Android factory reset not enough to keep data secureMay 22, 2015 – 4:27 AM
If you sell or gift your old Android phone to someone, is it enough to do a factory reset to wipe all your sensitive data? And if your Android gets stolen, how sure are you that your anti-theft solution will do a good job wiping it and/or locking the device?
Consumers generally have no insight in how well these features work. Their only option is to trust the manufacturers’ and developers’ assurances, and wait for security researchers to test the solutions.
Today, two researchers from the Security Group at the University of Cambridge Computer Laboratory have published two papers that answer those questions.
The first one details the results of a security analysis of Android’s Factory Reset option, tested on 21 second-hand Android smartphones from 5 vendors running Android versions v2.3.x to v4.3.
The researchers concentrated on cheap data recovery attacks that require neither expensive equipment nor specific per-chip knowledge, and found that they could recover some SMSes, emails, and/or chats from messaging apps, and Google master cookies and Facebook authentication tokens which would allow them to access those users’ accounts.
All in all, they estimate that “up to 500 million devices may not properly sanitise their data partition where credentials and other sensitive data are stored, and up to 630M may not properly sanitise the internal SD card where multimedia files are generally saved.”
“We found we could recover Google credentials on all devices presenting a flawed Factory Reset,” they noted. “Full-disk encryption has the potential to mitigate the problem, but we found that a flawed Factory Reset leaves behind enough data for the encryption key to be recovered.”