK UPDATE: it's asking me to encrypt my phone or else the native email app which I synced it to will not run. Can anyone stop this as well?
Sent from my SM-G900A using XDA Free mobile app
abraxo said:
Hey all. I tried syncing my university outlook account to my phone and the server requested literally FULL CONTROL over the device. I'm talking everything from camera functions to having the ability to erase my phones data.
Naturally, this poses as somewhat of a threat to me but I really need that account on my device. Does anyone know how to revoke the outlook server's administrative rights, perhaps via app ops?
QUICK UPDATE: it's asking me to encrypt my phone or else the native email app which I synced it to will not run. Can anyone stop this as well?
Sent from my SM-G900A using XDA Free mobile app
Click to expand...
Click to collapse
these policies are set by the university exchange administrators and can be over-wrote by mods (However, i highly recomend against it, some mods just aren't worth the security holes they create) I know it sounds like big brother taking over but it is the responsibility of the exchange admin to maintain security control over the exchange environment. if you were to remove the security and something detrimental happened i.e. the U got hacked and it was traced back to your account well the results would be not in your favor.
that being said the control and requirements are granular to an extent your exchange admin should remove the ability to control any aspect of your device except the specific email account you are reffering to.
cstayton said:
these policies are set by the university exchange administrators and can be over-wrote by mods (However, i highly recomend against it, some mods just aren't worth the security holes they create) I know it sounds like big brother taking over but it is the responsibility of the exchange admin to maintain security control over the exchange environment. if you were to remove the security and something detrimental happened i.e. the U got hacked and it was traced back to your account well the results would be not in your favor.
that being said the control and requirements are granular to an extent your exchange admin should remove the ability to control any aspect of your device except the specific email account you are reffering to.
Click to expand...
Click to collapse
But would you say it is worth encrypting the device? Way I see it, there isn't too big of a difference between a pass code and encryption except for the fact that you can't undo the latter without a factory reset. Is there a way to at least bypass that or do you recommend going through with the device encryption anyway?
Sent from my SM-G900A using XDA Free mobile app
abraxo said:
But would you say it is worth encrypting the device? Way I see it, there isn't too big of a difference between a pass code and encryption except for the fact that you can't undo the latter without a factory reset. Is there a way to at least bypass that or do you recommend going through with the device encryption anyway?
Sent from my SM-G900A using XDA Free mobile app
Click to expand...
Click to collapse
are they requiring device encryption or email encryption? the law firm where i work requires that all email on the device be encrypted but do not enforce device encryption.
My personal opinion is im fine with the email encryption but when they tell me my whole device requires it thats where they cross the line, access to my email is not that crucial that im willing to encrypt my whole device.
ultimately the decision is yours.
I know nothing about any of this so bare with me guys/gals please. Just need help once and ill remove my account. If any of you feel like im wasting your time then please tell me and ill remove my post. Thankyou and i hope someone will give me an idea of whats going on.
Friends ex girlfriend is remotely accessing his phone from her computer, she can lock him out and write text out of format on the lock screen. She has deleted everything on his phone 8 times in the past hour. The Verizon recovery app has been disabled, we went into the Verizon store and changed EVERYTHING, number, passwords, made sure if she ever called in wanting info she couldn't get it. There is no way she figured out any of the passwords, she doesn't have access to any of his accounts, gmails facebook etc... i thought for sure she was using the recovery app but that's impossible cause no account has been created to access to his phone. Idk guys like i said im not an expert one thing that has me most skeptical she can write whatever she wants, whatever color, on his phone on any spot on the screen. Its completely out of set text formations on the lock screen looks like doodles i guess. Just curious if you guys have have ever heard of anything like this happening before. Thanks and i apologize if this shouldn't be here just on a desperate attempt to figure this out. Verizon is completely stumped they have no idea how she does it, even the main tech guy at the store (idk his credentials) cant figure it out.
From what I've seen so far, Android Device Manager (part of Google's setup) can do remote wipes. as can Motorola ID. I imagine both of these may "automatically setup" when you re-activate the phone. Beyond that, you'd need an app to perform such changes, I'd think.
Also, if he's on a joint-account with his exGF, and if she has access to the account, VZ may be doing this without the store-people knowing it?
schwinn8 said:
From what I've seen so far, Android Device Manager (part of Google's setup) can do remote wipes. as can Motorola ID. I imagine both of these may "automatically setup" when you re-activate the phone. Beyond that, you'd need an app to perform such changes, I'd think.
Also, if he's on a joint-account with his exGF, and if she has access to the account, VZ may be doing this without the store-people knowing it?
Click to expand...
Click to collapse
If it's Android Device Manager, maybe it would be sufficient to just change the Google login password?
Yeah, he changed his Google password right?
schwinn8 said:
From what I've seen so far, Android Device Manager (part of Google's setup) can do remote wipes. as can Motorola ID. I imagine both of these may "automatically setup" when you re-activate the phone. Beyond that, you'd need an app to perform such changes, I'd think.
Also, if he's on a joint-account with his exGF, and if she has access to the account, VZ may be doing this without the store-people knowing it?
Click to expand...
Click to collapse
He was on a joint account but upon breakin up with her he took her phone, cancelled it, removed her from the account changed his passwords to facebook and google and everything else. Just for the guy to call in and request info he has to answer 5+ extra security questions before hes allowed any info. But ill check out the ADV maybe thats it. Thankyou
Hey guys,
Just wondering if anyone else has this issue and if there is a fix? I use Royal Bank in Canada and they have finally released the wallet option, however, my phone is rooted and so the wallet function is disabled. I've tried a few of the hide root apps found on the play store but nothing seems to have worked so far. Has anyone found a way around this aside from removing root?
Thanks!
I would guess that this is the same principle as Android Pay, which won't work unless you have a *completely* stock device with no alterations at all. I've heard of "hide root" functions but I would guess (again... ) that with something as critical as payments the payment validation process would be built smart enough to detect them.
Me, I'm old school. If you can't scratch a window with it, it's not money. The idea of trusting my bank account to an NFC device that anyone can read in my pocket gives me the creeps.
dahawthorne said:
I would guess that this is the same principle as Android Pay, which won't work unless you have a *completely* stock device with no alterations at all. I've heard of "hide root" functions but I would guess (again... ) that with something as critical as payments the payment validation process would be built smart enough to detect them.
Me, I'm old school. If you can't scratch a window with it, it's not money. The idea of trusting my bank account to an NFC device that anyone can read in my pocket gives me the creeps.
Click to expand...
Click to collapse
If its in your pocket, the NFC chip is *turned off*.
Thanks, doitright. How does that work? I've had a brief look for an automated disabling of NFC but can't see one, whereas there are articles about the risks of drive-by theft.
(By the way, I'm a big fan of your systemless root. Fantastic job. I saw one visual glitch, but everything else is perfect so far.)
Root cloak for Xposed worked for the past year but there has been a major overhaul of the app (in Canada) and now RBC wallet is a separate app. I have tried root cloak and systemless root without binding xbin to system and so far nothing. Getting "will not work with this phone" on opening app. Anyone got the new app working?
I have noticed that my important email has been compromised. I've seen logins from the US (I've never been in the US) and even parts of Sweden that I have not visited (and by a browser that I've never used, so it's not me).
I am really surprised by this considering I use 2-factor authentication on it and my Note 8 doesn't even have Google authenticator visible. It is installed but I've hid it and use it by going to app store and searching for it.
All my important websites are protected by 2-factor authenticator. Except for my phone. I have BitDefender antivirus but I am not sure if this is enough.
I need something really strong to protect my phone from people accessing it and its apps. Mainly a protection against keyloggers.
My phone is rooted if that makes any difference.
Also, I don't mind if it costs money. I will pay well for top notch protection.
Nebell said:
I have noticed that my important email has been compromised. I've seen logins from the US (I've never been in the US) and even parts of Sweden that I have not visited (and by a browser that I've never used, so it's not me).
I am really surprised by this considering I use 2-factor authentication on it and my Note 8 doesn't even have Google authenticator visible. It is installed but I've hid it and use it by going to app store and searching for it.
All my important websites are protected by 2-factor authenticator. Except for my phone. I have BitDefender antivirus but I am not sure if this is enough.
I need something really strong to protect my phone from people accessing it and its apps. Mainly a protection against keyloggers.
My phone is rooted if that makes any difference.
Also, I don't mind if it costs money. I will pay well for top notch protection.
Click to expand...
Click to collapse
If it wasn't rooted I would just encrypt the sd card, make sure you have a good pattern/password and use Secure Folder for anything more sensitive. Between all that, bitdefender, and 2-factor authentication on accounts where possible, the only other thing I can think of is using a VPN when connecting to public wifi. Of course root breaks Knox though, so that changes things here for Secure Folder, etc. Maybe there are some other security apps you could use instead for sensitive stuff, as well as a firewall app, but root does run counter to maximum security.
Nebell said:
I have noticed that my important email has been compromised. I've seen logins from the US (I've never been in the US) and even parts of Sweden that I have not visited (and by a browser that I've never used, so it's not me).
I am really surprised by this considering I use 2-factor authentication on it and my Note 8 doesn't even have Google authenticator visible. It is installed but I've hid it and use it by going to app store and searching for it.
All my important websites are protected by 2-factor authenticator. Except for my phone. I have BitDefender antivirus but I am not sure if this is enough.
I need something really strong to protect my phone from people accessing it and its apps. Mainly a protection against keyloggers.
My phone is rooted if that makes any difference.
Also, I don't mind if it costs money. I will pay well for top notch protection.
Click to expand...
Click to collapse
Rooted phone = lack of security!
As soon as a phone is rooted there is little security as all the inbuilt security (safe folder & knox) are gone and banking apps won't work!
Sent from my SM-N9500 using Tapatalk
sefrcoko said:
If it wasn't rooted I would just encrypt the sd card, make sure you have a good pattern/password and use Secure Folder for anything more sensitive. Between all that, bitdefender, and 2-factor authentication on accounts where possible, the only other thing I can think of is using a VPN when connecting to public wifi. Of course root breaks Knox though, so that changes things here for Secure Folder, etc. Maybe there are some other security apps you could use instead for sensitive stuff, as well as a firewall app, but root does run counter to maximum security.
Click to expand...
Click to collapse
Thanks. I guess I already have enough security. I was baffled that my e-mail was compromised. Maybe it was, maybe it wasn't. I noticed no change to any of my files etc. But it does show suspicious logins from countries I have never been to.
robmeik said:
Rooted phone = lack of security!
As soon as a phone is rooted there is little security as all the inbuilt security (safe folder & knox) are gone and banking apps won't work!
Sent from my SM-N9500 using Tapatalk
Click to expand...
Click to collapse
Yeah thanks for the obvious pointer. But rooting a phone is a must. Also, all my banking apps work just fine. I am not dependant on Samsung.
As was mentioned earlier, use a VPN when using the internet. It does protect your IP and is handy to get to content you can't access from your country..
Nebell said:
Thanks. I guess I already have enough security. I was baffled that my e-mail was compromised. Maybe it was, maybe it wasn't. I noticed no change to any of my files etc. But it does show suspicious logins from countries I have never been to.
Click to expand...
Click to collapse
I assume you have already done this, but I would immediately change my password to that account (along with any other accounts that share the same password), even though you have rwo-factor authentication. Unless you logged in while on VPN or proxy, suspicious logins from other countries you haven't visited sounds like a red flag.
sefrcoko said:
I assume you have already done this, but I would immediately change my password to that account (along with any other accounts that share the same password), even though you have rwo-factor authentication. Unless you logged in while on VPN or proxy, suspicious logins from other countries you haven't visited sounds like a red flag.
Click to expand...
Click to collapse
I changed every important website to a password that is so hard to type I need to do it carefully every time. I got in contact with Fastmail (who btw is an awesome e-mail service, although paid) and they said that my phone is compromised.
Damnit.
I use my phone far more than my computers. They also suggested that I use a password manager but if my phone is compromised so easily then I probably am better off just getting better protection for my phone.
Nebell said:
I changed every important website to a password that is so hard to type I need to do it carefully every time. I got in contact with Fastmail (who btw is an awesome e-mail service, although paid) and they said that my phone is compromised.
Damnit.
I use my phone far more than my computers. They also suggested that I use a password manager but if my phone is compromised so easily then I probably am better off just getting better protection for my phone.
Click to expand...
Click to collapse
Damn that really sucks...sorry yo hear that. Hmm at this point I would backup photos, etc, flash stock firmware, and start fresh. Be careful with what you reinstall, as one of those apps/mods may possibly be the culprit.
@Nebell are you using sms to get your 2step-authentication code? maybe all your sms are being forwarded (via some malware app). You should be using a firewall if you are rooted.
Lots of apps have permission to access sms text messages and even send it.
Before i side load any apps, i use virustotal.com , go to website, upload APK file and if malware then install (if you must have it) but block it using firewall, any other red flags, then find another apk version or similar app.
Let Fastmail know of your breach and they can check which other devices or websites are registered/ linked to your account.
I suggest you backup your data, virus scan it all on a PC, wipe your android phone and start fresh. I use backup-your-mobile by Artur, to export my calendar, contacts, sms, call logs, etc. it works quite good.
good luck mate.
I think it might have been a false positive.
I reset my phone to factory settings and changed all passwords and suddenly "Ashburn US" login kept getting failed attempts on my email. But as soon as I reinstalled Edison Mail app and logged in, the success login from Ashburn US resumed.
It must somehow be connected to that app. I've sent a message to Edison and asked them if they are associated with that location. Maybe their server is located there or something, but I will wait and see what they reply before I take next action.
The fact that makes me believe this was a false positive is that I never noticed anyone reading my email or actually trying to do something, and I do have sensitive stuff in there.
My Pixel 3 is having power button/battery-life issues, so I took advantage of the inflated Google trade-in values and pre-ordered the 7 (ugh, hope it goes better than the 6 launch, especially since with my trade-in I'll be stuck if I have issues).
My Pixel and Pixel 3, I unlocked the bootloader and rooted, but with the Pixel 3, seemed like I was spending more and more time trying to read and make sure that I was going to be able to get the updates installed and re-root with Magisk, and still be able to pass SafetyNet and Play store certification with a different kernel, such that I was skipping updates because I just didn't have time.
My main reason for rooting these days was to use AdAway and to freeze apps that I wasn't using regularly (like Uber, Lyft, store apps needed to get coupons but rarely used which I didn't want waking up and siphoning data in the background) with Titanium Backup. And to migrate a few apps and app data using Titanium Backup (though I think most apps/data transferred successfully using the Pixel transfer wizard when I went Pixel->Pixel 3?- can't remember the last time I had to do this, after 3 years on the P3)
When setting up the P7, I'm thinking about not unlocking the bootloader and just trying to use an adblock DNS, but wonder if anyone else is having similar thoughts? Have you been able to backup/restore apps and app data when necessary using ADB or Helium? Do you freeze apps or just uninstall ?
If I have forgotten some other reason why I really needed to be rooted with unlocked BL, do you think I'll be able to take an ADB backup, unlock BL and wipe and restore all apps/data?
Would be interested to know what everyone else is planning on doing...
Nateg900t said:
My Pixel 3 is having power button/battery-life issues, so I took advantage of the inflated Google trade-in values and pre-ordered the 7 (ugh, hope it goes better than the 6 launch, especially since with my trade-in I'll be stuck if I have issues).
My Pixel and Pixel 3, I unlocked the bootloader and rooted, but with the Pixel 3, seemed like I was spending more and more time trying to read and make sure that I was going to be able to get the updates installed and re-root with Magisk, and still be able to pass SafetyNet and Play store certification with a different kernel, such that I was skipping updates because I just didn't have time.
My main reason for rooting these days was to use AdAway and to freeze apps that I wasn't using regularly (like Uber, Lyft, store apps needed to get coupons but rarely used which I didn't want waking up and siphoning data in the background) with Titanium Backup. And to migrate a few apps and app data using Titanium Backup (though I think most apps/data transferred successfully using the Pixel transfer wizard when I went Pixel->Pixel 3?- can't remember the last time I had to do this, after 3 years on the P3)
When setting up the P7, I'm thinking about not unlocking the bootloader and just trying to use an adblock DNS, but wonder if anyone else is having similar thoughts? Have you been able to backup/restore apps and app data when necessary using ADB or Helium? Do you freeze apps or just uninstall ?
If I have forgotten some other reason why I really needed to be rooted with unlocked BL, do you think I'll be able to take an ADB backup, unlock BL and wipe and restore all apps/data?
Would be interested to know what everyone else is planning on doing...
Click to expand...
Click to collapse
The very first thing I will do is unlock the bootloader and root. Not really a hassle for me and I don't use banking apps.
Lughnasadh said:
The very first thing I will do is unlock the bootloader and root. Not really a hassle for me and I don't use banking apps.
Click to expand...
Click to collapse
What are your biggest reasons to root? I don't mind just using banking websites, and I suppose I could do check deposits with a different device like an iPad... Back in the day was also using Xprivacy but now there is more control over app permissions too. Just trying to decide if there's still a reason to go through the hassle for my use cases.
Nateg900t said:
What are your biggest reasons to root? I don't mind just using banking websites, and I suppose I could do check deposits with a different device like an iPad... Back in the day was also using Xprivacy but now there is more control over app permissions too. Just trying to decide if there's still a reason to go through the hassle for my use cases.
Click to expand...
Click to collapse
Adaway root version
YouTube & YouTube Music Vanced
Substratum
Repainter
JamesDSP
Pixel Launcher Mod
Shortcutter app
Swift Backup
App Manager
To name a few..
Thanks, from your list Adaway root is the big pull for me.
Nateg900t said:
Thanks, from your list Adaway root is the big pull for me.
Click to expand...
Click to collapse
How about a VPN with ad blocking? Kill two birds..Proton is awesome for me. Do a backup, save it then try without root for a bit. You can't stand it then root.
bobby janow said:
How about a VPN with ad blocking? Kill two birds..Proton is awesome for me. Do a backup, save it then try without root for a bit. You can't stand it then root.
Click to expand...
Click to collapse
Have thought about that- use a VPN to a VPS when traveling on wifi, and a VPN to access my home network, but don't like the idea of leaving it connected all the time (battery drain, keeping the radios active to keep the connection) or the idea of having to constantly connect/disconnect it when I want to use the phone. And I would have to create new profiles for adblock to use on mobile while maintaining no-adblock for other devices.
That's why DNS or Adaway hosts seems like the best options for me.
I think I might do your idea of starting without and see how it works. Just looking for any reports from others who have been able to successfully fully backup and restore apps/data to unlock the bootloader. If I have to setup everything from scratch, it's a larger barrier to doing the BL unlock later.
I unlock the bootloader right away so I can use the Android Flash Tool for quick updates via my work computer. I don't like waiting for OTA updates and the optimization process that follows. Root and AdAway is another benefit, also better theme possibilities.
Nateg900t said:
What are your biggest reasons to root? I don't mind just using banking websites, and I suppose I could do check deposits with a different device like an iPad... Back in the day was also using Xprivacy but now there is more control over app permissions too. Just trying to decide if there's still a reason to go through the hassle for my use cases.
Click to expand...
Click to collapse
I used to root for the adblocking, but found setting the private dns to dns.adguard.com is just as effective. As for backups, I used Titanium Backup, but have found Google's backup is just as effective. For those apps not installed from the play store, I use swift backup running on top of Shizuku. For ad-free Youtube, you can find a modified youtube (vanced) apk, but as always, modified apks come with risks.
mruno said:
I used to root for the adblocking, but found setting the private dns to dns.adguard.com is just as effective. As for backups, I used Titanium Backup, but have found Google's backup is just as effective. For those apps not installed from the play store, I use swift backup running on top of Shizuku. For ad-free Youtube, you can find a modified youtube (vanced) apk, but as always, modified apks come with risks.
Click to expand...
Click to collapse
Thanks for sharing your experience! Have been reading more about the private DNS options, just trying to figure out whether connecting to my OpenVPN profiles will override the phone settings and cause me to have to change server config settings in OpenVPN server (seems like OpenVPN will override if doing server push, and the iOS and Android OpenVPN clients don't listen to the pull-filter commands to ignore server config DNS which would be needed to allow non-adguard profile option with a client profile instead of running a second server instance on a different port). I'm probably just going to have to experiment and figure out some combination of settings that allows me to use adguard Private DNS when on mobile/wifi when not using VPN, and also adguard Private DNS when on my own VPN, with the option to use a non-adguard DNS profile if something isn't working/loading and I need to disable the adguard.
Was also reading about using Shizuku and Hail to freeze/disable apps without root, which is my other biggest use-case.
Have a family YoutubeMusic account that costs $2.50/month and includes no-ad Youtube, so thankfully don't have to worry about Youtube ads.
chopt51 said:
I unlock the bootloader right away so I can use the Android Flash Tool for quick updates via my work computer. I don't like waiting for OTA updates and the optimization process that follows. Root and AdAway is another benefit, also better theme possibilities.
Click to expand...
Click to collapse
Do you play the game of trying to maintain Gpay compatibility and Play store certification to install Netflix and other apps, or that's just not something that matters for your use case?
Nateg900t said:
Do you play the game of trying to maintain Gpay compatibility and Play store certification to install Netflix and other apps, or that's just not something that matters for your use case?
Click to expand...
Click to collapse
I honestly don't have to worry about those instances. My use might be different than others.
I'm thinking about getting a Pixel 7 (non Pro), and if I get one I'll keep the BL locked I guess. Right now I got a Realme GT2 Pro, and it's locked running stock color OS. I got a virtual credit card and various banking apps, so I don't want to mess around anymore. For blocking unwanted stuff I use personalDNSfilter (got that running on my PC and my smartphone and it's great) and adblocking browsers. During the last years I used less custom ROMs and kernels, because I don't need that stuff anymore. It rather annoyed me testing ROMs and getting problems because of root.
Immediately unlock the bootloader and leave it unlocked. You can decide to go with root at any time it suits you after that without losing all your data -- can be as simple as fastboot'ing the modified boot image, and as temporary as its gone the next time you reboot.
96carboard said:
Immediately unlock the bootloader and leave it unlocked. You can decide to go with root at any time it suits you after that without losing all your data -- can be as simple as fastboot'ing the modified boot image, and as temporary as its gone the next time you reboot.
Click to expand...
Click to collapse
I haven't unlocked for some time and when I did I didn't use GP or my banking apps. Does Pay and all banking apps work with an unlocked bootloader. Perhaps before telling someone to immediately unlock the bootloader you could inform them of the drawbacks as well as the benefits you provided. Maybe suggest a few articles on the security risks of an unlocked bootloader as a start. The person you are quoting has numerous financial apps on the device and is security conscience. Blanket statements of "immediately unlock the bootloader and leave it unlocked" can be shortsighted for some people.
bobby janow said:
I haven't unlocked for some time and when I did I didn't use GP or my banking apps. Does Pay and all banking apps work with an unlocked bootloader. Perhaps before telling someone to immediately unlock the bootloader you could inform them of the drawbacks as well as the benefits you provided. Maybe suggest a few articles on the security risks of an unlocked bootloader as a start. The person you are quoting has numerous financial apps on the device and is security conscience. Blanket statements of "immediately unlock the bootloader and leave it unlocked" can be shortsighted for some people.
Click to expand...
Click to collapse
Everything will work perfectly with an unlocked bootloader. It will just give you an annoying warning screen briefly when powering on.
If you want to know about security risks, they're fairly small, and ONLY apply if your phone is handled physically by someone untrusted for an extended period of time, in which the only thing they could actually do is install a modified boot image. Under those circumstances, the device security has to be assumed compromised whether the bootloader is unlocked or not.
An unlocked bootloader will NOT allow a 3rd party to access data on the device, since it is encrypted and requires your security code to unlock.
Now, you can actually tell if they've rebooted the device, which they would HAVE to do in order to install a different boot image; the unlock screen (which they are NOT able to modify without resulting in boot failure) will tell you!
And I absolutely disagree that it is shortsighted to advise immediate unlocking. Nothing of real benefit comes from having a locked bootloader. Any sense of security you gain from it is smoke and mirrors. It can only be tampered with if someone has physical access, and if somebody has physical access, it has to be assumed compromised regardless of whether it is unlocked or not. If anything, your security is improved because it is now on your mind that it could potentially be tampered with, and you are reminded of it with the id10t warning every time it reboots.
96carboard said:
Everything will work perfectly with an unlocked bootloader. It will just give you an annoying warning screen briefly when powering on.
If you want to know about security risks, they're fairly small, and ONLY apply if your phone is handled physically by someone untrusted for an extended period of time, in which the only thing they could actually do is install a modified boot image. Under those circumstances, the device security has to be assumed compromised whether the bootloader is unlocked or not.
An unlocked bootloader will NOT allow a 3rd party to access data on the device, since it is encrypted and requires your security code to unlock.
Now, you can actually tell if they've rebooted the device, which they would HAVE to do in order to install a different boot image; the unlock screen (which they are NOT able to modify without resulting in boot failure) will tell you!
And I absolutely disagree that it is shortsighted to advise immediate unlocking. Nothing of real benefit comes from having a locked bootloader. Any sense of security you gain from it is smoke and mirrors. It can only be tampered with if someone has physical access, and if somebody has physical access, it has to be assumed compromised regardless of whether it is unlocked or not. If anything, your security is improved because it is now on your mind that it could potentially be tampered with, and you are reminded of it with the id10t warning every time it reboots.
Click to expand...
Click to collapse
Everything will not work perfectly. Let's be honest here. Look it up, some banking apps work mine doesn't. Pay will work one day and not the next. And if your bank finds out your account was hacked and your phone is unlocked and/or bypasses bank security protocols who will pay for the missing funds when they find out?
A missing device can be booted into a custom recovery and adb commands will be available to take everything on your device bypassing any security you have. With a locked bootloader that is not possible. So if you know your phone can be compromised you feel more secure? That is ludicrous and really doesn't make sense. I mean talk about smoke and mirrors.
Now that being said there are a lot of folks in your camp that say you're living a pipe dream if you think the phone is more easily hacked or info stolen. I understand that argument entirely and it's possibly correct to a certain degree. But to summarily say immediately unlock your bootloader if you don't plan on rooting because.. well just in case, is really disingenuous to a great many individuals. At the very least look up some articles on why to keep your bootloader locked, especially for someone that hasn't done it in some time, if ever. The beauty of Android is the possibility if you so desire. Just be conscience of the advice you give. Many years ago Chainfire said in his blog that if you have an unlocked bootloader and have financial apps on your device you're asking for trouble and you might want to rethink that. (not in so many words) That weekend I locked my bootloader and never looked back. I haven't missed anything.. well other than flashing MVK kernel for my 6a. ;-) But then I'd need root and that brings a host of other issues.
Good points about unlocked BL. Every phone I've had with an unlocked bootloader, I also had root. If I have an unlocked bootloader but run a stock image, I see bobby and 96cardboard are offering different reports of whether that will result in apps like banking apps, Play Store certification, and GPay deciding that they won't allow normal functioning. Anyone else have recent experience on this?
If I can run stock with unlocked bootloader, then I might be more in the camp to have the unlocked BL but not root, at least initially. I like the idea that if somehow an update or some other Android bug borks the OS and/or boot partitions, I could potentially fastboot install a stock copy of the OS and have a chance of recovering my data, whereas with the locked bootloader, it seems the options are limited/none, correct (sorry, haven't had to try and recovery from that situation in the past, so maybe I just don't know/understand the tools available)? I just know from past experience that it seemed like an unlocked bootloader was required and also know that unlocking wipes all data in the process. Not sure if there's a reliable way to get a phone to back up user data to a computer via ADB that can be restored even when the OS isn't working, but also don't have experience trying to use ADB backup with a functioning phone (used to do nandroid backups and they saved my butt a time or two).
@Nateg900t You're not going to trash the os with an update. You might with root if you don't know what the new root process is. But why not just make a backup with an app or two and keep it offline. No adb needed. And copy your important pics too. But I do understand what possibilities there are with an unlocked bl.
What I sometimes do is make a full Google backup and an SMS, call log backup. Then I'll flip the OEM switch just in case I need to unlock. I actually have it flipped now because I'm on QPR1 b2. Now that can bork something. If I needed to wipe I could recover about 90+% within about 30 minutes. If you want to bl lock due to some app or something then a full wipe is needed. Oh how I miss nandroid backups.
Keep asking your questions all over and make an informed decision. Enjoy the device it's pretty awesome.
Ahh, good call on flipping the oem unlock switch.
What app are you using to make app backups? Helium? I don't do full Google backup because I don't pay for extra cloud storage. But I was going to try making the full adb backup and seeing if I can use that and restore my old pixel 3 (once it is transfered to the new 7, just before I wipe it for trade in... At that point it won't matter if the restore doesn't work and it will be nice to test and get the experience for backing up the 7 via adb..
For pics, already using an app that uploads pics to my NAS each night overnight.
Going to give private dns via adguard a try instead of adaway and with that and backup/restore capabilities, I think that will cover my root needs these days.