![\"USB](\"https:\/\/www.europesays.com\/uk\/wp-content\/uploads\/2025\/04\/USB_stick_plugged_into_an_Android_phone_while_locked_hero_image-scaled.jpg\"\/ "\\"USB")
<\/p>\n<\/p>\n
Mishaal Rahman \/ Android Authority<\/p>\n
TL;DR<\/p>\n
If you\u2019re serious about security, then you probably already avoid inserting random USB sticks into your personal devices. It\u2019s good practice to be cautious of unknown USB devices, especially since you don\u2019t know what kinds of payloads they might contain. But if your Android device is lost or confiscated, then you can\u2019t stop someone else from inserting a USB device. To protect against this, Google is working on a new, optional feature in Android 16<\/a> that disables USB access when your phone is locked.<\/p>\n \nYou\u2019re reading an Authority Insights<\/strong> story. Discover Authority Insights<\/a> for more exclusive reports, app teardowns, leaks, and in-depth tech coverage you won\u2019t find anywhere else.<\/p>\n It might sound like paranoia, but there are valid reasons why one might want to block USB devices when your Android phone is locked. If you\u2019re a journalist or activist who is at risk of being targeted by hackers, you\u2019ll want to take every precaution you can to prevent your phone\u2019s contents from being extracted. USB peripherals like keyboards can be used to brute force the keyguard, while other devices can inject payloads that exploit vulnerabilities to unlock the device. This isn\u2019t hypothetical \u2014 Amnesty International\u2019s Security Lab recently documented<\/a> a zero-day USB driver exploit that was used to break into the phone of a student activist in Serbia.<\/p>\n The best way to stop these kinds of attacks is to disable USB data signaling, preventing USB devices from sending data to locked Android devices. This can be achieved in two ways: through hardware or software controls. Disabling USB data signaling at the hardware level cuts off the USB data lines entirely. Charging will still work, of course, but all peripherals\u2014including keyboards, mice, flash drives, and even external displays\u2014will not.<\/p>\n According to the GrapheneOS<\/a> team, implementing this hardware-level feature requires changes to USB drivers. In contrast, the software-level approach involves disabling high-level USB support, essentially blocking connections from new peripherals and gadgets when the device is locked. While either method would have thwarted the exploit documented by Amnesty International, the hardware-based approach offers slightly stronger security.<\/p>\n With the release of Android 12 in 2021, Google introduced an API for disabling USB data signaling at a software level. This API was made available to device admin apps, i.e. apps that manage enterprise devices. It wasn\u2019t used in any other context until the release of Android 15<\/a> last year, which enhanced the operating system\u2019s lockdown mode<\/a> to also disable USB data access. Now in Android 16, Google is looking to use this API to disable USB data access when your Android device is locked, but only if you enable Advanced Protection Mode.<\/p>\n Advanced Protection Mode<\/a> is a new feature in Android 16 that enables extra security features for people who opt in. It builds upon Google\u2019s Advanced Protection Program, a security program that provides extra protection against hackers getting into your Google account. When Advanced Protection Mode is enabled in Android 16, apps can\u2019t be granted the sideloading permission, 2G access can\u2019t be enabled, MTE is enabled for compatible apps, and WEP connections are blocked. In addition, apps can query the Advanced Protection Mode API to know when a user has opted in and then enable their own set of security features. As revealed in an APK teardown<\/a>, apps like Phone by Google and Messages are poised to support Advanced Protection Mode.<\/p>\n While digging through the recent Android 16 betas, I found strings that suggest enabling Advanced Protection Mode will also disable USB data signaling when Android is locked. The titles of each string have \u201c_apm_\u201d in them, which stands for Advanced Protection Mode internally. They also explicitly mention how new USB devices can\u2019t be used when Android is locked. When a new USB device is plugged in, a notification will appear that warns the user of \u201csuspicious USB activity.\u201d To use the device, you have to \u201cunlock Android first and then reinsert [the] USB device to use it.\u201d<\/p>\n Code<\/p>\n Copy TextUSB device is plugged in when Android is locked.
Google has yet to roll out a user-facing way to enable Advanced Protection Mode, but I was able to manually enable it in Android 16 Beta 4<\/a>. After enabling it, I was able to get the new USB data protection working, as shown in the video embedded below.<\/p>\n As you can see in the video, Android rejects both the USB stick and the keyboard I inserted into my Pixel device when it was locked. Only after unlocking and reinserting both items was I able to use them. After inserting them and then locking the device, they weren\u2019t disconnected\u2014suggesting that Android won\u2019t forcibly disconnect USB devices with an active data connection.<\/p>\n Mishaal Rahman \/ Android Authority<\/p>\n This is a simple security change that should prevent cases like the one described in the Amnesty International report from happening again. Hopefully Google rolls out a way to toggle Android 16\u2019s new Advanced Protection Mode soon, because it\u2019ll serve as an easy one-click toggle to enable a lot of features that security-conscious users will enjoy.<\/p>\n![\"Sideloading](\"https:\/\/www.europesays.com\/uk\/wp-content\/uploads\/2025\/04\/Sideloading_disabled_by_advanced_protection_in_Android_16_Beta_1.jpg\"\/ "\\"Sideloading")
![\"Advanced](\"https:\/\/www.europesays.com\/uk\/wp-content\/uploads\/2025\/04\/Advanced_protection_dialog_in_Android_16_Beta_1.jpg\"\/ "\\"Advanced")
<\/p>\n
\nTo use device, please unlock Android first and then reinsert USB device to use it.
\nUSB device plugged in when locked
\nUSB data signal has been disabled.
\nSuspicious USB activity<\/p>\n![\"USB](\"https:\/\/www.europesays.com\/uk\/wp-content\/uploads\/2025\/04\/USB_device_plugged_in_while_locked_notification.jpg\"\/ "\\"USB")
<\/p>\n