Remove Google Account After Factory Reset (2019)(support.google.com)
support.google.com
Remove Google Account After Factory Reset (2019)
https://support.google.com/accounts/thread/5783037/remove-google-account-after-factory-reset?hl=en
71 comments
"This is a good thing. Combined with remote lock, it renders stolen devices useless."
My personal opinions on this:
Factory reset should mean 'just like when it came out of the factory brand new'. So no hidden keys, certificates, connections, locks or other dependencies. Either change the definition or do not call it factory reset. If people will not be able to factory reset a device, please explicitly state so in the TOS.
Rendering stolen devices useless may be a good thing security wise, but it is horrible for things like the ability to recycle and reuse. There are tons of procedures to make pretty sure devices are wiped completely from any sort of data. Why is this not enough?
I have had to destroy thousands of devices that could have a happy second (completely unsupported and no warranty whatosever) life at various projects. I'm not proud of it.
My personal opinions on this:
Factory reset should mean 'just like when it came out of the factory brand new'. So no hidden keys, certificates, connections, locks or other dependencies. Either change the definition or do not call it factory reset. If people will not be able to factory reset a device, please explicitly state so in the TOS.
Rendering stolen devices useless may be a good thing security wise, but it is horrible for things like the ability to recycle and reuse. There are tons of procedures to make pretty sure devices are wiped completely from any sort of data. Why is this not enough?
I have had to destroy thousands of devices that could have a happy second (completely unsupported and no warranty whatosever) life at various projects. I'm not proud of it.
> There are tons of procedures to make pretty sure devices are wiped completely from any sort of data. Why is this not enough?
It sucks, but it's not enough because it doesn't remove the incentive to steal the device in the first place. If you want someone to plonk down $2k for a fancy phone, you'd better be able to (a) convince them that they'll be able to re-sell it for a good chunk of that amount, and (b) at the same time reassure them that there's no point anyone stealing their expensive new toy, which means they aren't just painting a giant target on their head.
If the thousands of devices you mention were legitimately obtained, why were they locked with account credentials that you didn't have? Or were they recovered from dumped recycling or something?
It sucks, but it's not enough because it doesn't remove the incentive to steal the device in the first place. If you want someone to plonk down $2k for a fancy phone, you'd better be able to (a) convince them that they'll be able to re-sell it for a good chunk of that amount, and (b) at the same time reassure them that there's no point anyone stealing their expensive new toy, which means they aren't just painting a giant target on their head.
If the thousands of devices you mention were legitimately obtained, why were they locked with account credentials that you didn't have? Or were they recovered from dumped recycling or something?
"If the thousands of devices you mention were legitimately obtained, why were they locked with account credentials that you didn't have? Or were they recovered from dumped recycling or something?" Oh that was not only smartphones, but also data carriers like harddisks and usb sticks. Apologies for not clarifying.
Nevertheless valid points indeed. Regarding smartphones people just forgot or died. Most of them 'assumed IT would have some way of recovering them so they did not bother'.
Nevertheless valid points indeed. Regarding smartphones people just forgot or died. Most of them 'assumed IT would have some way of recovering them so they did not bother'.
Oh, right yeah that makes sense. And a moment after I posted I remembered the "donate your old phone" bins that many mobile phone shops had last time I was phone shopping. I'd imagine most people dropping their 3-year-old iPhone into one of those wouldn't bother to disassociate their account with it before they hit reset and chucked it in.
>If you want someone to plonk down $2k for a fancy phone
Which phone is this?
Which phone is this?
While I suspect this is a slight exaggeration, a 1 TB iPhone 13 Pro Max w/ 2 years of AppleCare+ (with Theft and Loss), as well as tax (for me in the US, at least) runs $1,980.08. It's $1,599 without the add-ons.
Now convert that to Australian dollars and you've got a phone that costs more than some gaming laptops.
Factory reset through the Android UI removes the locks and is just like from factory. Factory reset by booting the device to recovery mode does not. That's what FRP is all about.
No, it's not a good thing.
The Factory Reset process is defective. It SHOULD ask the user if they are selling, giving away, or otherwise disposing of the device; or otherwise just want to remove that device from their account.
The Factory Reset process is defective. It SHOULD ask the user if they are selling, giving away, or otherwise disposing of the device; or otherwise just want to remove that device from their account.
It does. "Erase all content and settings" prompts the user to enter their password to disable Find My iPhone, and if you do it through iTunes, once the phone reboots into the clean OS it prompts on the computer to type the credentials in. You could refuse to type the credentials in leaving it locked, but Apple is pretty informative throughout the process. (You can also remove it from Find My iPhone on the web and it unlocks the device even if you don't have it anymore)
Note that Android doesn't ask the same thing (and especially not if you initiate factory reset from the bootloader, as tech folks are prone to do).
This works well because pickpockets are well known for their inability to tell lies, and would always answer truthfully.
Sarcasm accepted, but you can require the account password to proceed with the reset when the user makes that choice.
It does. That is exactly what it does.
Good to know; but why are you and @swiftcoder saying apparently different things? [0]
I’m on iOS, so I can’t test this myself.
[0] https://news.ycombinator.com/item?id=30777197
I’m on iOS, so I can’t test this myself.
[0] https://news.ycombinator.com/item?id=30777197
He's talking about Android, I'm talking about iOS. I don't know what Android does, and I'm sure that it's device-specific anyway, unlike iPhones.
Ah, I thought what I was responding to was talking about Android. I can see now this was not necessarily the case.
Really depends if it really is a good thing. Stolen devices are an edge case and devices bricked because of such protection are probably numerous.
Stolen devices are an edge case because it removes the incentive to steal the devices. Back when mobile phones first started becoming popular they were an equally popular smash-and-grab item. Now? Not so much.
Devices are (and have been) stolen and sold to strip them for parts. The value may be lower, but it’s nowhere close to zero.
But most phones don't have physical reset buttons, so all of them have this kind of protection without the shenanigans of account de-association.
Are there any extant android devices that can't be factory reset from the bootloader menu?
> This is a good thing. Combined with remote lock, it renders stolen devices useless.
I’ve heard a long, long time ago that the market for stolen devices had switched to stripping them for parts rather than selling them as working replacement devices. From that perspective, activation locks don’t help much. For thieves, even if some parts won’t work, any gain is better than nothing.
I’ve heard a long, long time ago that the market for stolen devices had switched to stripping them for parts rather than selling them as working replacement devices. From that perspective, activation locks don’t help much. For thieves, even if some parts won’t work, any gain is better than nothing.
I disagree, it sounds like if you steal a device, the best you can do is part it out because of the activation lock. That raises the barrier to entry (must be able to part out the device or add a middle man), lowers the margin per device , making the endeavor much less attractive overall. I'd be willing to wager this reduces stolen devices in aggregate.
> This is a good thing. Combined with remote lock, it renders stolen devices useless.
Perhaps for consumer use.
However, we're talking about business use of these devices, but it is clear that these devices are not made for this context where in most cases you don't want the devices tied to a specific person (but rather a specific role).
Using Apple and Google devices for work just sucks.
Perhaps for consumer use.
However, we're talking about business use of these devices, but it is clear that these devices are not made for this context where in most cases you don't want the devices tied to a specific person (but rather a specific role).
Using Apple and Google devices for work just sucks.
> This is a good thing. Combined with remote lock, it renders stolen devices useless.
Of course it's not a good thing. What Apple can do to someone else at your request, they can do to you on their own initiative.
Of course it's not a good thing. What Apple can do to someone else at your request, they can do to you on their own initiative.
Yes. And your cellular provider could send text messages "from" you. Your email host could randomly delete all your emails. Your credit card provider could buy stuff on your account.
But they don't because they're all enormous companies with thousands of employees. The negative PR would be instant and overwhelming, and the sheer amount of staff would render trying to do it secretly, ineffective.
There is cautious, and there is paranoid.
But they don't because they're all enormous companies with thousands of employees. The negative PR would be instant and overwhelming, and the sheer amount of staff would render trying to do it secretly, ineffective.
There is cautious, and there is paranoid.
> Your credit card provider could buy stuff on your account.
This example is unlike the others; your credit card provider already buys everything that goes on your account. For that to make any sense, they'd need to convince you to pay them "back".
> But they don't because they're all enormous companies with thousands of employees. The negative PR would be instant and overwhelming, and the sheer amount of staff would render trying to do it secretly, ineffective.
And this is just untrue. Nobody even remembers Amazon retroactively deleting sold copies of 1984 from their customers' internet-connected Kindles. We're swimming in devices that the manufacturer won't let us access right now, but the PR hit from doing what they're already doing is too large for them to... continue doing it?
This example is unlike the others; your credit card provider already buys everything that goes on your account. For that to make any sense, they'd need to convince you to pay them "back".
> But they don't because they're all enormous companies with thousands of employees. The negative PR would be instant and overwhelming, and the sheer amount of staff would render trying to do it secretly, ineffective.
And this is just untrue. Nobody even remembers Amazon retroactively deleting sold copies of 1984 from their customers' internet-connected Kindles. We're swimming in devices that the manufacturer won't let us access right now, but the PR hit from doing what they're already doing is too large for them to... continue doing it?
> And this is just untrue. Nobody even remembers Amazon retroactively deleting sold copies of 1984 from their customers' internet-connected Kindles.
I do. And the answer to "Am I the only one who..." is always "no".
Hell, it's even on Wikipedia:
https://en.wikipedia.org/wiki/Amazon_Kindle#Removal_of_Ninet...
I do. And the answer to "Am I the only one who..." is always "no".
Hell, it's even on Wikipedia:
https://en.wikipedia.org/wiki/Amazon_Kindle#Removal_of_Ninet...
Credit card providers not only do not buy anything that goes on your account, they do not pay for anything that goes on your account. They transfer funds for purchases that you make, and make payments on your behalf. As such they are neither the buyer nor the payor in any credit card transaction.
They are the payor in every credit card transaction. Merchants aren't waiting for you to pay your credit card bill. The provider gets paid back when you do that.
That's why it's called a "credit" card.
That's why it's called a "credit" card.
This is semantics, but the payor in a commercial transaction is normally considered to be the customer / purchaser regardless of whether anyone anywhere extends credit to them. It is their name on the account.
The credit card issuer doesn't appear in the vendor's accounting system, they count the payment as having been made by the customer purchaser. It is only for relatively limited purposes (ones that approximately no one ever thinks about) that the credit card issuer is considered the payor. The merchant vendors generally don't care, don't know, and don't record. As if they are going to care whether the customer uses a Capital One credit card or one issued by his or her local bank.
The credit card issuer doesn't appear in the vendor's accounting system, they count the payment as having been made by the customer purchaser. It is only for relatively limited purposes (ones that approximately no one ever thinks about) that the credit card issuer is considered the payor. The merchant vendors generally don't care, don't know, and don't record. As if they are going to care whether the customer uses a Capital One credit card or one issued by his or her local bank.
Couldn't this be done using a reset password shipped with the phone? There is no reason to involve a third party at all.
How would the phone check whether it's stolen, without a third party, and without the user knowing the password (or lock screen pattern)?
[deleted]
The thief wouldn't have the reset password?
After two or three years, neither would the owner.
Edit: More seriously, if they took this approach, people would regularly lose their codes, which would necessitate a backup means of obtaining it. Which would no doubt require the purchaser log into their Google account. And we're back at square one.
Edit: More seriously, if they took this approach, people would regularly lose their codes, which would necessitate a backup means of obtaining it. Which would no doubt require the purchaser log into their Google account. And we're back at square one.
> After two or three years, neither would the owner.
It might surprise you, but back before games where always online everyone had to keep track of license keys. Still have a box with all of them. Only those that required feedback from activation servers are now useless because the companies killed the servers.
It might surprise you, but back before games where always online everyone had to keep track of license keys. Still have a box with all of them. Only those that required feedback from activation servers are now useless because the companies killed the servers.
And I misplaced a few CD keys over the years, and sometimes even repurchased the game for $20-50.
Modern phones are closer to $1000.
Modern phones are closer to $1000.
Some I still have, too. But even back then, I just looked for a key online, than bothered searching. That was way quicker ... you didn't even had to go to any dark sites. Google showed them right upfront.
(for single player games)
(for single player games)
What if this was a dark pattern implemented so that people will generate more useless phones and will have to purchase new ones all the time?
Company-owned devices can be provisioned in "fully-managed mode" a.k.a. "device owner mode". Sounds like they didn't do that?
https://developers.google.com/android/work/requirements/full... https://developers.google.com/android/work/play/emm-api/prov...
https://developers.google.com/android/work/requirements/full... https://developers.google.com/android/work/play/emm-api/prov...
From the OP's replies, it doesn't look like they did anything except hand a phone in a box to an employee.
This is a theft prevention feature, the same as Apples 'icloud lock'
It works very well to prevent theft. Phone models locked in this way are barely worth anything on markets of stolen goods.
Unfortunately some devices have exploits which allow relatively easy unlocking, and those models are still stolen quite a lot.
It works very well to prevent theft. Phone models locked in this way are barely worth anything on markets of stolen goods.
Unfortunately some devices have exploits which allow relatively easy unlocking, and those models are still stolen quite a lot.
Could you cite a source regarding the claim that "it works well to prevent theft"?
Not disputing your claim, just finding it difficult to find evidence either way.
Not disputing your claim, just finding it difficult to find evidence either way.
> Global Drop In Smartphone Thefts Following Introduction Of Kill Switch[.] New Data Reveal Thefts Down 40% In London; 22 % In San Francisco; And 16% In New York City
https://ag.ny.gov/press-release/2015/ag-schneiderman-london-...
https://ag.ny.gov/press-release/2015/ag-schneiderman-london-...
Can you report your previous employees to the police for theft of company property then?
No, it's a feature to prevent non-controlled second hand markets.
Theft is just the marketing gimmick
Theft is just the marketing gimmick
That seems like an uncharitable take. It is entirely possible to re-sell a modern phone, and this happens quite often. Before selling the previous owner must sign out of the device's cloud account and perform a factory reset.
Differentiating between the intentional re-selling of the device, and the selling of a stolen device does seem like a tricky problem, and personally I think this solution seems reasonable. If the device manufacturers are at fault of something it would be poor UX for not making this more clear, otherwise I believe these companies are acting honestly here.
Differentiating between the intentional re-selling of the device, and the selling of a stolen device does seem like a tricky problem, and personally I think this solution seems reasonable. If the device manufacturers are at fault of something it would be poor UX for not making this more clear, otherwise I believe these companies are acting honestly here.
Why can't they implement a second factor of auth to determine the phone's real owner? Or is that deliberately avoided to prevent victims of theft being put under duress?
I mean, we have that. It's called an imei and you can't change it.
All that would be needed is for anyone selling a phone to provide the imei and some id to a govt service to assert that they are the current owner and intend to sell it for x price on y day. If you don't do this check and buy a phone, you're held liable if it is stolen. If you do, and it passes but later turns out to be stolen, automatically reimburse the buyer when you return it to the owner and make the seller liable to cover all associated costs in addition to the handling stolen property.
Most of this is already implemented for cars via vin, and doesn't require that an unelected central power has carte blanche to do whatever they want to it at any time.
All that would be needed is for anyone selling a phone to provide the imei and some id to a govt service to assert that they are the current owner and intend to sell it for x price on y day. If you don't do this check and buy a phone, you're held liable if it is stolen. If you do, and it passes but later turns out to be stolen, automatically reimburse the buyer when you return it to the owner and make the seller liable to cover all associated costs in addition to the handling stolen property.
Most of this is already implemented for cars via vin, and doesn't require that an unelected central power has carte blanche to do whatever they want to it at any time.
You can't change it, but you can find it inside the phone, no?
That's...the point?
Have a central database of registered owners.
Allow current owner to assert that they own a given imei in a way that the buyer can check on said database.
Register the transfer of ownership during sale.
Have a central database of registered owners.
Allow current owner to assert that they own a given imei in a way that the buyer can check on said database.
Register the transfer of ownership during sale.
Never put a managed work account on a private device.
The inverse is also true, have strong policies that prevent private accounts on work devices.
Work have zero right to your private data, and you really really don't want to take any liability for work data.
The inverse is also true, have strong policies that prevent private accounts on work devices.
Work have zero right to your private data, and you really really don't want to take any liability for work data.
I have a perfectly good phone that’s bricked because of this. It really seems like there’s nothing you can do.
I work in an area of refurbishing phones, this is something I deal with sometimes.
Often times we receive phones that are completely locked, but depending on the version, you can bypass it by using Android manipulation tricks. If a phone has FRP (factory reset protection) enabled, then it is locked to the original account, and the phone setup process, even after a factory reset, is a lot different. The phone requires that WiFi is enabled and connected to a network, as opposed to optional, and that the original account owner signs into it in order to set it up.
The bypass trick is going into either emergency phone call mode, or by going into TalkBack settings and bringing up the global context menu to do what I call are break-outs. You can dial an emergency phone number (I hate doing this) and hop to the Bluetooth Android settings, which then lets you navigate to Backup&Reset, and from that you can completely wipe the phone and get rid of FRP. You must enter the settings before the phone hangs up.
Or you can go into TalkBack, activate it, go through help docs, and try to find a help doc that links you to an exterior site like YouTube through Chrome (not the app). From the browser, download any kind of APK, then head into APK installation settings where you have to grant security permissions to install APKs from unknown sources, which then takes you to Android settings, which you can then do a full factory reset to remove FRP.
I've also seen on Android 8 or newer that you can use the Google assistant type-text modes to do break-outs as well from inside the locked phone setup process. YMMV, but these are things I've done in practice on some slightly older phones.
Often times we receive phones that are completely locked, but depending on the version, you can bypass it by using Android manipulation tricks. If a phone has FRP (factory reset protection) enabled, then it is locked to the original account, and the phone setup process, even after a factory reset, is a lot different. The phone requires that WiFi is enabled and connected to a network, as opposed to optional, and that the original account owner signs into it in order to set it up.
The bypass trick is going into either emergency phone call mode, or by going into TalkBack settings and bringing up the global context menu to do what I call are break-outs. You can dial an emergency phone number (I hate doing this) and hop to the Bluetooth Android settings, which then lets you navigate to Backup&Reset, and from that you can completely wipe the phone and get rid of FRP. You must enter the settings before the phone hangs up.
Or you can go into TalkBack, activate it, go through help docs, and try to find a help doc that links you to an exterior site like YouTube through Chrome (not the app). From the browser, download any kind of APK, then head into APK installation settings where you have to grant security permissions to install APKs from unknown sources, which then takes you to Android settings, which you can then do a full factory reset to remove FRP.
I've also seen on Android 8 or newer that you can use the Google assistant type-text modes to do break-outs as well from inside the locked phone setup process. YMMV, but these are things I've done in practice on some slightly older phones.
Same here, which is why I posted this. Absolute shame.
If it's a corporate device, managed by Google Workspace then you can bypass this anyway.
"Allows the specified administrator accounts to sign in to a company-owned device after it’s reset to its factory settings. Who can sign in after a factory reset depends on how the device is company-owned and its management client"
[0] - https://support.google.com/a/answer/6328708?hl=en_GB#dev_fac...
"Allows the specified administrator accounts to sign in to a company-owned device after it’s reset to its factory settings. Who can sign in after a factory reset depends on how the device is company-owned and its management client"
[0] - https://support.google.com/a/answer/6328708?hl=en_GB#dev_fac...
Note this is about the device protection feature.
But I still wonder why this is implementen on a factory reset. The only thing I can think of is to discourage theft.
But I still wonder why this is implementen on a factory reset. The only thing I can think of is to discourage theft.
This does not prevent anything. I've had to deal with this with corporate phones from old employees. I can take the phone to any of the nearest phone repair shops and they can remove all google protections after factory reset for less than 20eur per phone.
(2019)
The amount of these devices going into the trash is shameful and unnecessary.
Vendors like Apple should be required to take back phones and devices that are in such a locked state for free. They should then unlock devices that can be sold as refurbished, used or even part out the devices.
Vendors like Apple should be required to take back phones and devices that are in such a locked state for free. They should then unlock devices that can be sold as refurbished, used or even part out the devices.
I have often assumed that the reason that the iPhone SE has never had a design refresh is because it enables them to continue recycling significant amounts of materials from traded-in/recycled iPhone 6, 6S, 7 and 8.
If look at Apple's trade-in program, they'll accept any phone in any state (even broken phones from competitors) and recycle them. Pretty sure this is a legal requirement in several jurisdictions.
With a trade in you get money for the device, hence you need to own it. I want phones that have been lost or stolen to be recycled with Apple not compensating anyone for bringing them in.
If you go through the trade-in evaluation online, and say that the device is smashed or doesn't boot up, they'll offer to recycle it for you at their cost.
[deleted]
[deleted]
This is a good thing. Combined with remote lock, it renders stolen devices useless.