User Access

QemuQat

I found my phone on when I had previously powered the device off, and was asleep for a while. While all the auditor logs are fine and the same as the last state, to my knowledgethis wouldn't account for someone who might have known my PIN or have been lucky enough to guess it (6 digits) since these would be authorised user changes.

In that case, where someone might have had access to my device and PIN for a long time window, what risks are there for the device or user space, and what can I check? All the applications seem to be untampered and I didn't have any sensitive information on there besides a VPN credential, but have experienced some bad cybersecurity incidents in the past (of varying sophistication levels) - my main concern is the risk of remote access or logging.

Johnnyloans

QemuQat

settings > apps
a list of apps in order of last use.

Also, get a motion IR camera to watch for anyone touching the phone.

settings > accessibility

settings > apps > special permissions > device admin

2 spots for spying apps to be allowed

littlerack

QemuQat was it on any kind of charging while being OFF?

QemuQat

Johnnyloans Would checking apps in battery usage also suffice, and if someone did something like enabled OEM unlocking, developer options etc etc for a brief period to make changes as the user before relocking this would show in the auditor logs despite authorised user access, right? And Im guessing since you just suggested checking apps there aren't many other attack surfaces.

And sorry to bombard you with other questions, but is it easy to get motion IR cameras that are covert with on-device storage? I'm very limited in what other devices I have and access to secure networks at this time.

Johnnyloans

QemuQat Would checking apps in battery usage also suffice

Ya thats a great option.
You can go to system usage then see the screen time

OEM unlocking is to flash another operating system and wipe out your data.

Actually IR is pretty bad but doable. A nightlight with a camera is better. Would need one that is motion activated to filter out hours of nothing happening.

I doubt anything bad happened to you but hopefully you'll find solace :)

Novalissoide

QemuQat Would checking apps in battery usage also suffice,

I would advice against relying on battery stats for tampering forensics, its just not made for this purpose, not conclusive enough.

QemuQat if someone did something like enabled OEM unlocking, developer options etc etc for a brief period to make changes as the user before relocking this would show in the auditor logs despite authorised user access

No.

I recommend this app
https://codeberg.org/y20k/stayput/releases

Just keep your phone plugged in when sleeping, arm the app.

QemuQat

Johnnyloans Okay, thank you.

Datasapiens

do you have autoreboot set up?

QemuQat

Datasapiens oh, yeah. That might explain it. I always assumed autoreboot would only work if the phone was on though? Like if it was on for, say, 12 or 18 hours, it would reboot.

QemuQat

littlerack no, just in a faraday bag on a chair. Not charging, and I was very sure I powered it off.

Datasapiens

QemuQat I don't know, it is just a guess 🙂