Updated: Think your Android smartphone with fingerprint scanner is safe from thieves? Think again

Fingerprint scanners have slowly but surely become a desirable feature in any high-class smartphone. They offer users a quick unlock while providing a stable security wall against any snoopers that may want to dig around the handset, and they discourage thieves, as a fingerprint-secured smartphone is perceived as useless unless in the hands of its owner. Unfortunately, when it comes to most Android smartphones, the latter is more of a myth than actual reality.

When Apple introduced the Touch ID sensor, which essentially popularised the use of biometric scanners on a smartphone, it combined it with the strong iCloud Account Lock feature. As a result, any stolen iPhone (provided it’s running a more current version of iOS) is essentially turned into a paperweight if it’s not unlocked by its owner. Thanks to the closed system that iOS is, getting past the security is impossible for a layman, and seems to be an endeavour with inconsistent results for hackers. Even authorities confirmed that thieves have become more and more discouraged from snatching iPhones. In reality, iCloud Account Lock works in the same manner even if one only uses a PIN code or password as their main locking feature, but since Touch ID is so widely used, it became synonymous with strong security.

A lot of Android smartphones also have a fingerprint scanner, and the sense of security it provides has also migrated to the Android user base, but in most cases – it’s a false one.

Android is a very open platform, which gives its users access to a lot of nooks and crannies that iOS does not. This is generally considered a plus, as it gives the user a lot of control over their own gadget and that’s cool, but it can be a double-edged sword at times. In our case here, the culprit is the modders’ beloved Recovery Mode – a “behind-the-curtains” boot menu, which allows users to manually flash system ROMs, wipe the phone’s cache, or clear all of its data. And by all of its data, we also mean all of its security settings – the wipe basically reverts the phone to its factory-default state.

Update: Avid readers have pointed out to us that Samsung has an Activation Lock feature in place. It's a bit out of the way and required us to find and turn it on manually, but it's there. You need to go into Settings -> Security and turn on Activation Lock. This feature did not allow us to use a freshly reset Galaxy Note Edge, running on Android 5.1.1, even if we didn't connect it to the Internet after resetting, so props to Samsung for that. While there are a couple of ways to go around it, they are certainly not obvious, and this is a step in the right direction. Android is supposed to have an Activation Lock of its own since the 5.1 update, which should work similarly, but we haven't been able to get it to work automatically on the various handsets we tested this with. It requires the user to manually access the Android Device Manager, but seeing that it may take you a while between getting your phone stolen and accessing a computer – that's just not good enough.

So, while a potential thief will most probably not have access to the data on your Android smartphone, they can certainly access Recovery Mode, wipe it clean, and use it as their own / resell it. From that point on, you can't track the handset through the Android device manager, nor remotely control it in any way. In contrast – Apple's iCloud Account Lock will not let anyone through (backdoors in older iOS versions can sometimes be found, so it's preferable to always be up to the newest version), which makes the device unusable and significantly lowers its resale value. You will be able to track its location whenever it is on, and even when the thief turns it off — or if its battery dies — it will use its final seconds of on time to send out an updated location to the cloud.

This is not to say "iOS good, Android bad!", but do consider it as a public service announcement – if you’ve been having peace of mind, thinking that locking your Android smartphone will essentially make it worthless for potential thieves, this is probably false, unless they are really thick or easily discouraged (also, unable to use Google). It's great that Androids are getting an Activation Lock, but in our experience – it's a bit forgiving and out-of-the-way in its current state.



1. Planterz

Posts: 2120; Member since: Apr 30, 2012

This article is pointless.

11. EcoCare

Posts: 444; Member since: Jul 30, 2014

How so? Care to elaborate?

17. Awalker

Posts: 1977; Member since: Aug 15, 2013

Because most people know that already.

22. EcoCare

Posts: 444; Member since: Jul 30, 2014

You might need statistical data to make that conclusion. Only a handful of my friends heard the term "recovery mode" (and they still don't know the purpose). That doesn't make this article pointless.

25. Finalflash

Posts: 4063; Member since: Jul 23, 2013

It's not only pointless but pretty much a travesty as a public service announcement as well. Why would you even need to reset the iPhone when all you need to do is get through the person's PIN? There was even an article here a while ago that you can get through the iPhone's PIN protection in a few hours. On top of that, most Android phones have locked bootloaders and do not even give access to the recovery menu. Finally, it has been proven time and again that all closed systems get broken and the method of breaking remains undetected because only the hackers know of it. Open source gets analysed every day by millions of well-intentioned individuals who report vulnerabilities to those that can fix it. That 1 million dollar bounty bug won't be found by Apple for years and then what's the point of all that pretend security?

42. Wiencon

Posts: 2278; Member since: Aug 06, 2014

I just showed it to my friends on LG G3 and no one knew about it. And they are IT students.

47. TechieXP1969

Posts: 14967; Member since: Sep 25, 2013

So! What does that have to do with anything? Hey, guess what, I can find lots of people who can't list the 7 wonders of the world. That doesn't make my point any more or less pointless.

54. Awalker

Posts: 1977; Member since: Aug 15, 2013

You can probably guess the purpose by the name of the mode. In my custom rom flashing days I used it all the time. Have any of your friends used a Windows PC? It's the same concept.

61. Hexa-core

Posts: 2131; Member since: Aug 11, 2015

Oh yeah, it sure is.

27. jove39

Posts: 2146; Member since: Oct 18, 2011

For starters - if your device is locked and you haven't enabled ADB, how would a thief restart your device in recovery mode? My OPO won't even show the recovery mode option when locked. And with a locked bootloader, you can't inst

31. paul.k

Posts: 294; Member since: Jul 17, 2014

Why are you even talking about bootloader? Turn off your OPO (you can turn off a phone without needing to unlock it - just hold down power). When it's off, hold down Power and Volume down. When you see the 1+ logo, let go of both buttons. You are now in Recovery Mode (NOT bootloader). From here, you can choose "Wipe data / Factory reset". Voila!

43. RoboticEngi

Posts: 1251; Member since: Dec 03, 2014

And so what? When they try to enable the device, they still need to go through activation...........

48. TechieXP1969

Posts: 14967; Member since: Sep 25, 2013

You just don't get it, do you? Google offers activation lock to your Google account. It is part of the options during phone setup. Samsung also offers activation lock to your Samsung account. The only downside is that even though both methods are offered during setup of Galaxy phones, it is allowed to be skipped. I think that one of the 2 methods should be forced to be used by the user. In other words, the user who bought the phone, while setting up, must choose an activation lock method. Either the device must be locked with your Google login/password or Samsung's. The reason is simple. PEOPLE ARE CARELESS AND STUPID. I don't mean that in a bad way. Users have a tendency to never read prompts on computers and devices. They just click and click and click past stuff they feel is not important when it is. This makes them careless and stupid. People are also too lazy to read a simple short verbiage that says this method of protection is to help secure your device in the event it is lost or stolen. What do people typically do? SKIP. The thing is though, Android phones were less likely to get stolen based on facts because thieves can sell a hot iPhone right away due to its market penetration and black market awareness. But here where I live in Chicago, people are having any type of phone stolen and activation lock won't prevent them from selling it, it will simply burn the idiot who bought it.

58. jove39

Posts: 2146; Member since: Oct 18, 2011

Right...open access to recovery leaves the phone vulnerable.

69. HighOnAndroidFTW

Posts: 185; Member since: Apr 26, 2015

And you can do the same with Apple devices with iTunes on a computer. Have done it several times for people that handed over locked iPhones and wanted them wiped for resale. And you can crack the PIN with a program fairly quick. So your article is doo-doo.. Not to mention your oh so godly iCloud got hacked and tons of people's private stuff released to the public, remember that? I don't remember that happening with Gmail cloud backup services ; ) GG

75. xfire99

Posts: 1205; Member since: Mar 14, 2012

Have you ever heard about Google requiring full disk encryption from Android 6.0? Which I doubt you know about, since you don't mention it anywhere in the article. They tried already with Android 5.0, but it slows the phone down, and that was solved with little impact in Android 6.0. So what can a thief do with a fully encrypted phone in recovery mode?

33. lolatfailphones

Posts: 224; Member since: Apr 08, 2013

Lmfao collect your L on your way out

45. TechieXP1969

Posts: 14967; Member since: Sep 25, 2013

Because the info is wrong. It's simply another attempt to lie and make some stupid people think iOS is better. iOS is the least secure mobile platform, which has been validated by companies who aren't in Apple's pockets. In 2015, Apple has to fix what was listed as iOS having more vulnerabilities vs Windows and Android COMBINED. It's been also noted that iOS applications are more vulnerable vs Android or even Windows. These are facts you can Google - https://www.google.com/#q=ios+vulnerabilities+vs+android+vs+windows+2015 PA not too long ago had an article showing this fact. Remember how last year, iOS was hit with a simple hack using a text message that contained foreign characters? Within days the iOS fingerprint reader was hacked and circumvented. Even now you can still bypass the fingerprint reader and change the DNS server info and reach other servers and perform a list of functions without ever logging into the phone. I have NEVER seen that happen on Android or Windows Mobile/Phone and I am not saying it can't be done. http://www.ibtimes.co.uk/iphone-6-touch-id-fingerprint-scanner-hacked-days-after-launch-1466843 I personally haven't used other Android brands of phones, so I cannot speak on what activation locking methods they may have. But Samsung phones have offered activation lock to your account since 2014, based on the first time I recall using it, which was on the Note 4. It also is available on any Samsung Galaxy device that runs Android 5.x or higher. The article is only 100% true if the user has a brand of phone where powering it off allows a thief to be able to wipe the device, and the owner never set up some type of activation lock method. However, this issue only affects older phones. Any device that has a fingerprint reader and runs Android 5.x offers some type of secondary activation lock method. In fact you can also activation lock your device to your Google account.

63. Hexa-core

Posts: 2131; Member since: Aug 11, 2015

Well pointed out. iOS isn't as secure as PA and other iBiased firms claim it to be!

70. EcoCare

Posts: 444; Member since: Jul 30, 2014

See, it's not totally pointless. The fact that not all Android phones run 5.1 or higher and there are more brands than Samsung and Nexus, and not all phones are bootloader-locked, means this article has some points.

68. Planterz

Posts: 2120; Member since: Apr 30, 2012

It's pointless because the fingerprint sensor is merely just another PIN/password/face unlock. A more secure one, yes. Patterns and PINs can be watched and imitated, and you can face unlock a phone by putting a picture of that person in front of it. Patterns can even be traced by copying the fingerprint smear, especially if it's an older phone where the oleophobic coating has worn away. I doubt anyone (nobody with half a brain, anyway) will actually think that the fingerprint sensor magically makes a phone any more impossible to steal, wipe, and resell unless some sort of lockdown or killswitch was implemented. Not on an Android, anyway.

2. shaineql

Posts: 522; Member since: Apr 28, 2014

Double edged sword indeed. The only way to have Apple-like security is to make it so nobody can "fix" or "access" some of the functions, not even the manufacturer.

3. shaineql

Posts: 522; Member since: Apr 28, 2014

If HTC customer service can reset your password, so can anyone else. Unlike with Apple, once you reach that point where you can't recover your password, not even Apple Care can help, because they can't. Not even when the supreme court demands it, because the software isn't built like that. Personally I see that as a bad thing, I'd rather be able to reset my device whenever I want.

4. Sidewinder

Posts: 515; Member since: Jan 15, 2015

I don't need a phone with Fort Knox-like security. Just need basic security to keep some private content out of view of some curious eyes like friends and family. PIN-based security will do just fine for me, and the addition of a fingerprint sensor just makes the whole unlocking procedure easier without the hassles of typing the PIN every time and having to remember it actually.

8. Wiencon

Posts: 2278; Member since: Aug 06, 2014

You missed the point

5. joey_sfb

Posts: 6794; Member since: Mar 29, 2012

Thieves are also less likely to steal an Android phone as most are very cheap anyway. They'd rather buy one themselves at $150, e.g. Xiaomi Redmi 3 Pro. I am also not comfortable with my bio signature captured as a form of authentication, as I could change my password but not my bio data.

35. lolatfailphones

Posts: 224; Member since: Apr 08, 2013

Worst butthurt excuse ever. Doesn't matter if it cost $150, the thief is still getting it from you for free smh

55. Awalker

Posts: 1977; Member since: Aug 15, 2013

I see that as one of the benefits of having a 6P. Most thieves are not looking to steal my device. They want iPhones.

72. DurTeeDee

Posts: 151; Member since: Sep 05, 2014

They want your phone because it is big and on TV
