Android's SafetyNet API already prevents devices with unlocked bootloaders from accessing certain apps, including some games and financial apps, although there is a way to bypass this check. A future update (hardware attestation for SafetyNet) is expected to remove this workaround:
Even if you'll never touch a phone with a Google logo, Daniel does such an excellent job at explaining applied (in)security information that the website is worth every second you spend there.
> An attacker who can logically gain access to the memory of a device following boot and first unlock can directly access encrypted data and keys.
To (over?) simplify things: If you have already unlocked your phone at least once, even if it is currently locked (which is probably >99% of the time) your phones data is not protected as these repeated statements of "your data is encrypted at rest!" imply.
10 comments
[ 3.3 ms ] story [ 41.5 ms ] threadhttps://www.xda-developers.com/safetynet-hardware-attestatio...
https://www.xda-developers.com/safetynet-hardware-attestatio...
This is because the app developers don't want their apps running on rooted devices.
If you want your app to be sideloaded or to run on rooted devices, and your app isn't obvious malware, Android allows that.
> Threats: Physical Access -> Mitigations: Protected Storage - Secure storage (that is, encryption of data-at-rest) for data contained on the device
From https://securephones.io/main.pdf
> An attacker who can logically gain access to the memory of a device following boot and first unlock can directly access encrypted data and keys.
To (over?) simplify things: If you have already unlocked your phone at least once, even if it is currently locked (which is probably >99% of the time) your phones data is not protected as these repeated statements of "your data is encrypted at rest!" imply.