Android Marshmallow's Factory Reset Protection may be useless on your smartphone
Last year, Google introduced a kill switch in Android to prevent lost or stolen handsets from being reused. Formally known as Factory Reset Protection, this security feature has been designed to, among other things, only allow the intended owner to use the device after a factory reset has been performed. In theory, it is a great idea, so much so that some markets have actually made a kill switch mandatory, in an attempt to deter smartphone theft.
In practice, however, Factory Reset Protection is not as effective as you might expect -- it can be bypassed on the latest version of Android, 6.0.1 Marshmallow, and in the latest Android N preview.
The process of bypassing Factory Reset Protection involves quite a few steps, but it can be easily replicated by anyone with a couple of minutes to spare and, of course, a device running Android Marshmallow or N. It has been proven to work on a Nexus 6P, but it may also work on other smartphones.
The Factory Reset Protection bypass was initially shown to work on Android 6.0 Marshmallow with the January security update applied, but Android Authority has confirmed that the security bug is still present in the February update.
This is disconcerting, to be honest, because if you remove this feature from the equation, there is nothing stopping a thief or a malicious person from factory resetting your device and selling it afterwards -- and such people are likely to be more skilled and more willing to try this than the average person.
Now you may be wondering how this affects Android Marshmallow with the March security update installed. Sadly, I have been unable to test the bypass as the only device that I own with this exact configuration of Android is my 2013 Google Nexus 7. The bypass relies on the Messaging and Phone apps to be installed, which is not the case with my tablet.
Google says that the March security update fixes an "Elevation of Privilege Vulnerability in Setup Wizard", which is another integral part of the bypass. However, Google claimed the same thing in the January security update. In both cases, the description of the fix is: "An elevation of privilege vulnerability in the Setup Wizard could enable an attacker with physical access to the device to gain access to device settings and perform a manual device reset. This issue is rated as Moderate severity because it could be used to improperly work around the factory reset protection".
However, even if Google has finally fixed this security bug, there is a very good chance that many users are either stuck with an older monthly security update or have yet to install the March update. On my Nexus 7, for instance, I only received the latest monthly update a few days ago, even though its rollout started closer to the beginning of the month.
Rootjunky.com, who revealed the bypass, has actually shown how Factory Reset Protection can be bypassed on a number of smartphones from Google, LG and Samsung, so the issue affects quite a few users. In the case of non-Nexus-branded smartphones, things are even more serious because, even if a patch exists, it will usually have to receive carrier approval before being rolled out. And that can take a bit of time.
Another thing that is worth pointing out is that, for instance, Samsung has promised that it will deliver monthly security updates, but at least on my girlfriend's Galaxy S5 the company has failed to keep its word. The device is neither carrier-branded nor locked, but the last update released for it dates back to October of last year. (Even worse, it is still stuck on Android Lollipop, which is a year older than Marshmallow.)
This whole thing is a huge mess, as you can see.