Hi all,
I recently rooted my HTC Hero. I was a little disappointed to find out how insecure the result is. There is a sudo-like app called superuser that behaves as a basic gate-keeper. Any other app that wants something done as root asks the superuser app to do it. The superuser app checks its list of allowed apps, and if the app isn't listed then the user is asked.
The problem is that there is no password. This means that if you have a rooted phone, anyone who plays
with your phone can quickly get a root shell (go to one of your shell apps, su and click 'allow', then
you have a root shell). They can then use the installed sqlite3 app to, for example, get your Google password.
Ugh.
The MoDaCo Hero 3.1 rom also makes the usb shell (accessed through adb shell) default to a root shell.
Now, it is clear that if someone has physical access to your device then they have your data. Even if you have a stock phone, they could root it and then go looking through your data. But in this case the attack goes from rooting the phone (which requires multiple reboots, takes at least 10 minutes, and leaves an obvious trace) to running a few shell commands (limited more by typing speed than anything else).
Anyway, as mitigation I decided to enable the pattern based lock screen. But that is annoying. I use widgets on my home screen to get information regularly, and constantly entering the pattern is slow. (It is also not wonderfully secure, in that your finger leaves greasy trails on the screen and they show up fairly clearly if you hold the phone at the right angle in the light.)
I spent a while looking for a lock screen replacement app that allowed me to place widgets on the lock screen. I couldn't find one that I liked. The two best were Flyscreen and Executive Assistant, but neither of them was perfect.
I then stumbled across the fact that the default HTC Lockscreen can be made transparent. A standard HTC phone
allows you to personalise the lock screen wallpaper. By default it saves a jpeg file to use as the lockscreen in
/data/misc/lockscreen/lock_screen_port (note that the trailing .jpg is not there). Luckily, the app can use
more than just jpegs. If you put a png file there, the lock screen will happily use it, and png files have
an alpha channel - transparency. You can have anything from a totally clear lock screen to a 50% dimmed
lock screen, or anything else.
My new lock screen image is completely transparent except for a brief "If found please contact" message. This means that when the phone awakens, I can see the last used screen behind the lock screen. As long as I hit 'home' before I switch off my device, I get my standard home screen, with its useful widgets showing right through my lock screen. I also get all the normal HTC additions like Music controls on the lock screen, etc. When I touch the screen and start dragging down to unlock, the patten unlock view immediately appears.
Thanks to the xda developers for pointing me in the initial direction for this (they recommended deleting the
/system/etc/lockscreen/port directory to get a completely transparent lock screen). It was starting from that
approach (which requires modifying your system image), that I discovered the lock_screen_port file above that
is accessible without modifying your system image (although it might still require root permissions to modify).