scottp99
join:2010-12-11

Member

Smart Phone PIN not enough, What a Surprise

Hi, I have a Smart Phone running Android and I stumbled on this yesterday.

So here we go:

My phone is set to be locked with a PIN code, but the issue I had is that after plugging the device in to my computer, NOT even entering my PIN to unlock my phone, I could still manage to look at my files. Now, this can be prevented unless the owner of the device disables the ASK ME option, or sets the device storage option to Charge Only rather than Disk drive or Mass Storage under Connect to My PC under Settings.

I was kind of freaked by this.

So my conclusion was that even if this particular Smart Phone device is locked, any thief would purchase a USB cable for that model, plug it in, and without entering the PIN, they can look at the files stored on there from any PC or computer.

SO, two options: Encrypt or disable the Ask Me check box and set to use Charge Only instead of Disk drive as being the default for connecting to a PC with USB cable.

Or....DUHHHH...Don't lose the device in the first place.

sivran
Vive Vivaldi
Premium Member
join:2003-09-15
Irving, TX

My phone doesn't connect as a drive until I tell it to.

HA Nut
Premium Member
join:2004-05-13
USA

HA Nut to scottp99

Just tried my AT&T Galaxy S III running stock Android 4.1.1. It does connect the phone to the PC but does not show any folders or files until unlocked.

trparky
Premium Member
join:2000-05-24
Cleveland, OH
·AT&T U-Verse

1 recommendation

Yes, that behavior changed with the advent of 4.0 Ice Cream Sandwich.

In earlier versions of Android you had direct block-level file system access to the SDCard via USB Mass Storage support. But starting with ICS, access to the SDCard (virtual or otherwise) was changed to MTP (Media Transfer Protocol).

When you plug the phone in, it will show up in Windows Explorer but will not show anything until you unlock the phone. Even if the phone does eventually lock itself, you still have access because once granted, it stays granted until you unplug it and plug it back in.
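
The Mass Storage versus MTP distinction described in the post above can be checked on a given handset from its system properties. The following is an added example, not part of the original thread: it reads `adb shell getprop` text and reports which transport the phone offers. The property names are standard Android ones; the sample dumps, the verdict labels and the rule that builds below API 14 (pre-4.0) count as Mass Storage devices are assumptions of this example.

```shell
# Constructed `adb shell getprop` excerpts ("[key]: [value]"), not real captures.
SAMPLE_OLD='[ro.build.version.sdk]: [10]'
SAMPLE_ICS='[ro.build.version.sdk]: [16]
[ro.crypto.state]: [unencrypted]
[sys.usb.config]: [mtp,adb]'
SAMPLE_UMS='[ro.build.version.sdk]: [15]
[ro.crypto.state]: [encrypted]
[sys.usb.config]: [mass_storage,adb]'

# Print one property value from a getprop dump ($1 = dump, $2 = key).
# Carriage returns are stripped because older adb shells emit CRLF.
prop() {
    printf '%s\n' "$1" | tr -d '\r' |
        sed -n "s/^\[$2]: \[\(.*\)]\$/\1/p" | head -n 1
}

# Summarise USB storage exposure for a getprop dump passed as $1.
usb_exposure() {
    sdk=$(prop "$1" ro.build.version.sdk)
    usb=$(prop "$1" sys.usb.config)
    crypto=$(prop "$1" ro.crypto.state)
    transport=charge-only
    case ",$usb," in
        *,mass_storage,*) transport=ums ;;
        *,mtp,*|*,ptp,*)  transport=mtp ;;
        *)  # Assumption: pre-4.0 builds (API < 14) are treated as Mass
            # Storage devices even when sys.usb.config is not set.
            if [ -n "$sdk" ] && [ "$sdk" -lt 14 ]; then transport=ums; fi ;;
    esac
    # Verdict labels are this example's own shorthand:
    #   block-level  = raw filesystem access, lock screen not in the path
    #   unlock-gated = contents listed only after unlock, per the thread
    case "$transport" in
        ums) verdict=block-level ;;
        mtp) verdict=unlock-gated ;;
        *)   verdict=no-storage ;;
    esac
    echo "transport=$transport encrypted=${crypto:-unknown} verdict=$verdict"
}

# Against a connected device (USB debugging enabled):
#   usb_exposure "$(adb shell getprop)"
```

A `block-level` verdict combined with `encrypted=unencrypted` or `encrypted=unknown` is the case the original poster ran into, where the lock screen PIN does not protect files reachable over USB.
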
scottp99
join:2010-12-11

Member

Scary stuff. I said to myself that this is not good. Something is def. wrong here. So this has been a security concern all along? Correct?

Well, don't lose the phone or Encrypt the files along with the SD card. Or, signing up for a centralized remote wipe and remote lock will also help. Better yet, don't store any sensitive file on the phone.

dib22
join:2002-01-27
Kansas City, MO

1 edit

dib22 to scottp99

Member

I am not seeing this on a Nexus 4 (android 4.2.2)

Plug into computer with passcode on... Windows states "This folder is empty"

Enter passcode and then it will let me browse "internal storage".

What version of android are you running? What make/model/carrier of android phone is it?

NM read post above. Guess they fixed this particular issue.

mackey
Premium Member
join:2007-08-20

mackey to trparky

The internal memory I can see, but blocking access to the SD card is pointless because you can just pull it and use a $1.99 microSD to USB card reader.

/M

sivran
Vive Vivaldi
Premium Member
join:2003-09-15
Irving, TX

1 recommendation

sivran to dib22

My Android 2.x phone doesn't appear to expose anything to Windows even without a phone lock. Not that I've made a detailed, in-depth investigation; it just does not appear as a connected device. I have to poke the connect button to do it.

Clearly this issue was introduced later.

dib22
join:2002-01-27
Kansas City, MO

Member

said by sivran:

Clearly this issue was introduced later.

Or maybe specific to a carrier build.

Faster56
Premium Member
join:2013-03-09

Faster56 to scottp99

In the era of modern technology especially after 9/11 many people are very concerned and worried about loss of privacy across the board in most areas of their life.

I've always said of all the various exposures one's smartphone is the single biggest gateway and exposure in one device or one gateway than anything else.

trparky
Premium Member
join:2000-05-24
Cleveland, OH

trparky to scottp99

I hate to say this but once someone has physical access to a device, all bets are off. Once a bad guy gains physical access to the device that device is as good as p0wned.

Schafer
@optonline.net

Anon

Please Clarify! For the phone whose files became accessible via Windows even with a screen lock, was this with the SD Card Encryption turned on?