Android Security – Giving Google Your Phone Number

Çağlar Arlı

While setting up my Android account on my phone, I am asked:

If you like, you can add this phone's number to your account ....

...for example your number will be used to:

Reset your password if you forget it ...

How is that in any way secure? So if someone picks up my phone and requests a password reset, it will be sent straight into their hands? By default, notification content is displayed on the lock screen, and that would include a short password reset SMS.

Now, I realise that physically losing your hardware is never a good thing from a security perspective, but let's look at some of the measures that are in place to protect you in the event that your device does fall into the wrong hands:

  • Users are encouraged to set a lock screen during setup
  • Account password is never stored on device, tokens are used instead
  • By default, debugging and bootloader unlock are disabled, and screen unlock is required to enable them
  • Even when debugging is enabled, screen unlock is required to add a new debugging client
  • Unlocking bootloader causes factory reset

All of the above seem to be undermined by the fact that with the default settings, you can display a password reset token on the lock screen.

Surely Google aren't that stupid? What am I missing here?