For the last 2 weeks, I've been testing a pre-release version of Theft Aware 2.0 - an app that occupies a spot in the familiar Android Security category, alongside WaveSecure, Lookout, and others. And yet, Theft Aware stands so much taller compared to them that they become small, almost invisible, dots. I could hardly contain my excitement and fascination with Theft Aware, but first, I needed to get answers to all of my questions and pass the info to all of you.
The main reason I'm fascinated with Theft Aware is its superb integration with rooted phones. The benefits of Theft Aware's elevated security features on rooted phones are so great that, in my opinion, rooting is worth it (if you haven't done so yet) just to get the full TA experience. In fact, I would put it in the same class as Android WiFi Tether and SetCPU - that's how excited I am.
There is a lot of information, so please bear with me. I recommend you read it in full to get a grasp of just what TA's main developer, Reinhard Holzner, has accomplished.
Before I jump into the walk-through, I want to highlight the top Theft Aware features, starting with the most important ones (marking those possible only with rooted phones accordingly). Note that because I'm reviewing the version running on a rooted phone, your mileage may vary, especially if you don't have root:
- (root) TA installs itself into the system partition, even on phones with NAND protection, meaning it will not be affected by even full system wipes/resets. The only way to get TA off the phone is by deleting the app via adb, if you know exactly what you're looking for (more on this later), or by flashing a new ROM.
- (root) I never thought I'd say this, but phones with locked NAND, like the EVO 4G, actually benefit from the read-only nature of their system partition - in this case, the only way to remove Theft Aware is by doing so from recovery via adb.
- (root) That's right - TA can install itself using the update.zip method - the same method used by the OS to upgrade itself. The app generates and signs a custom update.zip package on the fly during installation or writing secure settings. Can you say "brilliant?"
- (root) Moreover, it detects and integrates with ROM Manager to make installation (i.e. flashing the update.zip) a snap.
- (root) The app is completely invisible not just in the app launcher (any app can do that already), but also in the app manager (Settings > Applications > Manage).
- (root) Moreover, if a thief starts Theft Aware and finds it in the "currently running apps" section of the app manager, he or she will not only fail to uninstall it (see above for why), but also won't be able to delete any of its settings by pressing "Clear Data" - all settings are written to /system the same way as the app itself and are wipe-proof.
The above features immediately captured my attention, but the list doesn't stop there. We're just getting started.
- TA does not require a data connection to operate - all controls are done using SMS (more info below), which works anywhere you have reception.
- There are a variety of remote commands TA can receive and understand via this SMS mechanism. For example, WIPE, LOCK, UNLOCK, SIREN, setting of any option, and even custom commands you can make yourself by programming your own Android activities or services. There is also one more command that deserves its own special bullet point. It's up next.
- You can make the phone secretly dial you and spy on the thief by listening in on the surroundings. This command is called CALL, and it's pure genius.
- Since the app disappears from the list, the only way to get into it is by dialing a special code that you set yourself during the setup phase. For example, if you set your code to 2222, you go to the Dialer app, press 2222, Call, and voila - Theft Aware starts up. This code authenticates all SMS control messages from the previous step, by the way, so don't let anyone find it out.
- (root) TA can install itself as a special device admin, which is a feature introduced in Android 2.2 that allows full wipe, including emails, texts, apps, and anything data-related, including your SD card. On non-rooted phones, this gets rid of Theft Aware as well, but on rooted devices, the app survives.
- During the installation, TA asks you if you want to customize its application name, so that an unsuspecting thief would never even think twice about something like "EVO 4G camera driver." This doesn't yet change the internal package name, but Theft Aware's developer liked the idea and is thinking of doing this in the future. This feature doesn't really matter on rooted phones, by the way, as, if you remember, TA is completely invisible there.
- For phones with SIM cards, tracking and locking can be initiated on SIM change, rather than manually.
The rest of the features are not as mind blowing, but they do deserve a mention nonetheless:
- GPS is enabled automatically + GPS icon hides while the app is determining the phone's position (root is required for this on some phones, as it doesn't work without root 100% of the time).
- Ability to lock either all phone settings or just the program manager. I actually changed it to lock all settings, and then spent 2 days wondering why the heck I couldn't load the phone's Settings screen at all (oops!). This is an extra precaution, to be used by the most paranoid among us.
- Application updates are presented only if a trusted SIM card is present. It is recommended to disable these for phones without SIM cards, like those on the Sprint network, to avoid giving a thief any hints.
- Version 2.0 underwent 5 months of beta testing, just so you know how polished the functionality is.
- The company blog contains useful things, such as this detailed list of all permissions used by the app - something I appreciated a lot: http://theftaware.blogspot.com/2010/09/theft-aware-permissions.html
What an impressive list, isn't it? Enough with the features, however. Let me show you what Theft Aware looks like and how it performed in my testing.
Theft Aware integrates deeply into your Android device and sits there, invisibly and securely, listening for incoming SMS messages containing application directives. This behavior is radically different from software like Lookout or WaveSecure, which provide you with an online interface and an account - just read this account of a severe vulnerability in WaveSecure to understand why that may be a bad idea. Theft Aware's strength is its independence from an Internet connection: it relies exclusively on SMS messaging. No accounts are created and no data is stored on remote servers.
A lot of hard work went into making the installation, which happens to be one of the most important steps in Theft Aware, streamlined and robust. Here is what it looks like:
In the screens above, as you can see, the Theft Aware installer went through the steps of securely installing the app to the /system partition (it could write directly, as I'm fully rooted), customizing its name, entering stealth mode, and setting up a personalized PIN code, used later on for program access and SMS authentication.
Upon the first reboot, Theft Aware completely disappeared from all app lists, just as promised. In order to pull it up, I opened the Dialer, punched in my secret PIN, and pressed Dial. Theft Aware sprang into action and showed me its settings screens. Before that, however, it offered to become a device admin, which is a new feature in Froyo, giving full wipe capabilities. Kind of scared, I accepted the prompts:
The settings screens follow:
In the settings, I could enter 2 phone numbers and optionally lock down communication to Theft Aware to only these recognized numbers, for additional security. I could also customize the lock message, the sound, map type, and various other options. Pressing Menu > Advanced exposed a testing menu, including theft event simulation, lock simulation, and sending of a test SMS message.
To test the most interesting functionality, I started by sending the device a LOCK command. The lock feature, as it turned out, was bulletproof and did not give in to anything but the actual PIN code. I tried every button on the phone, including the volume keys. Restarting also didn't help - the siren kicked right back in upon reboot. Here's what this whole circus looked like:
The 2nd feature I tested was the one that kept me the most intrigued since the beginning - the call spy. After sending the CALL command from my wife's Palm Pre, I indeed received a phone call from the EVO and could hear everything that was going on at the other end. Brilliant.
There were only 2 hiccups, which, unfortunately, cannot be currently worked around:
- Throughout the spy phone call, the EVO seemed completely dead - the screen turned off and none of the buttons could turn it back on. It was basically a dud, which is a lot better than showing the dialer app, but could still alert or puzzle a thief.
- If I put the EVO next to my ear, I could hear what was going on at the other end - the communication was 2-way, and the EVO's earpiece volume was not muted. You should definitely be aware of this and mute yourself, because a thief could hear you. Moreover, when I intentionally denied the call to see what would happen, I distinctly heard the voicemail greeting coming out of the EVO's earpiece speaker.
All in all, a pass with flying colors.
The last command I tried was UPDATE, which is supposed to send the current info about the missing device, including its current tower and exact location. The only complaint I had, and I am blaming the Pre here, was that the info SMS was received in 3 separate chunks, even though most smartphones nowadays can decipher and put together a multi-part message longer than 160 characters. After some assembling, the URL to the map showed my location with a very precise accuracy of 6 meters.
A fun fact: according to Theft Aware, there is a semi-secret way of determining the device's position even if GPS could not be activated. The method is based on deciphering the cell tower information and is not very accurate, but better than nothing nonetheless.
Wipe, And Other Features
I have not tested wipe and the rest of the features, such as getting contacts or SMS history, because, even though I have nandroid backups, I didn't feel like spending half an hour restoring. I am pretty confident that those all work as expected.
During my testing, the app notified me of an update, which was performed internally and without any problems.
Note: rooted phone owners need to restart their devices after a successful update.
With all the amazing upsides listed above, there must be some downsides as well, right?
- Theft Aware is not open source. Understandably, it's a commercial product with lots and lots of love poured into it, so getting access to the code is out of the question.
- The level of integration is so deep, especially with root, that it could get kind of scary. There is no way to tell what the app is really doing, other than to sniff all the traffic, if any, which I have not done. We have to trust the app's creators, but then again, we have to do so with most apps out there. After doing some research and talking to the company's CEO, I found it to be quite legitimate - ITAgents is a GmbH (our equivalent of an LLC) registered in 2004 in Austria by Reinhard Holzner. In addition, the company has been doing business with many happy Symbian users for years now, before conquering Android.
- The license, which is 10 Euros, is not a downside on its own. However, the fact that it's tied to a physical device (using its IMEI) and not a user is a bit of a downside. This means if my EVO breaks or if I lose it, the replacement phone would need its own license.
Documentation And Support
Theft Aware comes with an excellent user guide, which includes all supported control commands. You can find the v2.0 document right here.
A support forum where you can post questions is available here.
Download Theft Aware from TheftAware.com or from the Market by using the following QR code:
The app is shareware, which means you need to acquire a 10 Euro license after the trial period, which you can do from here.
Wow, this review turned out to be a lot longer than I expected it to be (it took 5+ hours to write), and after interacting with Theft Aware for over a week, I feel like it has almost become a part of my family.
What Theft Aware developers have accomplished here is something no other security app out there has, in my opinion - a robust, stealthy app, with levels of system integration so deep that I am afraid I wouldn't be able to find it one day myself.
With the app living invisibly on my phone, I have full confidence that, unless stolen by a pro, I will be able not only to recover the device, but also to find the perp and have him arrested.
P.S. Maybe if you ask nicely, we'll even do a giveaway.