Downsides of showing email address on Android lock screen

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP












49















My stock Android 9.0 gives me the option of showing some short text message on the lock screen. I want to add my email address here, so people know how to contact me if they find my phone.



Are there any downsides to this? The address is linked to the Google account that's used on this phone.



I know there are other options for getting my phone back, like find my phone, but I want a method that allows the finder to find me instead of the other way around.










share|improve this question



















  • 9





    Mine shows my other half's cellphone number and my home phone number. Probably slightly more accessible to people - more people have access to a phone than have email.

    – Criggie
    Feb 13 at 10:04











  • I also have the mobile number for my sibling (Including intl country code), as they are rarely with me but know how to contact my other half in case my other half and I are both unreachable.

    – Dean Meehan
    Feb 13 at 10:40






  • 4





    Most new phones have an emergency call feature which gives any user access to some preset emergency contacts. If this fails the find my phone option is by far the easiest if you lose it as you can make it automatically lock and print a message of your choice on the screen.

    – Bex
    Feb 13 at 14:33












  • @Criggie but the police definitely have access to email, so worst case (for someone willing to return it, of course), the police will do it for them.

    – user185163
    Feb 15 at 4:49















49















My stock Android 9.0 gives me the option of showing some short text message on the lock screen. I want to add my email address here, so people know how to contact me if they find my phone.



Are there any downsides to this? The address is linked to the Google account that's used on this phone.



I know there are other options for getting my phone back, like find my phone, but I want a method that allows the finder to find me instead of the other way around.










share|improve this question



















  • 9





    Mine shows my other half's cellphone number and my home phone number. Probably slightly more accessible to people - more people have access to a phone than have email.

    – Criggie
    Feb 13 at 10:04











  • I also have the mobile number for my sibling (Including intl country code), as they are rarely with me but know how to contact my other half in case my other half and I are both unreachable.

    – Dean Meehan
    Feb 13 at 10:40






  • 4





    Most new phones have an emergency call feature which gives any user access to some preset emergency contacts. If this fails the find my phone option is by far the easiest if you lose it as you can make it automatically lock and print a message of your choice on the screen.

    – Bex
    Feb 13 at 14:33












  • @Criggie but the police definitely have access to email, so worst case (for someone willing to return it, of course), the police will do it for them.

    – user185163
    Feb 15 at 4:49













49












49








49


4






My stock Android 9.0 gives me the option of showing some short text message on the lock screen. I want to add my email address here, so people know how to contact me if they find my phone.



Are there any downsides to this? The address is linked to the Google account that's used on this phone.



I know there are other options for getting my phone back, like find my phone, but I want a method that allows the finder to find me instead of the other way around.










share|improve this question
















My stock Android 9.0 gives me the option of showing some short text message on the lock screen. I want to add my email address here, so people know how to contact me if they find my phone.



Are there any downsides to this? The address is linked to the Google account that's used on this phone.



I know there are other options for getting my phone back, like find my phone, but I want a method that allows the finder to find me instead of the other way around.







android device-locking






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Feb 13 at 9:31









schroeder

77.1k30171206




77.1k30171206










asked Feb 13 at 5:22









freekvdfreekvd

34835




34835







  • 9





    Mine shows my other half's cellphone number and my home phone number. Probably slightly more accessible to people - more people have access to a phone than have email.

    – Criggie
    Feb 13 at 10:04











  • I also have the mobile number for my sibling (Including intl country code), as they are rarely with me but know how to contact my other half in case my other half and I are both unreachable.

    – Dean Meehan
    Feb 13 at 10:40






  • 4





    Most new phones have an emergency call feature which gives any user access to some preset emergency contacts. If this fails the find my phone option is by far the easiest if you lose it as you can make it automatically lock and print a message of your choice on the screen.

    – Bex
    Feb 13 at 14:33












  • @Criggie but the police definitely have access to email, so worst case (for someone willing to return it, of course), the police will do it for them.

    – user185163
    Feb 15 at 4:49












  • 9





    Mine shows my other half's cellphone number and my home phone number. Probably slightly more accessible to people - more people have access to a phone than have email.

    – Criggie
    Feb 13 at 10:04











  • I also have the mobile number for my sibling (Including intl country code), as they are rarely with me but know how to contact my other half in case my other half and I are both unreachable.

    – Dean Meehan
    Feb 13 at 10:40






  • 4





    Most new phones have an emergency call feature which gives any user access to some preset emergency contacts. If this fails the find my phone option is by far the easiest if you lose it as you can make it automatically lock and print a message of your choice on the screen.

    – Bex
    Feb 13 at 14:33












  • @Criggie but the police definitely have access to email, so worst case (for someone willing to return it, of course), the police will do it for them.

    – user185163
    Feb 15 at 4:49







9




9





Mine shows my other half's cellphone number and my home phone number. Probably slightly more accessible to people - more people have access to a phone than have email.

– Criggie
Feb 13 at 10:04





Mine shows my other half's cellphone number and my home phone number. Probably slightly more accessible to people - more people have access to a phone than have email.

– Criggie
Feb 13 at 10:04













I also have the mobile number for my sibling (Including intl country code), as they are rarely with me but know how to contact my other half in case my other half and I are both unreachable.

– Dean Meehan
Feb 13 at 10:40





I also have the mobile number for my sibling (Including intl country code), as they are rarely with me but know how to contact my other half in case my other half and I are both unreachable.

– Dean Meehan
Feb 13 at 10:40




4




4





Most new phones have an emergency call feature which gives any user access to some preset emergency contacts. If this fails the find my phone option is by far the easiest if you lose it as you can make it automatically lock and print a message of your choice on the screen.

– Bex
Feb 13 at 14:33






Most new phones have an emergency call feature which gives any user access to some preset emergency contacts. If this fails the find my phone option is by far the easiest if you lose it as you can make it automatically lock and print a message of your choice on the screen.

– Bex
Feb 13 at 14:33














@Criggie but the police definitely have access to email, so worst case (for someone willing to return it, of course), the police will do it for them.

– user185163
Feb 15 at 4:49





@Criggie but the police definitely have access to email, so worst case (for someone willing to return it, of course), the police will do it for them.

– user185163
Feb 15 at 4:49










5 Answers
5






active

oldest

votes


















79














Your email address is generally public knowledge, so disclosing it is often not a big security risk.



But it gets complicated when it's your phone. Because your email address is often used as your username to log into services, and you (should) use your phone as a second factor when logging in, tying those two pieces of data might have unintended consequences. Yes, you (should have already) encrypt your phone and you (should) have a strong password to log into your phone, but there are risks depending on how you implemented everything.



The better option to do what you want is to display a secondary address that you do not use as a username anywhere. This is easy to do and to simply forward all emails from there to your primary address.






share|improve this answer


















  • 28





    +1 for the suggestion of using a secondary address. In addition, the secondary address should not contain your real name as it would be fast to find the public address knowing your name and the location the phone was found/stolen.

    – Esa Jokinen
    Feb 13 at 8:34






  • 6





    I'd also point out that getting into your email account (to read the message about your phone being found) might be complicated by the loss of the phone (as the second factor).

    – Roger Lipscombe
    Feb 13 at 9:21







  • 3





    @EsaJokinen I'm not sure about the value of that. The entire purpose of adding the email address is so that the person can physically interact with the phone owner. Either to hand the phone to the owner or to mail it. Secondarily, if you set up your phone to show notifications, the person with the phone will gather all kinds of personal information. To take advantage of what you suggest, you would also need to employ a few steps of opsec.

    – schroeder
    Feb 13 at 9:21







  • 32





    A friend of mine used to put their mobile phone number on the lock screen, so that anyone who found the phone could call them to let them know and arrange a return. 🤦‍♂️👌😂

    – Lightness Races in Orbit
    Feb 13 at 13:07






  • 5





    We also have to remember that a person returning the phone is probably a different person than the one we are trying to protect our information from. We must think these use cases separately. After the initial contact from someone who has found the phone we can decide what more information we are willing to give, while we can keep everything hidden from the perpetrator.

    – Esa Jokinen
    Feb 13 at 13:26



















12














If the goal is to allow a sincere finder to contact you but prevent leaking any information:



  1. Lock the phone properly (strong password, fingerprint etc.)

  2. Encrypt the contents.

  3. Hide details for notification from the lock screen.

  4. If possible, prevent answering to any phone calls without authentication. That's probably the hardest step to achieve, and anyone who calls you may accidentally reveal your identity, not to mention if a phone call is chosen for a 2FA method.

  5. Use a secondary email address that could not be linked to you.

As in Schroeder's excellent answer, the email address is not the most crucial information a phone could leak. The #5 is only truly useful if you have achieved everything in #1-4, as any of #1-4 can make it trivial to find the information hidden in #5.






share|improve this answer


















  • 1





    Is fingerprint really that good when it's relatively trivial to lift fingerprints, sometimes off the phone itself and create moulds to access the device

    – Expired Data
    Feb 14 at 10:50






  • 2





    Depending on the fingerprint sensor it seems hard to get it to work even with the actual finger. ;) One added layer of security is to use a password for unlocking the phone and the fingerprint sensor for other authentication once the phone is unlocked.

    – Esa Jokinen
    Feb 14 at 10:59


















3














There is a better solution.. Display instead the phone number of the person you want contacted in case of emergency, labeling it clearly 'ICE' (which means 'in case of emergency' to all emergency workers). Then if you get in an accident and are unconscious your person will be contacted a lot faster. And as a side effect if you lose your phone a friend will get quickly notified too






share|improve this answer






























    2














    I would consider that the main risk of placing the email address there is that in case it is lost, it would be a phishing target for unlocking the device.



    This is quite common with Apple devices: iPhone is lost/stolen, and thus the owner locks access to the phone, so it's no longer possible to use this device (unless accessing the Apple account of the owner). However, the message shown for those that find it often includes the email address associated to the account. Thus, what attackers do (actually there are people selling this 'service') is to send a phishing email there claiming to come from Apple and stating that the iPhone has been found, that actually leads to a phishing page from which the credentials of such accounts are harvested for freeing the device.



    I find that the same approach would equally work with an Android phone. If the email address shown is the Google account linked to the device (as it'd be usual to be), phishing the account credentials would allow unlocking the device.



    Using a secondary email address exclusively for that (which should then receive 0 mails, and you may not even look at until you lose your phone), and not linked to the phone, should help.† Although you should be very wary that anything received there should be presumed to be a phishing attempt (note that any notification regarding the lost phone would not be sent there, only a human that had read the message would direct phone-related mails there!).



    † Of course, store the name and password for that email safely, as well as of the primary account where the device backups everything.






    share|improve this answer























    • Some assume every lost phone is stolen. I once found one and was trying to figure out how to contact the owner when she tried to video call me to get the face of "the stealer".

      – Esa Jokinen
      Feb 15 at 16:52


















    0














    Including your email there is a pretty risky move. Imagine you lose the phone and a bad guy finds it:



    • he sees the email and goes to example.com and tries to log in

    • since he doesn't know the password, he chooses to recover the account by sending a token to your (now his) phone

    • the text notification on the phone displays the token since it isn't very long (and you have it configured to show that preview)

    • now he can change the password of example.com and that account is gone

    He can repeat that for other services and cause a lot of damage, so don't include your email. Look at the other answers that provide good advice (in this answer I just wanted to point out how easily things could go wrong).






    share|improve this answer




















    • 1





      This is basically my answer, but your take on it requires a very specific set up for lock screen notifications, how 2FA is used, and how the password reset process works on the site's side....

      – schroeder
      Feb 14 at 13:26











    • @schroeder, exactly, that's why I added the bits related to specific set up for lock screen notifications, how 2FA is used, and how the password reset process works on the site's side, mentioned to look the other answers (including yours) and also told why my answer was estructured that way

      – Felipe Pereira
      Feb 14 at 13:30






    • 2





      In any event, my comment still stands. I'm not sure that this adds anything and it requires a very specific set things to be true to be relevant.

      – schroeder
      Feb 14 at 14:27











    • @schroeder well, you didn't suggested that I reacted to your comment, you just went ahead and stated it by saying Those additions came after my comment., and that isn't true at all, again, the answer wasn't edited after I posted it, there is no way you can have read two versions of it, unless you as a mod can see the draft while I'm writing it. In case you are not sure if this answer adds anything, I elaborated on what you mentioned in might have unintended consequences, it adds a clear example of an exploit against having the email there.

      – Felipe Pereira
      Feb 14 at 14:37






    • 1





      Also not an answer if you refer to another answer which could be modified or deleted in the future.

      – pipe
      Feb 14 at 16:02










    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "162"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    noCode: true, onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f203478%2fdownsides-of-showing-email-address-on-android-lock-screen%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    5 Answers
    5






    active

    oldest

    votes








    5 Answers
    5






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    79














    Your email address is generally public knowledge, so disclosing it is often not a big security risk.



    But it gets complicated when it's your phone. Because your email address is often used as your username to log into services, and you (should) use your phone as a second factor when logging in, tying those two pieces of data might have unintended consequences. Yes, you (should have already) encrypt your phone and you (should) have a strong password to log into your phone, but there are risks depending on how you implemented everything.



    The better option to do what you want is to display a secondary address that you do not use as a username anywhere. This is easy to do and to simply forward all emails from there to your primary address.






    share|improve this answer


















    • 28





      +1 for the suggestion of using a secondary address. In addition, the secondary address should not contain your real name as it would be fast to find the public address knowing your name and the location the phone was found/stolen.

      – Esa Jokinen
      Feb 13 at 8:34






    • 6





      I'd also point out that getting into your email account (to read the message about your phone being found) might be complicated by the loss of the phone (as the second factor).

      – Roger Lipscombe
      Feb 13 at 9:21







    • 3





      @EsaJokinen I'm not sure about the value of that. The entire purpose of adding the email address is so that the person can physically interact with the phone owner. Either to hand the phone to the owner or to mail it. Secondarily, if you set up your phone to show notifications, the person with the phone will gather all kinds of personal information. To take advantage of what you suggest, you would also need to employ a few steps of opsec.

      – schroeder
      Feb 13 at 9:21







    • 32





      A friend of mine used to put their mobile phone number on the lock screen, so that anyone who found the phone could call them to let them know and arrange a return. 🤦‍♂️👌😂

      – Lightness Races in Orbit
      Feb 13 at 13:07






    • 5





      We also have to remember that a person returning the phone is probably a different person than the one we are trying to protect our information from. We must think these use cases separately. After the initial contact from someone who has found the phone we can decide what more information we are willing to give, while we can keep everything hidden from the perpetrator.

      – Esa Jokinen
      Feb 13 at 13:26
















    79














    Your email address is generally public knowledge, so disclosing it is often not a big security risk.



    But it gets complicated when it's your phone. Because your email address is often used as your username to log into services, and you (should) use your phone as a second factor when logging in, tying those two pieces of data might have unintended consequences. Yes, you (should have already) encrypt your phone and you (should) have a strong password to log into your phone, but there are risks depending on how you implemented everything.



    The better option to do what you want is to display a secondary address that you do not use as a username anywhere. This is easy to do and to simply forward all emails from there to your primary address.






    share|improve this answer


















    • 28





      +1 for the suggestion of using a secondary address. In addition, the secondary address should not contain your real name as it would be fast to find the public address knowing your name and the location the phone was found/stolen.

      – Esa Jokinen
      Feb 13 at 8:34






    • 6





      I'd also point out that getting into your email account (to read the message about your phone being found) might be complicated by the loss of the phone (as the second factor).

      – Roger Lipscombe
      Feb 13 at 9:21







    • 3





      @EsaJokinen I'm not sure about the value of that. The entire purpose of adding the email address is so that the person can physically interact with the phone owner. Either to hand the phone to the owner or to mail it. Secondarily, if you set up your phone to show notifications, the person with the phone will gather all kinds of personal information. To take advantage of what you suggest, you would also need to employ a few steps of opsec.

      – schroeder
      Feb 13 at 9:21







    • 32





      A friend of mine used to put their mobile phone number on the lock screen, so that anyone who found the phone could call them to let them know and arrange a return. 🤦‍♂️👌😂

      – Lightness Races in Orbit
      Feb 13 at 13:07






    • 5





      We also have to remember that a person returning the phone is probably a different person than the one we are trying to protect our information from. We must think these use cases separately. After the initial contact from someone who has found the phone we can decide what more information we are willing to give, while we can keep everything hidden from the perpetrator.

      – Esa Jokinen
      Feb 13 at 13:26














    79












    79








    79







    Your email address is generally public knowledge, so disclosing it is often not a big security risk.



    But it gets complicated when it's your phone. Because your email address is often used as your username to log into services, and you (should) use your phone as a second factor when logging in, tying those two pieces of data might have unintended consequences. Yes, you (should have already) encrypt your phone and you (should) have a strong password to log into your phone, but there are risks depending on how you implemented everything.



    The better option to do what you want is to display a secondary address that you do not use as a username anywhere. This is easy to do and to simply forward all emails from there to your primary address.






    share|improve this answer













    Your email address is generally public knowledge, so disclosing it is often not a big security risk.



    But it gets complicated when it's your phone. Because your email address is often used as your username to log into services, and you (should) use your phone as a second factor when logging in, tying those two pieces of data might have unintended consequences. Yes, you (should have already) encrypt your phone and you (should) have a strong password to log into your phone, but there are risks depending on how you implemented everything.



    The better option to do what you want is to display a secondary address that you do not use as a username anywhere. This is easy to do and to simply forward all emails from there to your primary address.







    share|improve this answer












    share|improve this answer



    share|improve this answer










    answered Feb 13 at 8:07









    schroederschroeder

    77.1k30171206




    77.1k30171206







    • 28





      +1 for the suggestion of using a secondary address. In addition, the secondary address should not contain your real name as it would be fast to find the public address knowing your name and the location the phone was found/stolen.

      – Esa Jokinen
      Feb 13 at 8:34






    • 6





      I'd also point out that getting into your email account (to read the message about your phone being found) might be complicated by the loss of the phone (as the second factor).

      – Roger Lipscombe
      Feb 13 at 9:21







    • 3





      @EsaJokinen I'm not sure about the value of that. The entire purpose of adding the email address is so that the person can physically interact with the phone owner. Either to hand the phone to the owner or to mail it. Secondarily, if you set up your phone to show notifications, the person with the phone will gather all kinds of personal information. To take advantage of what you suggest, you would also need to employ a few steps of opsec.

      – schroeder
      Feb 13 at 9:21







    • 32





      A friend of mine used to put their mobile phone number on the lock screen, so that anyone who found the phone could call them to let them know and arrange a return. 🤦‍♂️👌😂

      – Lightness Races in Orbit
      Feb 13 at 13:07






    • 5





      We also have to remember that a person returning the phone is probably a different person than the one we are trying to protect our information from. We must think these use cases separately. After the initial contact from someone who has found the phone we can decide what more information we are willing to give, while we can keep everything hidden from the perpetrator.

      – Esa Jokinen
      Feb 13 at 13:26













    • 28





      +1 for the suggestion of using a secondary address. In addition, the secondary address should not contain your real name as it would be fast to find the public address knowing your name and the location the phone was found/stolen.

      – Esa Jokinen
      Feb 13 at 8:34






    • 6





      I'd also point out that getting into your email account (to read the message about your phone being found) might be complicated by the loss of the phone (as the second factor).

      – Roger Lipscombe
      Feb 13 at 9:21







    • 3





      @EsaJokinen I'm not sure about the value of that. The entire purpose of adding the email address is so that the person can physically interact with the phone owner. Either to hand the phone to the owner or to mail it. Secondarily, if you set up your phone to show notifications, the person with the phone will gather all kinds of personal information. To take advantage of what you suggest, you would also need to employ a few steps of opsec.

      – schroeder
      Feb 13 at 9:21







    • 32





      A friend of mine used to put their mobile phone number on the lock screen, so that anyone who found the phone could call them to let them know and arrange a return. 🤦‍♂️👌😂

      – Lightness Races in Orbit
      Feb 13 at 13:07






    • 5





      We also have to remember that a person returning the phone is probably a different person than the one we are trying to protect our information from. We must think these use cases separately. After the initial contact from someone who has found the phone we can decide what more information we are willing to give, while we can keep everything hidden from the perpetrator.

      – Esa Jokinen
      Feb 13 at 13:26








    28




    28





    +1 for the suggestion of using a secondary address. In addition, the secondary address should not contain your real name as it would be fast to find the public address knowing your name and the location the phone was found/stolen.

    – Esa Jokinen
    Feb 13 at 8:34





    +1 for the suggestion of using a secondary address. In addition, the secondary address should not contain your real name as it would be fast to find the public address knowing your name and the location the phone was found/stolen.

    – Esa Jokinen
    Feb 13 at 8:34




    6




    6





    I'd also point out that getting into your email account (to read the message about your phone being found) might be complicated by the loss of the phone (as the second factor).

    – Roger Lipscombe
    Feb 13 at 9:21






    I'd also point out that getting into your email account (to read the message about your phone being found) might be complicated by the loss of the phone (as the second factor).

    – Roger Lipscombe
    Feb 13 at 9:21





    3




    3





    @EsaJokinen I'm not sure about the value of that. The entire purpose of adding the email address is so that the person can physically interact with the phone owner. Either to hand the phone to the owner or to mail it. Secondarily, if you set up your phone to show notifications, the person with the phone will gather all kinds of personal information. To take advantage of what you suggest, you would also need to employ a few steps of opsec.

    – schroeder
    Feb 13 at 9:21






    @EsaJokinen I'm not sure about the value of that. The entire purpose of adding the email address is so that the person can physically interact with the phone owner. Either to hand the phone to the owner or to mail it. Secondarily, if you set up your phone to show notifications, the person with the phone will gather all kinds of personal information. To take advantage of what you suggest, you would also need to employ a few steps of opsec.

    – schroeder
    Feb 13 at 9:21





    32




    32





    A friend of mine used to put their mobile phone number on the lock screen, so that anyone who found the phone could call them to let them know and arrange a return. 🤦‍♂️👌😂

    – Lightness Races in Orbit
    Feb 13 at 13:07





    A friend of mine used to put their mobile phone number on the lock screen, so that anyone who found the phone could call them to let them know and arrange a return. 🤦‍♂️👌😂

    – Lightness Races in Orbit
    Feb 13 at 13:07




    5




    5





    We also have to remember that a person returning the phone is probably a different person than the one we are trying to protect our information from. We must think these use cases separately. After the initial contact from someone who has found the phone we can decide what more information we are willing to give, while we can keep everything hidden from the perpetrator.

    – Esa Jokinen
    Feb 13 at 13:26






    We also have to remember that a person returning the phone is probably a different person than the one we are trying to protect our information from. We must think these use cases separately. After the initial contact from someone who has found the phone we can decide what more information we are willing to give, while we can keep everything hidden from the perpetrator.

    – Esa Jokinen
    Feb 13 at 13:26














    12














    If the goal is to allow a sincere finder to contact you but prevent leaking any information:



    1. Lock the phone properly (strong password, fingerprint etc.)

    2. Encrypt the contents.

    3. Hide details for notification from the lock screen.

    4. If possible, prevent answering to any phone calls without authentication. That's probably the hardest step to achieve, and anyone who calls you may accidentally reveal your identity, not to mention if a phone call is chosen for a 2FA method.

    5. Use a secondary email address that could not be linked to you.

    As in Schroeder's excellent answer, the email address is not the most crucial information a phone could leak. The #5 is only truly useful if you have achieved everything in #1-4, as any of #1-4 can make it trivial to find the information hidden in #5.






    share|improve this answer


















    • 1





      Is fingerprint really that good when it's relatively trivial to lift fingerprints, sometimes off the phone itself and create moulds to access the device

      – Expired Data
      Feb 14 at 10:50






    • 2





      Depending on the fingerprint sensor it seems hard to get it to work even with the actual finger. ;) One added layer of security is to use a password for unlocking the phone and the fingerprint sensor for other authentication once the phone is unlocked.

      – Esa Jokinen
      Feb 14 at 10:59















    12














    If the goal is to allow a sincere finder to contact you but prevent leaking any information:



    1. Lock the phone properly (strong password, fingerprint etc.)

    2. Encrypt the contents.

    3. Hide details for notification from the lock screen.

    4. If possible, prevent answering to any phone calls without authentication. That's probably the hardest step to achieve, and anyone who calls you may accidentally reveal your identity, not to mention if a phone call is chosen for a 2FA method.

    5. Use a secondary email address that could not be linked to you.

    As in Schroeder's excellent answer, the email address is not the most crucial information a phone could leak. The #5 is only truly useful if you have achieved everything in #1-4, as any of #1-4 can make it trivial to find the information hidden in #5.






    share|improve this answer


















    • 1





      Is fingerprint really that good when it's relatively trivial to lift fingerprints, sometimes off the phone itself and create moulds to access the device

      – Expired Data
      Feb 14 at 10:50






    • 2





      Depending on the fingerprint sensor it seems hard to get it to work even with the actual finger. ;) One added layer of security is to use a password for unlocking the phone and the fingerprint sensor for other authentication once the phone is unlocked.

      – Esa Jokinen
      Feb 14 at 10:59













    12












    12








    12







    If the goal is to allow a sincere finder to contact you but prevent leaking any information:



    1. Lock the phone properly (strong password, fingerprint etc.)

    2. Encrypt the contents.

    3. Hide details for notification from the lock screen.

    4. If possible, prevent answering to any phone calls without authentication. That's probably the hardest step to achieve, and anyone who calls you may accidentally reveal your identity, not to mention if a phone call is chosen for a 2FA method.

    5. Use a secondary email address that could not be linked to you.

    As in Schroeder's excellent answer, the email address is not the most crucial information a phone could leak. The #5 is only truly useful if you have achieved everything in #1-4, as any of #1-4 can make it trivial to find the information hidden in #5.






    share|improve this answer













    If the goal is to allow a sincere finder to contact you but prevent leaking any information:



    1. Lock the phone properly (strong password, fingerprint etc.)

    2. Encrypt the contents.

    3. Hide details for notification from the lock screen.

    4. If possible, prevent answering to any phone calls without authentication. That's probably the hardest step to achieve, and anyone who calls you may accidentally reveal your identity, not to mention if a phone call is chosen for a 2FA method.

    5. Use a secondary email address that could not be linked to you.

    As in Schroeder's excellent answer, the email address is not the most crucial information a phone could leak. The #5 is only truly useful if you have achieved everything in #1-4, as any of #1-4 can make it trivial to find the information hidden in #5.







    share|improve this answer












    share|improve this answer



    share|improve this answer










    answered Feb 13 at 10:08









    Esa JokinenEsa Jokinen

    2,123614




    2,123614







    • 1





      Is fingerprint really that good when it's relatively trivial to lift fingerprints, sometimes off the phone itself and create moulds to access the device

      – Expired Data
      Feb 14 at 10:50






    • 2





      Depending on the fingerprint sensor it seems hard to get it to work even with the actual finger. ;) One added layer of security is to use a password for unlocking the phone and the fingerprint sensor for other authentication once the phone is unlocked.

      – Esa Jokinen
      Feb 14 at 10:59












    • 1





      Is fingerprint really that good when it's relatively trivial to lift fingerprints, sometimes off the phone itself and create moulds to access the device

      – Expired Data
      Feb 14 at 10:50






    • 2





      Depending on the fingerprint sensor it seems hard to get it to work even with the actual finger. ;) One added layer of security is to use a password for unlocking the phone and the fingerprint sensor for other authentication once the phone is unlocked.

      – Esa Jokinen
      Feb 14 at 10:59







    1




    1





    Is fingerprint really that good when it's relatively trivial to lift fingerprints, sometimes off the phone itself and create moulds to access the device

    – Expired Data
    Feb 14 at 10:50





    Is fingerprint really that good when it's relatively trivial to lift fingerprints, sometimes off the phone itself and create moulds to access the device

    – Expired Data
    Feb 14 at 10:50




    2




    2





    Depending on the fingerprint sensor it seems hard to get it to work even with the actual finger. ;) One added layer of security is to use a password for unlocking the phone and the fingerprint sensor for other authentication once the phone is unlocked.

    – Esa Jokinen
    Feb 14 at 10:59





    Depending on the fingerprint sensor it seems hard to get it to work even with the actual finger. ;) One added layer of security is to use a password for unlocking the phone and the fingerprint sensor for other authentication once the phone is unlocked.

    – Esa Jokinen
    Feb 14 at 10:59











    3














    There is a better solution.. Display instead the phone number of the person you want contacted in case of emergency, labeling it clearly 'ICE' (which means 'in case of emergency' to all emergency workers). Then if you get in an accident and are unconscious your person will be contacted a lot faster. And as a side effect if you lose your phone a friend will get quickly notified too






    share|improve this answer



























      3














      There is a better solution.. Display instead the phone number of the person you want contacted in case of emergency, labeling it clearly 'ICE' (which means 'in case of emergency' to all emergency workers). Then if you get in an accident and are unconscious your person will be contacted a lot faster. And as a side effect if you lose your phone a friend will get quickly notified too






      share|improve this answer

























        3












        3








        3







        There is a better solution.. Display instead the phone number of the person you want contacted in case of emergency, labeling it clearly 'ICE' (which means 'in case of emergency' to all emergency workers). Then if you get in an accident and are unconscious your person will be contacted a lot faster. And as a side effect if you lose your phone a friend will get quickly notified too






        share|improve this answer













        There is a better solution.. Display instead the phone number of the person you want contacted in case of emergency, labeling it clearly 'ICE' (which means 'in case of emergency' to all emergency workers). Then if you get in an accident and are unconscious your person will be contacted a lot faster. And as a side effect if you lose your phone a friend will get quickly notified too







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Feb 14 at 19:29









        George MGeorge M

        1314




        1314





















            2














            I would consider that the main risk of placing the email address there is that in case it is lost, it would be a phishing target for unlocking the device.



            This is quite common with Apple devices: iPhone is lost/stolen, and thus the owner locks access to the phone, so it's no longer possible to use this device (unless accessing the Apple account of the owner). However, the message shown for those that find it often includes the email address associated to the account. Thus, what attackers do (actually there are people selling this 'service') is to send a phishing email there claiming to come from Apple and stating that the iPhone has been found, that actually leads to a phishing page from which the credentials of such accounts are harvested for freeing the device.



            I find that the same approach would equally work with an Android phone. If the email address shown is the Google account linked to the device (as it'd be usual to be), phishing the account credentials would allow unlocking the device.



            Using a secondary email address exclusively for that (which should then receive 0 mails, and you may not even look at until you lose your phone), and not linked to the phone, should help.† Although you should be very wary that anything received there should be presumed to be a phishing attempt (note that any notification regarding the lost phone would not be sent there, only a human that had read the message would direct phone-related mails there!).



            † Of course, store the name and password for that email safely, as well as of the primary account where the device backups everything.






            share|improve this answer























            • Some assume every lost phone is stolen. I once found one and was trying to figure out how to contact the owner when she tried to video call me to get the face of "the stealer".

              – Esa Jokinen
              Feb 15 at 16:52















            2














            I would consider that the main risk of placing the email address there is that in case it is lost, it would be a phishing target for unlocking the device.



            This is quite common with Apple devices: iPhone is lost/stolen, and thus the owner locks access to the phone, so it's no longer possible to use this device (unless accessing the Apple account of the owner). However, the message shown for those that find it often includes the email address associated to the account. Thus, what attackers do (actually there are people selling this 'service') is to send a phishing email there claiming to come from Apple and stating that the iPhone has been found, that actually leads to a phishing page from which the credentials of such accounts are harvested for freeing the device.



            I find that the same approach would equally work with an Android phone. If the email address shown is the Google account linked to the device (as it'd be usual to be), phishing the account credentials would allow unlocking the device.



            Using a secondary email address exclusively for that (which should then receive 0 mails, and you may not even look at until you lose your phone), and not linked to the phone, should help.† Although you should be very wary that anything received there should be presumed to be a phishing attempt (note that any notification regarding the lost phone would not be sent there, only a human that had read the message would direct phone-related mails there!).



            † Of course, store the name and password for that email safely, as well as of the primary account where the device backups everything.






            share|improve this answer























            • Some assume every lost phone is stolen. I once found one and was trying to figure out how to contact the owner when she tried to video call me to get the face of "the stealer".

              – Esa Jokinen
              Feb 15 at 16:52













            2












            2








            2







            I would consider that the main risk of placing the email address there is that in case it is lost, it would be a phishing target for unlocking the device.



            This is quite common with Apple devices: iPhone is lost/stolen, and thus the owner locks access to the phone, so it's no longer possible to use this device (unless accessing the Apple account of the owner). However, the message shown for those that find it often includes the email address associated to the account. Thus, what attackers do (actually there are people selling this 'service') is to send a phishing email there claiming to come from Apple and stating that the iPhone has been found, that actually leads to a phishing page from which the credentials of such accounts are harvested for freeing the device.



            I find that the same approach would equally work with an Android phone. If the email address shown is the Google account linked to the device (as it'd be usual to be), phishing the account credentials would allow unlocking the device.



            Using a secondary email address exclusively for that (which should then receive 0 mails, and you may not even look at until you lose your phone), and not linked to the phone, should help.† Although you should be very wary that anything received there should be presumed to be a phishing attempt (note that any notification regarding the lost phone would not be sent there, only a human that had read the message would direct phone-related mails there!).



            † Of course, store the name and password for that email safely, as well as of the primary account where the device backups everything.






            share|improve this answer













            I would consider that the main risk of placing the email address there is that in case it is lost, it would be a phishing target for unlocking the device.



            This is quite common with Apple devices: iPhone is lost/stolen, and thus the owner locks access to the phone, so it's no longer possible to use this device (unless accessing the Apple account of the owner). However, the message shown for those that find it often includes the email address associated to the account. Thus, what attackers do (actually there are people selling this 'service') is to send a phishing email there claiming to come from Apple and stating that the iPhone has been found, that actually leads to a phishing page from which the credentials of such accounts are harvested for freeing the device.



            I find that the same approach would equally work with an Android phone. If the email address shown is the Google account linked to the device (as it'd be usual to be), phishing the account credentials would allow unlocking the device.



            Using a secondary email address exclusively for that (which should then receive 0 mails, and you may not even look at until you lose your phone), and not linked to the phone, should help.† Although you should be very wary that anything received there should be presumed to be a phishing attempt (note that any notification regarding the lost phone would not be sent there, only a human that had read the message would direct phone-related mails there!).



            † Of course, store the name and password for that email safely, as well as of the primary account where the device backups everything.







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered Feb 14 at 22:10









            ÁngelÁngel

            9,55611340




            9,55611340












            • Some assume every lost phone is stolen. I once found one and was trying to figure out how to contact the owner when she tried to video call me to get the face of "the stealer".

              – Esa Jokinen
              Feb 15 at 16:52

















            • Some assume every lost phone is stolen. I once found one and was trying to figure out how to contact the owner when she tried to video call me to get the face of "the stealer".

              – Esa Jokinen
              Feb 15 at 16:52
















            Some assume every lost phone is stolen. I once found one and was trying to figure out how to contact the owner when she tried to video call me to get the face of "the stealer".

            – Esa Jokinen
            Feb 15 at 16:52





            Some assume every lost phone is stolen. I once found one and was trying to figure out how to contact the owner when she tried to video call me to get the face of "the stealer".

            – Esa Jokinen
            Feb 15 at 16:52











            0














            Including your email there is a pretty risky move. Imagine you lose the phone and a bad guy finds it:



            • he sees the email and goes to example.com and tries to log in

            • since he doesn't know the password, he chooses to recover the account by sending a token to your (now his) phone

            • the text notification on the phone displays the token since it isn't very long (and you have it configured to show that preview)

            • now he can change the password of example.com and that account is gone

            He can repeat that for other services and cause a lot of damage, so don't include your email. Look at the other answers that provide good advice (in this answer I just wanted to point out how easily things could go wrong).






            share|improve this answer




















            • 1





              This is basically my answer, but your take on it requires a very specific set up for lock screen notifications, how 2FA is used, and how the password reset process works on the site's side....

              – schroeder
              Feb 14 at 13:26











            • @schroeder, exactly, that's why I added the bits related to specific set up for lock screen notifications, how 2FA is used, and how the password reset process works on the site's side, mentioned to look the other answers (including yours) and also told why my answer was estructured that way

              – Felipe Pereira
              Feb 14 at 13:30






            • 2





              In any event, my comment still stands. I'm not sure that this adds anything and it requires a very specific set things to be true to be relevant.

              – schroeder
              Feb 14 at 14:27











            • @schroeder well, you didn't suggested that I reacted to your comment, you just went ahead and stated it by saying Those additions came after my comment., and that isn't true at all, again, the answer wasn't edited after I posted it, there is no way you can have read two versions of it, unless you as a mod can see the draft while I'm writing it. In case you are not sure if this answer adds anything, I elaborated on what you mentioned in might have unintended consequences, it adds a clear example of an exploit against having the email there.

              – Felipe Pereira
              Feb 14 at 14:37






            • 1





              Also not an answer if you refer to another answer which could be modified or deleted in the future.

              – pipe
              Feb 14 at 16:02















            0














            Including your email there is a pretty risky move. Imagine you lose the phone and a bad guy finds it:



            • he sees the email and goes to example.com and tries to log in

            • since he doesn't know the password, he chooses to recover the account by sending a token to your (now his) phone

            • the text notification on the phone displays the token since it isn't very long (and you have it configured to show that preview)

            • now he can change the password of example.com and that account is gone

            He can repeat that for other services and cause a lot of damage, so don't include your email. Look at the other answers that provide good advice (in this answer I just wanted to point out how easily things could go wrong).






            share|improve this answer




















            • 1





              This is basically my answer, but your take on it requires a very specific set up for lock screen notifications, how 2FA is used, and how the password reset process works on the site's side....

              – schroeder
              Feb 14 at 13:26











            • @schroeder, exactly, that's why I added the bits related to specific set up for lock screen notifications, how 2FA is used, and how the password reset process works on the site's side, mentioned to look the other answers (including yours) and also told why my answer was estructured that way

              – Felipe Pereira
              Feb 14 at 13:30






            • 2





              In any event, my comment still stands. I'm not sure that this adds anything and it requires a very specific set things to be true to be relevant.

              – schroeder
              Feb 14 at 14:27











            • @schroeder well, you didn't suggested that I reacted to your comment, you just went ahead and stated it by saying Those additions came after my comment., and that isn't true at all, again, the answer wasn't edited after I posted it, there is no way you can have read two versions of it, unless you as a mod can see the draft while I'm writing it. In case you are not sure if this answer adds anything, I elaborated on what you mentioned in might have unintended consequences, it adds a clear example of an exploit against having the email there.

              – Felipe Pereira
              Feb 14 at 14:37






            • 1





              Also not an answer if you refer to another answer which could be modified or deleted in the future.

              – pipe
              Feb 14 at 16:02













            0












            0








            0







            Including your email there is a pretty risky move. Imagine you lose the phone and a bad guy finds it:



            • he sees the email and goes to example.com and tries to log in

            • since he doesn't know the password, he chooses to recover the account by sending a token to your (now his) phone

            • the text notification on the phone displays the token since it isn't very long (and you have it configured to show that preview)

            • now he can change the password of example.com and that account is gone

            He can repeat that for other services and cause a lot of damage, so don't include your email. Look at the other answers that provide good advice (in this answer I just wanted to point out how easily things could go wrong).






            share|improve this answer















            Including your email there is a pretty risky move. Imagine you lose the phone and a bad guy finds it:



            • he sees the email and goes to example.com and tries to log in

            • since he doesn't know the password, he chooses to recover the account by sending a token to your (now his) phone

            • the text notification on the phone displays the token since it isn't very long (and you have it configured to show that preview)

            • now he can change the password of example.com and that account is gone

            He can repeat that for other services and cause a lot of damage, so don't include your email. Look at the other answers that provide good advice (in this answer I just wanted to point out how easily things could go wrong).







            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited Feb 14 at 13:30









            schroeder

            77.1k30171206




            77.1k30171206










            answered Feb 14 at 13:21









            Felipe PereiraFelipe Pereira

            769410




            769410







            • 1





              This is basically my answer, but your take on it requires a very specific set up for lock screen notifications, how 2FA is used, and how the password reset process works on the site's side....

              – schroeder
              Feb 14 at 13:26











            • @schroeder, exactly, that's why I added the bits related to specific set up for lock screen notifications, how 2FA is used, and how the password reset process works on the site's side, mentioned to look the other answers (including yours) and also told why my answer was estructured that way

              – Felipe Pereira
              Feb 14 at 13:30






            • 2





              In any event, my comment still stands. I'm not sure that this adds anything and it requires a very specific set things to be true to be relevant.

              – schroeder
              Feb 14 at 14:27











            • @schroeder well, you didn't suggested that I reacted to your comment, you just went ahead and stated it by saying Those additions came after my comment., and that isn't true at all, again, the answer wasn't edited after I posted it, there is no way you can have read two versions of it, unless you as a mod can see the draft while I'm writing it. In case you are not sure if this answer adds anything, I elaborated on what you mentioned in might have unintended consequences, it adds a clear example of an exploit against having the email there.

              – Felipe Pereira
              Feb 14 at 14:37






            • 1





              Also not an answer if you refer to another answer which could be modified or deleted in the future.

              – pipe
              Feb 14 at 16:02












            • 1





              This is basically my answer, but your take on it requires a very specific set up for lock screen notifications, how 2FA is used, and how the password reset process works on the site's side....

              – schroeder
              Feb 14 at 13:26











            • @schroeder, exactly, that's why I added the bits related to specific set up for lock screen notifications, how 2FA is used, and how the password reset process works on the site's side, mentioned to look the other answers (including yours) and also told why my answer was estructured that way

              – Felipe Pereira
              Feb 14 at 13:30






            • 2





              In any event, my comment still stands. I'm not sure that this adds anything and it requires a very specific set things to be true to be relevant.

              – schroeder
              Feb 14 at 14:27











            • @schroeder well, you didn't suggested that I reacted to your comment, you just went ahead and stated it by saying Those additions came after my comment., and that isn't true at all, again, the answer wasn't edited after I posted it, there is no way you can have read two versions of it, unless you as a mod can see the draft while I'm writing it. In case you are not sure if this answer adds anything, I elaborated on what you mentioned in might have unintended consequences, it adds a clear example of an exploit against having the email there.

              – Felipe Pereira
              Feb 14 at 14:37






            • 1





              Also not an answer if you refer to another answer which could be modified or deleted in the future.

              – pipe
              Feb 14 at 16:02







            1




            1





            This is basically my answer, but your take on it requires a very specific set up for lock screen notifications, how 2FA is used, and how the password reset process works on the site's side....

            – schroeder
            Feb 14 at 13:26





            This is basically my answer, but your take on it requires a very specific set up for lock screen notifications, how 2FA is used, and how the password reset process works on the site's side....

            – schroeder
            Feb 14 at 13:26













            @schroeder, exactly, that's why I added the bits related to specific set up for lock screen notifications, how 2FA is used, and how the password reset process works on the site's side, mentioned to look the other answers (including yours) and also told why my answer was estructured that way

            – Felipe Pereira
            Feb 14 at 13:30





            @schroeder, exactly, that's why I added the bits related to specific set up for lock screen notifications, how 2FA is used, and how the password reset process works on the site's side, mentioned to look the other answers (including yours) and also told why my answer was estructured that way

            – Felipe Pereira
            Feb 14 at 13:30




            2




            2





            In any event, my comment still stands. I'm not sure that this adds anything and it requires a very specific set things to be true to be relevant.

            – schroeder
            Feb 14 at 14:27





            In any event, my comment still stands. I'm not sure that this adds anything and it requires a very specific set things to be true to be relevant.

            – schroeder
            Feb 14 at 14:27













            @schroeder well, you didn't suggested that I reacted to your comment, you just went ahead and stated it by saying Those additions came after my comment., and that isn't true at all, again, the answer wasn't edited after I posted it, there is no way you can have read two versions of it, unless you as a mod can see the draft while I'm writing it. In case you are not sure if this answer adds anything, I elaborated on what you mentioned in might have unintended consequences, it adds a clear example of an exploit against having the email there.

            – Felipe Pereira
            Feb 14 at 14:37





            @schroeder well, you didn't suggested that I reacted to your comment, you just went ahead and stated it by saying Those additions came after my comment., and that isn't true at all, again, the answer wasn't edited after I posted it, there is no way you can have read two versions of it, unless you as a mod can see the draft while I'm writing it. In case you are not sure if this answer adds anything, I elaborated on what you mentioned in might have unintended consequences, it adds a clear example of an exploit against having the email there.

            – Felipe Pereira
            Feb 14 at 14:37




            1




            1





            Also not an answer if you refer to another answer which could be modified or deleted in the future.

            – pipe
            Feb 14 at 16:02





            Also not an answer if you refer to another answer which could be modified or deleted in the future.

            – pipe
            Feb 14 at 16:02

















            draft saved

            draft discarded
















































            Thanks for contributing an answer to Information Security Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f203478%2fdownsides-of-showing-email-address-on-android-lock-screen%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown






            Popular posts from this blog

            How to check contact read email or not when send email to Individual?

            Displaying single band from multi-band raster using QGIS

            How many registers does an x86_64 CPU actually have?