Android phone bricked by "security feature"?

So a colleague who I ordered a corporate phone for has, after factory resetting her phone, apparently forgotten the Google account she used when originally setting the phone up. The phone now appears to be basically bricked by this Android "security feature". The phone just keeps asking for the original Google account associated with the phone in order to start it. This just seems like the stupidest "feature" I have ever come across, and apparently, according to another colleague, it has resulted in the business writing off over £1k worth of phones this year alone due to other colleagues doing the same thing. This is costing the business far more than the occasional theft of phones.

Is there absolutely no way to get into the phone with adb to unlock it?

And of greater concern is my personal phone: in case for some reason I can no longer get into the Google account associated with my phone, that will be a £400 phone written off. Is there no way to remove this odious "feature" from my Android 9 phone?
 
If the IT department handled the primary accounts on those phones, that wouldn't happen. Well, unless they forget the details too. You'd think after the first one they'd probably try to make sure that didn't happen again :/

Unfortunately IT is outsourced to another organisation so what happens is that phones are just shipped to us and users are left to set them up themselves using guidance notes from the IT portal which of course no one ever reads. I work for a very large employer so issues like this are often not communicated from one department to another.

I always try to ensure that users create a Google account using their corporate email address just in case they forget their password etc., but I never actually realised that Google intentionally bricked phones if users forgot their Google account!
 
During account setup through accessibility settings you can start a YouTube clip and open YouTube's terms and conditions in a browser. Once you've launched Chrome there are various APKs you can download to create a new Google account and gain access.

Does this work with the latest version of Android? I've just set up a phone to re-familiarise myself with the process of setting up the work phones and I can't believe there is absolutely no warning whatsoever about FRP or an option to switch it off. It's a fail-deadly mechanism they don't even tell you about!

I have to say my estimation of Google and the Android operating system has diminished over the years and I think I might put a different OS on my next phone.
 
iOS?! Err, that's not what I was thinking of. There are a lot of now mature Linux-based OSes available for phones that don't have the hindrances of Android or iOS.

To be honest you really wouldn't want a security feature to be easy to break anyway, I mean it's not as if it's not there on purpose lol.

No, but you would want it to be well documented and upfront, not hidden in the background and only discovered after the user has reset their phone...

Good luck with that, iOS is the same. All you have to do is not forget the account you used on the phone and it wouldn't be an issue. It should be easy ...

Except for when the service doesn't work properly... No one should be dependent on a 3rd party service for their phone to boot, it's very dangerous. If Google's servers have a problem (yet again) it renders your own personal device unusable.
 
If you consider having no popular apps as less of a hindrance than remembering the password of the account you set up a phone with for security reasons then all power to you. Not sure how well that will go down with your colleagues though.

My colleagues? What do my colleagues have to do with my personal phone?

Many of the Android apps will run on a Linux variant in any case.
 
Sorry, I assumed as you were talking about colleagues' phones that you worked in the IT department or something and were looking for a better solution for others.

Seeing that it's your own phone, I don't see the benefit of moving to a non-standard 3rd party OS. Some apps will work, many won't. So many apps these days rely on Google Play Services, and even if you can sideload GPS it's a lot more of a ballache keeping things up to date and praying nothing goes wrong rather than worrying about when you want to factory reset your device. Just remember your password? Seems a lot easier.

All my apps have a Linux equivalent or already have been compiled for Linux, web browser, media player, telegram, file explorer, ftp server etc. so I won't have any issues in that respect.

It's not simply about FRP. I want to move away from Android because what was once a really open platform is becoming more closed and controlling of your device, so that it becomes a pia when trying to do some basic things.

I think your angst is incorrectly directed at Google, surely your colleagues should take some responsibility if they're setting up accounts with details they have no chance of remembering?

Would you blame a bank for stopping an online transaction because you couldn't remember the 2nd, 5th & 7th letters of your memorable key word?

That's a false analogy, everyone knows that banks block failed logins or pin numbers as a security feature. No standard user knows about FRP being installed on the phone and therefore does not take the necessary precautions. Furthermore when we are talking about a bank we are dealing with their systems, in the case of FRP we are talking about a personal device that the user should have master/root control over.

So because your colleagues are stupid enough to lock themselves out of their accounts, you're going to install another OS on your phone that removes a layer of security? Sounds like cutting your nose off to spite your face.

No, I'm installing another OS for a variety of reasons. Android just no longer meets my requirements.
 
Joe Bloggs shouldn't have root access to his phone. That's crazy, that's saying all phones should be shipped with no security in place.

No it isn't, what an authoritarian attitude!

I think your wanting to move away from Android is really a separate issue. Your problem here in this thread is a corporate phone that wasn't managed properly and apparently was set up by somebody who can't remember their own Gmail address. Somebody there is responsible for this, it's not FRP's fault. Nobody should be setting anything up if they can't handle basic requirements like that.

Yes the corporate phone should have been managed differently in hindsight, but with no warning about FRP, how was the end user supposed to act appropriately?

The simple fact of the matter is that there is simply no excuse for installing FRP with no warning and without the user's consent.
 
Root access from the go is giving everything running under your account access to everything else. It's absolutely crazy to suggest that's how phones should ship. This isn't authoritarian at all and I'm puzzled why you are now trying to attack my views on FRP rather than concentrate on the real issue. I'm not playing this game with you, been there and done that before, so good luck sorting this for your IT department but I'm bowing out.

There are manufacturers like OnePlus which ship phones rooted, hasn't caused a doomsday scenario yet.

It's not a stupid security feature at all. It's to stop people from stealing phones and then just being able to wipe them and use them. If your colleague logs into the account they used on the phone then they can remove the device and it will work. This is purely the fault of your colleague for not doing things correctly.

I never said it was a stupid security feature, it's potentially a great feature for those that want it. The issue is that it's slipped in through the back door and the user only finds out about it when they forget the random Gmail account they created at startup 3 years ago.

It is not purely the fault of my colleague, there is an obviously bad software design choice here of not informing the user of FRP when setting up the device.

There is some fault on the user side yes, but you can't pass this off as just user error when that user was never informed about FRP and the need to keep a record of the account details.
 
Which phones do they ship rooted? I didn't get that option with my OnePlus 6T.

A lot of my most used apps would stop working if I had a rooted phone, and I haven't felt the need for root access for years now. What do people use it for now? It was handy with custom ROMs for updating drivers and other things, but that was back in the days when custom ROMs were a lot better than standard ROMs. I can't see what OnePlus would gain by selling phones pre-rooted? Is FRP disabled too?

When I got my OnePlus 3 it was pre-rooted out of the factory. I don't see why your apps would stop working, certainly none of mine have a problem with a rooted phone.

Having a rooted phone is very useful for removing the spyware-esque crap most manufacturers put onto the phone, and I need it for certain folder access.
 
Are you sure your OnePlus 3 had root access from the factory? It wouldn't have been certified by Google.

Apps I use that check for root:
Santander (and all banking apps)
Sky Go (and most streaming apps)
Any kind of NFC payment app
Many smarthome apps

Loads of everyday apps check for root access these days.

What folder access do you need out of interest and why? I'd call myself quite a power user but I've not needed su access for years now.

It uses Oxygen OS so Google certification is not really an issue.

Banking apps work fine if you use things like Magisk or RootCloak. I'm shocked people use SkyGo, but hey whatever floats your boat.

I do development work so I need access to all the folders on the device, I also want to remove the bloatware that is shipped with Android.
 
It's definitely an issue. The OnePlus 3 was actually the first phone to be properly sold via a mainstream mobile operator in the UK. It was absolutely certified by Google or they wouldn't have been able to sell it with any Google apps on there via any channel. If it was rooted from the factory, then that's a pretty big security issue and a massive certification issue, where did you buy it from?

I bought it from the OnePlus website.

In any case this is digressing somewhat from the original issue. Google made a change to the OS that they didn't tell users about, so a user's expectation from previous versions of Android would naturally be that remembering the Google account didn't matter. Google then did not warn the user upon setup or provide an option to turn FRP off, so it resulted in a nearly bricked phone in this case that thankfully I was able to recover with an APK. Google have a lot to answer for, it's not simple "user error".

I just want an easy life where I know how my phone is going to function and behave and Android no longer fits the bill when it's slipping in "features" via the backdoor. So it's definitely something I will be moving away from, never mind the privacy concerns surrounding Google at this point in time.
 
If that's the case there is a bigger issue and you should send it back, because that isn't an official or certified OnePlus firmware you have. Who knows what else could be installed on there if someone rooted it before it went out. As a Linux user you should probably understand and be a bit worried that someone has had root access to your device and done god knows what.

That phone has since been wiped, had multiple custom OSes on it and was recently sold on eBay so I'm not concerned. :p
 
I just want an easy life, a device that I know I can factory reset whatever happens to it.

I don't need to know my computer's password to reformat my computer, the same should apply to a phone.

If the device is encrypted FRP does nothing for data security, if your phone is nicked and the thief can't factory reset it, your phone is still nicked at the end of the day so what purpose does it actually serve?
 
You can. Remove the account from the phone before you factory reset like the phone tells you to. It's easy. FRP is activated only when you reset via recovery mode and if you're using that then you should really be capable of remembering an email address.

The whole point of using recovery mode is that you can restore a device that isn't working correctly, which is precisely the situation when you are most likely to encounter problems which would prevent you signing into the Google account.

Windows doesn't have this flaw, so there's no reason for Android to.
 
The point of using recovery in this context is to restore a device that doesn't boot. Factory reset through settings is for a device that isn't working correctly.

Look, FRP is only a problem if you forget your email address. Otherwise it does exactly what it's supposed to. There's no excuse for setting up a device with an email account you can't remember or be bothered to note down somewhere. It's just nonsense and there's no excuse for it. I'm sorry you feel that way about FRP but in my view your opinion is illogical. FRP would never affect you because I doubt you'd forget your details, right? Why so negative then? Very strange opinion.

Well no, because faulty network connectivity is a reason you might factory reset a device.

As a software designer I'm highly against undocumented features that go against the expected behaviour from the user.

It simply makes no logical sense to have a system that cripples the user's device with no user warning, that's bad software design pure and simple. What reason would you possibly have for not informing a user at setup that FRP was in effect? Simply none at all. This is simply blaming the user for bad software design.

It's a fallacy to suggest I should have no negative opinion of something because it wouldn't directly affect me.
 
Which can be done through settings and without going near recovery.

It wouldn't have occurred to me to go through settings prior to this incident because there is no warning about FRP, at installation or at the factory reset prompt and it's more expedient to factory reset a glitchy phone through the bootloader from past experience, and judging by the number of phones bricked at one company alone it seems no one else has a second thought about it either because earlier versions of Android led users to expect this not to be a problem.

Why? You brought your own devices into the discussion. As I recall, you want to move away from Android because of features like this - features that won't ever stop you doing anything. It doesn't make sense. But then again nothing much in this thread does.

Why?! Why would someone care about someone being negatively affected by something, are you for real?

It's definitely a new one on me for somebody moaning about a security feature designed to stop people from just being able to steal and wipe a phone and use it straight away :D :rolleyes:

Well that is certainly a naive view. What it's designed to do and what it actually does are two different things. I know that this has cost many users their phones, while I would be willing to bet it has not saved a single one from being stolen considering that just by following a YouTube video you can bypass it.

You don't see me complaining about other security software like say Windows Bitlocker because A) it actually works, and B) there is a warning spelled out to users as clear as day.

It's a rational criticism of FRP to say that users are not adequately warned about it at setup or factory reset and that it is ineffective because it isn't well known enough to be a theft deterrent and it is easy to bypass for those that do know about it. On the other hand it is irrational to blame the user for a newly introduced undocumented feature that "broke" their £800 phone. Even if you are a fan of Android you can't justify the shortcomings of this "feature".
 