How to Protect Your Smartphone from Data Extraction: Anti-Forensics Guide

Anti-Forensics: How to Protect Your Smartphone from Data Extraction

Many articles on smartphone security repeat the same basic advice: use a strong lock code, enable fingerprint sensors, disable Smart Lock, turn on two-factor authentication, and update to the latest OS version. While these steps are necessary, they are far from sufficient. Even with a strong lock code, if your phone uses full-disk encryption (FDE) and you haven’t enabled Secure Startup, the encryption may still rely on a default password, making your data vulnerable. Disabling Smart Lock is important, but are you sure your device’s face recognition is secure? Did you know that someone can extract all your cloud passwords from your computer and then reset your phone’s lock code remotely? (This doesn’t work for all devices, but it’s a risk worth knowing about.)

Most importantly, if someone gets your cloud account password (Google, Apple, or Samsung) from your computer, they may not even need your phone—an expert can extract all your data from the cloud, often more than what’s stored on the device itself.

This article skips the usual “set a lock code” or “update your OS” tips (you’ve done that already, right?) and instead explains the full range of “heavy artillery” that law enforcement and forensic experts can use to extract data from your phone. You’ll learn how to better protect your data and understand the risks that remain even if you do everything right.

How Your iPhone Can Be Hacked

The difficulty of hacking an iPhone depends on several factors: the installed iOS version, the complexity of your lock code, and the device’s state (on/off, USB restricted mode, etc.).

iOS Versions Matter

If you’re still on any version of iOS 11, you’re at risk: both brute-force lock code attacks and fast physical data extraction are possible. The complexity of your lock code and the device’s state affect how quickly a brute-force attack can succeed.

  • If the phone is off: Brute-forcing is very slow (one attempt every ten seconds). A six-digit code is strong protection.
  • If the phone is on and has been unlocked at least once: The first 300,000 codes can be tried quickly; a four-digit code can be cracked in about 30 minutes. Use a six-digit code.
  • If you activate SOS mode (holding power and volume): The phone returns to “slow” brute-force mode. Again, a six-digit code is strong protection.

iOS 11.4.1 introduced USB Restricted Mode, which disables USB data access an hour after the last unlock, blocking brute-force attacks. However, rumors suggest forensic tool developers may have found ways around this. The best advice: update to iOS 12 or later.

iOS 12 and Later

Apple closed many vulnerabilities in iOS 12, especially improving USB Restricted Mode. Now, the USB port disables data transfer as soon as you lock the screen (unless you’ve connected to a computer or accessory in the last three days). SOS mode also disables the USB port.

However, some vulnerabilities from iOS 11 persisted up to iOS 12.1.2, allowing full file system access if the phone is unlocked. iOS 12.1.3 fixed some, but only iOS 12.1.4 (the latest at the time of writing) fully protects against known exploits. So, always update to the latest iOS version.

What Happens If Police Get Your Unlocked iPhone?

In most cases, police will simply try to extract as much information as possible from your unlocked phone. They may:

  • Manually browse your social media, messages, SMS/iMessage, and photos.
  • Extract Health app data, which can reveal your movements and activities.

Routine detentions have sometimes led to arrests based on information found on smartphones. The only way to prevent this is to never hand over an unlocked device. You can refuse to unlock your phone (except in certain situations, like at border crossings).

Even with an unlocked screen, without the lock code, police can’t view passwords in Keychain, disable Find My iPhone, reset your iTunes backup password, or connect the phone to a computer. Forensic tools like GrayKey can extract a file system image from devices up to iOS 12.1.3, but iOS 12.1.4 closed this vulnerability (for now).

If you set a backup password and protect it with a Screen Time password, you’re safer. Screen Time isn’t foolproof, but it slows down brute-force attempts to one try per hour after ten failed attempts.

How Your Android Smartphone Can Be Hacked

As with iPhones, police may try to force you to unlock your Android device. If you do, they’ll have access to:

  • All content on your memory card (virtual and physical), including photos and videos
  • Email, messenger chats, SMS texts
  • All passwords saved in Chrome (including your Google Account password—check if it’s there!)
  • Detailed location history
  • Google Fit data
  • Call logs and contacts

Cracking the Lock Code

It’s hard to generalize about hacking Android devices because there are thousands of models, chipsets, and firmware versions. The effectiveness of a lock code depends on the encryption method used:

  • Full Disk Encryption (FDE): Common in older devices, often uses a default password for encryption. However, the encryption key is generated inside the Trusted Execution Environment (TEE) and is unique to each device, making data extraction difficult without specialized tools.
  • File-Based Encryption (FBE): Used in newer devices, encrypts most personal data with your lock code. No Secure Startup mode is needed.

For both FDE with Secure Startup and FBE, cracking the lock code is necessary to decrypt data. Qualcomm’s TrustZone and GateKeeper hardware limit brute-force attempts, making it nearly impossible to quickly guess even a four-digit code, and a six-digit code is even stronger.

Some exploits exist for older Qualcomm processors (up to Snapdragon 821), but they are difficult to use and require custom code for each device. For newer devices (Snapdragon 835 and up) with FBE, no known exploits work, and brute-forcing is extremely slow.

How to Check Your Encryption Type

To check your device’s encryption, run this command via ADB:

$ adb shell getprop ro.crypto.type

  • If it returns file, your device uses FBE.

How to Protect Your Android Device

  • If using FBE: Set a lock code of at least six digits and disable USB Debugging.
  • If using FDE: Enable Secure Startup by removing your current lock code, setting a new one, and confirming Secure Startup when prompted. Also, disable USB Debugging.
  • You generally can’t switch from FDE to FBE except on a few older Google devices.
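An added example (not code from the original article) that scripts the ADB check above and prints the matching advice from this list, plus the age of the security patch level. It assumes the properties ro.crypto.state and ro.build.version.security_patch and the value block for FDE, none of which appear in the article; the function names are illustrative.

```shell
#!/bin/sh
# Added example, not from the original article. Helpers are pure; only
# audit_device talks to the phone.

# classify_encryption STATE TYPE -> fbe | fde | unencrypted | unknown
# STATE = ro.crypto.state, TYPE = ro.crypto.type ("file" = FBE, "block" = FDE)
classify_encryption() {
    if [ "$1" = unencrypted ]; then echo unencrypted; return; fi
    case "$2" in
        file)  echo fbe ;;
        block) echo fde ;;
        *)     echo unknown ;;  # property empty or unrecognised
    esac
}

# advice_for KIND -> the article's recommendation for that encryption kind
advice_for() {
    case "$1" in
        fbe) echo "FBE: use a lock code of at least six digits; disable USB Debugging" ;;
        fde) echo "FDE: re-set the lock code and confirm Secure Startup; disable USB Debugging" ;;
        unencrypted) echo "Unencrypted: the lock code does not protect stored data" ;;
        *) echo "Unknown: check the encryption status in the Settings app" ;;
    esac
}

# patch_age_months PATCH TODAY (both YYYY-MM-DD) -> whole calendar months, or "unknown"
patch_age_months() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-*) ;;
        *) echo unknown; return ;;
    esac
    py=${1%%-*}; pm=${1#*-}; pm=${pm%%-*}
    ty=${2%%-*}; tm=${2#*-}; tm=${tm%%-*}
    # strip a leading zero so "08" is not parsed as octal
    echo $(( (ty - py) * 12 + ${tm#0} - ${pm#0} ))
}

# audit_device: query the connected phone (USB Debugging must be on for this)
audit_device() {
    state=$(adb shell getprop ro.crypto.state | tr -d '\r')
    ctype=$(adb shell getprop ro.crypto.type | tr -d '\r')
    patch=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    advice_for "$(classify_encryption "$state" "$ctype")"
    echo "Security patch: ${patch:-unknown}, months old: $(patch_age_months "$patch" "$(date +%Y-%m-%d)")"
    echo "Turn USB Debugging off again when done."
}

# Touch the device only when called as: sh audit.sh run
if [ "${1:-}" = run ]; then audit_device; fi
```

Because the check itself needs USB Debugging, run it once from a trusted computer and switch debugging off afterwards.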

General Security Recommendations

  • Set a lock code (at least six digits). Check if your device uses FDE or FBE; if FDE, enable Secure Startup.
  • Disable USB Debugging. If it’s on, all other protections are useless.
  • If your phone has an OEM unlock option in Developer Settings and you don’t plan to unlock the bootloader, turn it off.
  • Set your USB connection mode to “Charge only” by default to prevent copying data from a locked phone.
  • Keep your OS and security patches up to date, but be aware that many manufacturers delay updates.
  • Disable all forms of Smart Lock, especially face unlock (unless your phone uses secure 3D scanning).
  • Set your phone to lock immediately after the screen turns off (Settings → Security & Location → Automatically lock → Immediately).
  • Don’t allow installation from unknown sources unless necessary. In Android 8+, manage this per app in Special app access.
  • Review app permissions, especially for apps with access to camera, microphone, contacts, SMS, or location.
  • Don’t store your Google Account password in Chrome—it’s the first place attackers will look.
  • Enable two-factor authentication for your accounts.
  • Check for apps with Device Admin privileges and remove any unnecessary ones.
  • Be aware that some manufacturers include analytics or even backdoors in their firmware. Limit their internet access if possible.

About Delayed Locking

Delayed locking (where the phone doesn’t lock immediately after the screen turns off) greatly reduces security. If you’re stopped by police and your phone is confiscated while still unlocked, all your protections become useless. On iOS, if you use Touch ID or Face ID, the only available option is to lock immediately after the screen turns off. If you disable biometrics, other options become available, but some may be restricted by security policies.

For more advanced anti-forensics tips and updates, check the continuation of this article on the original source.
