My ZTE Axon 7: a warning


G+_David Vanderstelt
 

Note that I sent the following email to the aaa@twit.tv email address on November 1st, when apparently a number of other video mail came as well. Maybe it's still in the queue for their video mail, but I offer up this warning to the rest of the AAA community who might be considering an Axon 7, particularly after today's discovery that ZTE was also a customer of the Adups software found sending data to China. If you're thinking of an Axon 7, you might want to hold off until ZTE addresses these issues.

 

Hello again AAA crew! My one-minute video mail is at https://goo.gl/photos/16KpSvKEWqoRjnED6 . It's a story that has not been covered widely, but should be a total show-stopper for anyone considering buying the phone.

 

I picked up an Axon 7 a few months ago at half the price of the Pixel with almost identical specs and promises of Daydream VR readiness, and felt pretty smug about that. I was managing a Cardboard app development project at our university, and the students used it as a development and demo device, for which it worked really well.

 

Now that it's back in my hands, however, I noticed that when I rebooted the phone it didn't require me to enter my password until it hit the lock screen. That seemed rather odd, as I've used full disk encryption with the Nexus 4, 5, 7, and 6P, and while Nougat brings Direct Boot (which also boots all of the way to the lock screen to allow notifications, alarms, etc.), the Axon 7 is still on Marshmallow. Given the "quality" of the MiFavor skin, I was skeptical that ZTE would have been capable of backporting Direct Boot to Marshmallow.

 

Sure enough, when I dug into the ZTE community forum I found that forum member "peramikic" has confirmed that concern. In short, the Axon 7 uses a default password for full-disk encryption which doesn't change when the user sets a PIN or password; it just stays at default_password. And that pretty much nullifies the point of encryption. This is still the case as of the B29 system update that just rolled out yesterday, and there is no official timeline for when this problem will be addressed (or even if).

 

The details were in a response to a complaint by a forum member who was unable to use their Axon 7 at work because their mobile device management (MDM) system asserted that the phone didn't meet the device protection policy that requires a password at boot--a problem that several others confirmed. The most pertinent points from forum member peramikic's findings are below (FP = fingerprint; FDE = full-disk encryption; https://community.zteusa.com/message/60332#comment-60332?):

 

"""

The more I look into this, there seems to be a broken implementation in the security model, probably from FP integration. So far I have noticed the following issues:

 

o The FDE password does not change from "default_password" when screen lock security is set up, which means the FDE password (and in turn boot protection) is detached from lockscreen security

o The MDM finds that protection policy is not implemented since phone boot protection is missing (this ties into FDE, since the phone would have to prompt the user for pin/password to mount on boot, which it does not)

o The phone can be unlocked with FP after reboot, even though the screen shows that the phone must be unlocked with pin/pattern/pass after reboot. This is because the phone cannot access the FP data until it's decrypted by the pin/pass/pattern. But the phone auto-decrypts itself since the FDE password is default and in that way bypasses the disk encryption on start.

o Android Pay will not work when unlocking the phone with fingerprint; it has to be unlocked via pin/pattern (I find that even then it won't work half the time). This could be because of the implementation of the FP

"""

 

Grim! I don't feel like I can even sell the phone now, because I can't trust that a factory reset will properly wipe any of my data. Please warn the rest of the AAA community about this significant shortcoming of the Axon 7!

 

Yours,

Dan Scott

Sudbury, Canada

https://goo.gl/photos/16KpSvKEWqoRjnED6
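
Added example, not part of the original post and not the code of any particular MDM product: one way a device-management agent on Android can tell "encrypted with a user-supplied secret" apart from "encrypted, but still on the default key", which is the condition the post describes. The class name BootProtectionCheck and the Verdict enum are hypothetical, and whether the Axon 7 firmware reports the default-key status through this API is an assumption.

```java
import android.app.admin.DevicePolicyManager;
import android.content.Context;
import android.os.Build;

/** Hypothetical helper: classifies the boot-time encryption state of a device. */
public final class BootProtectionCheck {

    public enum Verdict { COMPLIANT, DEFAULT_KEY, NOT_ENCRYPTED, UNKNOWN }

    private BootProtectionCheck() {}

    public static Verdict evaluate(Context context) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        if (dpm == null) {
            return Verdict.UNKNOWN;
        }
        int status = dpm.getStorageEncryptionStatus();

        // ENCRYPTION_STATUS_ACTIVE_DEFAULT_KEY exists only from API 23 (Marshmallow).
        // It means the disk is encrypted but no user secret protects the key,
        // so the device can mount its data partition at boot without a prompt.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M
                && status == DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE_DEFAULT_KEY) {
            return Verdict.DEFAULT_KEY;
        }

        switch (status) {
            case DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE:
                // Encrypted, and the platform does not report the default key.
                return Verdict.COMPLIANT;
            case DevicePolicyManager.ENCRYPTION_STATUS_INACTIVE:
            case DevicePolicyManager.ENCRYPTION_STATUS_ACTIVATING:
            case DevicePolicyManager.ENCRYPTION_STATUS_UNSUPPORTED:
                return Verdict.NOT_ENCRYPTED;
            default:
                // Any other value (for example the per-user status of
                // file-based encryption on later releases) is outside the
                // full-disk-encryption case discussed in the post.
                return Verdict.UNKNOWN;
        }
    }
}
```

A policy that requires a password at boot would treat DEFAULT_KEY the same as NOT_ENCRYPTED, since in both cases nothing the user knows is needed to read the data partition after a reboot.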