With Android 5.1, Google revealed that it was releasing a new feature for handsets called Device Protection. This anti-theft feature makes it basically impossible for a thief to use your phone in the event it is stolen and wiped. First things first, though: how do you get this feature?

Right now (as in, at the time of this article), there is a single device with the feature currently enabled: the Nexus 6. The Nexus 9 will get device protection as well, but its Android 5.1 update has not yet rolled out. Nexus 4, 5, 7 (2012 and 2013), and 10 will not receive the factory reset Device Protection feature. Allegedly, no phone or tablet that did not ship with Android 5.1 or higher out of the box will receive the factory reset protection feature (again, except Nexus 6 and Nexus 9), at least according to Google at this time.

However, Google's support site says the info applies to devices that have 5.0 or higher preinstalled (as in shipped with), so it's not clear whether devices that shipped with 5.0 and later upgrade to 5.1 (or higher) will then get it. Unfortunately, Google didn't provide a satisfactory response to this question. We'll see how it ends up going down when 5.0 hardware starts getting 5.1 updates.

With that in mind, how do you use this tool, and how protected does it keep you?

Activating and using Device Protection

Activating Device Protection actually requires almost nothing from you. Here are the prerequisites for it to function, though:

  • Eligible device (see above)
  • Secured lock screen (PIN, pattern, or password all work)
  • Signed into at least one Google account on the device

If you already meet these requirements and are running Android 5.1 on a Nexus 6 or Nexus 9, congratulations, you already have Device Protection. But how do you know you have it? There actually aren't any management settings for Device Protection anywhere exposed to the user, so figuring out how to check the status of the feature on your device isn't immediately obvious.

The easiest way to check is just to go to security options in settings, and then switch your lock screen from a secure to non-secure (swipe or none) mode. At this point, you should get a dialog that looks like this.

However, devices that are not fully supported will also see this message. Nexus 4, 5, 7 (2012 and 2013), and 10 should all show this prompt, but according to Google none of those devices will have Device Protection's factory reset protection. Device Protection is a larger suite of features (Google isn't saying what that suite includes; maybe they mean trusted BT / face unlock too), but the primary feature is obviously the anti-theft stuff, which you will not get if you don't have a Nexus 6 or 9, or a device that shipped with Android 5.1 (maybe 5.0, but we don't know for sure). (Side note: this does not appear to include Android One devices, either.) So, yes, you will see this prompt on older Nexus or GPE devices, but no, that does not mean you have Device Protection's factory reset protection feature. This feature is only available, for the moment, on Nexus 6 and 9, and Google is saying it will not trickle down to older devices.

If you don't get that dialog, you probably don't have Device Protection or have unlocked the bootloader of your device.

How does Device Protection protect my device?

Let's break this down into subsections, because there are multiple ways in which Device Protection can keep you secure.

What if someone steals my phone and tries to wipe it?

Put simply, Device Protection makes wiping your phone after it is stolen or otherwise taken out of your custody a bad idea for would-be thieves. A factory reset initiated from recovery on a device with Device Protection will successfully erase the device, but at that point something new happens: in order to boot the OS, Android will require you to connect to the internet and then enter the account password of the last Google account on the Android device. If you have multiple accounts on the device, it should default to the "primary" Google account on your device, which is typically the one you signed into first. Regardless of which it chooses, you should know the passwords to all your synced Google accounts if you want to use Device Protection.

Basically, Android is likely storing a cryptographic key (or something similar) in a secure area of the device that survives resets, and that key is decrypted by a key sent from Google once you submit your login credentials (an internet connection is required to re-authorize the device). If the thief can't enter the account password, the device will never fully boot, making the stolen hardware worthless for anything but spare parts (and who wants used phone parts?).

What if my phone is stolen and the thief can get past the lockscreen?

Let's say a thief steals your device but the lock screen isn't active (e.g., you were using trusted Bluetooth when it was snatched, or had a long screen lock timeout). Can't the thief just go in and remove your Google accounts, thereby disabling Device Protection? Nope. While the device will allow you to remove all but one Google account in settings without any sort of extra authorization, when you attempt to remove the last Google account on the phone or tablet, you will be asked to verify your PIN, pattern, or password.

Any phone or tablet with Device Protection will also require you to enter that PIN, pattern, or password any time you want to add a new Google account to the device (or initiate a factory reset from inside the OS). This is so that a thief can't add their own Google account to the device and then remove yours so that they know the Device Protection password.

The downside, of course, is that a thief still has access to all your stuff as long as they don't let the screen lock, which is bad, and could allow them to do things like reset your Google password since your mobile phone is likely the device you've linked to Google for 2-factor password recovery authentication. This leads us to the next "what-if."

What if a thief knows my Google password / successfully resets it?

This is obviously a worst-case scenario, but Google does give you some protection here. The moment your Google account password is changed, Device Protection starts a 72-hour timer on your protected device. For that 72 hours, if the device is wiped, the account in question cannot be used to sign into / unlock the phone. Here, by the way, is what the sign-in UI after a wipe now looks like (this example uses 2-factor authentication).

This may sound a bit random, but remember: removing a Google account from the device itself (and thus disabling protection) requires your PIN, pattern, or lock screen password. A thief is unlikely to guess this (if they do, you're, as we say in the business, screwed). This means if a thief changes your Google password, you'll have 72 hours to get control of your account back and prevent them from signing into the wiped phone. If they successfully sign in after a wipe, Device Protection is disabled, so this three-day buffer is potentially quite important.
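The rules from the last three subsections, written out as a toy model you can step through. This is an added example, not Android's code and not part of the original article; the class, method names, account addresses and PIN are constructed, and treating the first account as "primary" and checking the 72-hour window at sign-in time are assumptions.

```python
from datetime import datetime, timedelta

LOCKOUT = timedelta(hours=72)  # window the article gives after a password change

class Device:
    """Toy model of the article's rules; not Android's implementation."""
    def __init__(self, accounts, lock_secret):
        self.accounts = list(accounts)   # assumption: first entry is "primary"
        self.lock_secret = lock_secret   # PIN, pattern or password
        self.required_account = None     # set when wiped with an account present
        self.password_changed = {}       # account -> time of password change

    def add_account(self, account, secret=None):
        if secret != self.lock_secret:   # adding always needs the credential
            return False
        self.accounts.append(account)
        return True

    def remove_account(self, account, secret=None):
        if len(self.accounts) == 1 and secret != self.lock_secret:
            return False                 # only the last account is guarded
        self.accounts.remove(account)
        return True

    def reset_from_recovery(self):       # the wipe itself needs no credential
        self.required_account = self.accounts[0] if self.accounts else None
        self.accounts = []

    def sign_in_after_reset(self, account, password_ok, now):
        if self.required_account is None:
            return True                  # no account was bound before the wipe
        if account != self.required_account or not password_ok:
            return False
        changed = self.password_changed.get(account)
        if changed is not None and now - changed < LOCKOUT:
            return False                 # assumption: window checked at sign-in
        self.required_account = None
        return True

def thief_walkthrough():
    t0 = datetime(2015, 3, 12, 12, 0)    # constructed timestamp
    owner = "owner@example.com"          # constructed account
    d = Device([owner], lock_secret="4821")
    out = {"add": d.add_account("thief@example.com"),
           "remove_last": d.remove_account(owner)}
    d.password_changed[owner] = t0       # Google password reset by the thief
    d.reset_from_recovery()
    for h in (1, 73):
        out[f"after_{h}h"] = d.sign_in_after_reset(owner, True, t0 + timedelta(hours=h))
    return out
```

The walkthrough returns `False` for everything except the sign-in at 73 hours, which is why the owner's window to recover the account matters.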

Does Device Protection help me get my phone back?

No. Android Device Manager is still the tracking and remote wipe tool you should use for this, and Device Protection does not actively integrate with this service so far as I can tell. And yes, if you wipe your phone in ADM, you will still not be able to locate it after the reset completes. Device Protection will survive a remote wipe, but Android Device Manager still will not, and you will lose your phone's location. Additionally, if a thief performs a factory reset from recovery, Android Device Manager will not survive that, either.

Device Protection is a deterrent and lockout tool; it does not provide any location or remote access functionality.

Does Device Protection work if I have an unlocked bootloader?

Edit: It's not clear. It appears that even with an unlocked bootloader, Device Protection still functions (even if you get a scary message saying OEM Unlock will disable it). I think the rub here is that if you do run with an unlocked bootloader, Google is basically saying all bets are off in regard to efficacy or survivability of Device Protection features. You're on your own. It may work just fine, but a potentially very savvy thief may be able to exploit the fact that you are running custom firmware or using other system modifications.

If you check the "OEM Unlock" box in settings, this should disable Device Protection completely. If you unlock your bootloader, but this box isn't checked, Device Protection may still work. We're getting conflicting information, so more testing needs to be done.

No. Enabling the "OEM Unlock" checkbox on your device or otherwise unlocking the bootloader will disable Device Protection. This is, in theory, because an unlocked bootloader could allow a thief to flash over the OS with a new ROM / recovery / bootloader and thus disable or overwrite the Device Protection feature in the process. So, if you want a secure phone, don't unlock your bootloader - that seems to be what Google is saying, and has generally said for some time now.

So, is Device Protection actually any good, then?

Device Protection supplements the existing Android security features (Android Device Manager) nicely in that its existence should be a much stronger deterrent to phone thieves. However, it still does require you to use a secure lock screen, and many people don't. So those devices will still be unprotected, sadly. It kind of baffles me that Google can't simply use your Google account password as the authenticator for removing Google accounts or performing factory resets as opposed to forcing you into a PIN/pattern/password lock, but that's probably because they want you securing the lock screen (and thus your data) in the first place.

If you have any more questions or comments to add about Device Protection, let us know below! We'd be happy to answer questions and to address any issues or add info you may have.