
Google Takes a Page From Apple With Android Theft Protection

Later this year, Android phones will require biometric authentication before disabling theft protection or accessing stored passkeys when the device is outside your trusted locations.

May 15, 2024
A collage of Google-provided screenshots showing Android's upcoming sensitive-settings protection, remote-lock feature and cell-encryption warning (Credit: Google)

MOUNTAIN VIEW, Calif.—With a new set of features coming to most releases of its mobile OS, Google plans to make an Android device much less useful when it’s in the wrong hands—or even in your own hands while you’re under duress. 

Android Theft Protection, announced Wednesday at Google I/O, addresses the same unpleasant use case as the Stolen Device Protection Apple shipped with iOS 17.3: A criminal has not only taken your phone but obtained control over it by getting your screen-unlock passcode through surveillance, deceit, or the threat of violence. 

And since that code usually also unlocks authentication methods saved on the device, such as in a password manager, a victim’s losses can extend far beyond the loss of an expensive phone.

To deal with the case of a passcode purloined through shoulder surfing or social engineering, Google will ship an update to "select devices later this year" that will require your biometric authentication before changes can be made to such high-leverage settings as disabling theft protection or accessing stored passkeys any time the device is outside your trusted locations.  

If somebody has simply snatched your phone while its screen is unlocked, another update will require your passcode or biometric authentication to extend the screen timeout period or disable the Find My Device feature, which lets you remotely wipe a lost phone or tablet.

An additional fix, Theft Detection Lock, will come into play in that theft scenario by using the phone’s accelerometers and other sensors to detect "a common motion associated with theft"—as in, the phone moves suddenly and then is in the possession of somebody running, biking, or driving away—and locking the phone's screen automatically.

And if a thief attempts to take a stolen device offline to defeat Find My Device, a new Offline Device Lock will operate locally to lock the screen automatically. If you can’t remember your Google account password to trigger Find My Device’s remote wipe, you’ll be able to invoke a Remote Lock override from any other device by providing your phone number and answering "a quick security challenge" to get more time to recover those credentials.

The above features will arrive via updates to Google Play Services, a set of system libraries that Google can patch automatically even on ancient phones; Google only dropped Play Services support for the 2013-vintage Android 4.4 KitKat last July. In this case, the added theft defenses are coming to devices running at least the 4-year-old Android 10.

Android 15 Tackles Social-Engineering Attacks

The upcoming Android 15 will bring two additional lines of defense against device theft. Its version of Android’s factory-reset procedure will block a thief from setting up a reset device from scratch without "your device or Google account credentials," which Google says "renders a stolen device unsellable." And you’ll be able to create a private space, secured with a separate passcode, for your most critical apps.

A post on Google’s security blog by Dave Kleidermacher, VP of engineering for Android security and privacy, outlines additional countermeasures in Android 15 for network-level attacks. 

One set takes aim at social-engineering attacks that begin with requests to share your screen by automatically hiding notifications that display one-time passwords or codes—which Android 15 will also hide from notifications in general—and blanking the entire shared screen while you enter usernames, passwords, and credit card numbers. 

Another set will warn users of compromised cellular networks, either because the connection to the nearest cell tower is unencrypted or because the phone is now on “a potential false cellular base station or surveillance tool.” Kleidermacher’s post specifies that “at-risk users like journalists or dissidents”—which reads as shorthand for people enrolled in Google’s Advanced Protection Program—will get the latter warning.

Kleidermacher notes that these two features will require “device OEM integration and compatible hardware,” which suggests that future Pixel phones will get them first. Note also that cell site simulators, sometimes called “IMSI catchers,” have a long history of use by law enforcement.

Finally, an update to Google Play Protect will leverage the Private Compute Core on some newer Android phones to perform on-device-only analysis of app behavior to watch for sketchy use of permissions or interactions with other software—if necessary, flagging the app in question for review by Google and warning the user about it. This feature should come to Pixel, Oppo, Honor, Lenovo, OnePlus, Nothing, Transsion, and Sharp devices “later this year,” the post says.


About Rob Pegoraro

Contributor

Rob Pegoraro writes about interesting problems and possibilities in computers, gadgets, apps, services, telecom, and other things that beep or blink. He’s covered such developments as the evolution of the cell phone from 1G to 5G, the fall and rise of Apple, Google’s growth from obscure Yahoo rival to verb status, and the transformation of social media from CompuServe forums to Facebook’s billions of users. Pegoraro has met most of the founders of the internet and once received a single-word email reply from Steve Jobs.
