Android Device Manager is an app service from Google that allows a stolen phone to be remotely located, locked and/or erased. It is a useful app that can act as a first line of defence to protect one’s private data when a mobile phone or tablet with an internet connection is stolen. That being said, the app has some limitations and considerable security flaws which, if addressed, could make it a killer app.
Here are my suggestions for 6 features that could improve the Android Device Manager for scenarios where a phone has been stolen rather than being lost or misplaced:
1. Require logging in to use it
In Android Device Manager’s current state, if a phone is stolen, the thief can just open the app on the stolen phone and maliciously erase all of the victim’s other Android devices running the app. To prevent this, the app should only be accessible by logging in. Additionally it should not allow a user to login with his own account into his device, which brings me to my next point:
2. Let user login with another account
Logging in to Android Device Manager with your primary account that you use on your phone defeats the purpose of recovering the phone and erasing it should it get stolen (unless you have access to a desktop computer or another device and you login to the web interface of the service). If I have a friend wih an Android Phone, I should have the ability to briefly log in to my account from his phone and check the position of my stolen phone from his device manager. This way the victim still has the ability to wipe or lock the lost or stolen phone even if he does not have a second android device or access to a PC.
3. Make it a sysem app so that it cannot be uninstalled easily
A tech-savvy thief can simply uninstall the Android device manager app and after that there is no way of tracking your expensive stolen phone. If it was converted into a system app, then there would be no way of uninstaling the app without first rooting the device.
Limitations: a tech-savvy thief would probably just delete your Google account and replace it with his. After that you can just kiss goodbye to your phone because Android Device Manager is entirely dependent on your Google account. The thief could Which brings me to another point:
4. Check IMEI and log it so that if thief wipes phone he can still be caught
As mentioned in the limitations to point #3, it might make sense to explore an alternative way of locating the devce instead of being entirely dependent on the phone having a data connection and being logged in to a specific Google account. Things such as the IMEI of the phone, the MAC address of its WiFi or Bluetooth radios, serial number, etc could be logged and used to track the device in case the thief changes to his own Google account or factory-resets the phone.
5. Enforce a lock screen policy for devices running the Android Device Manager
Although this is written as the last point, it is probably one of the most important in ensuring the integrity of your private data when your phone gets stolen. A locked screen ensures that you have a first line of defence and will discourage the majority of petty thieves. They will not be able to use the phone to make calls but your data connection will remain on since they cannot change settings to turn off the data connection.
Limitations: unfortunately, the clever thief can still turn off the phone despite the screen being locked by long pressing the power button. They could also put the phone into airport mode, thereby disabling the data connection until they get to a computer where they can factory reset the phone via ADB (if it is enabled).
6. Include ability to erase SD card
Most non-Nexus Android devices still use microSD cards for memory expansion. Unfortunately, this is where the most important data such as photos, documents, videos, and other sensitive files are saved. It is therefore very important to have the ability to erase external memory remotely when a stolen device is located. The current implementation of Android Device Manager only erases internal memory.
It is important to note that all these suggestions, if implemented, can deter petty thieves, but there is nothing that will stop a professional phone thief from getting away with your phone and your data. Here is why:
– Despite having a lockscreen password, the phone can be turned off or put into airport mode using the power button.
-After turning off the phone, the thief can boot into recovery and factory reset the phone, thereby deleting the lockscreen password and creating a new Google account. He still has access to the data on the SDCard.
– If the phone has ADB enabled and/or “Allow installation of apps from unknown sources” enabled, he can basically do whatever he wants with the phone and the data on it if he is technically competent.
It might also be a good idea if Android Device Manager had the ability to disable ADB when the phone is not connected to USB and request a password to enable ADB when the phone gets connected to the USB.
Android Device Manager still remains a useful app, but mostly for misplaced or lost phones that have not yet gotten into the wrong hands yet. In this scenario, the owner can just lock or wipe the phone as a precaution.