
Android Makes It Easy for Thieves to Steal Your Google Account.

Both Apple ID and Google accounts offer a method to reset the password

This is a difficult trend to quantify. Although the stereotype that iPhone owners are high-value targets may play a part, it’s unlikely we will get a complete picture from Stern’s reporting, which draws on her police contacts and on those who have shared their stories.


Whatever the statistics on thefts of Android devices may be, it is important to know that the same exploit exists on Android phones. As Mishaal Rahman points out, thieves can take control of a victim’s Google account by going through the password reset flow and authenticating with the device passcode.

In addition to Rahman’s instructions, malicious actors might be able to pass the second-factor authentication check if they choose the “Tap Yes” method. The prompt is sent to the device, where the Google app flow can detect it, passing the check.

It doesn’t really matter whether you choose facial recognition or fingerprint scanning, as these methods can fall back to a passcode, password, or pattern. Our best advice is to change your device’s passcode or pattern lock to an alphanumeric one.

It’s not a pleasant thought. Besides being a problem for password managers and authentication apps, it would also be a primary password that you’ll need to remember, with all the pitfalls and memory limitations that come with that. It would be tragic and ironic if thieves could steal the best password you have that isn’t 5aP9hadQ. Apple and Google should not accept basic single-device authentication methods for password resets. We have asked Google to remove such authentication methods. If we hear back, we will let you know.
