A factory reset allows you to sell or trade in your phone for a newer model — leaving you safe in the knowledge that all your personal information has been removed, right? Apparently not with Android phones, according to a new study.
Researchers were able to recover Google credentials from factory-reset Android phones — which gave them access to the previous user's emails, contacts, text messages and any other information on each device.
Computer scientists at Cambridge University were able to recover data on a wide range of Android devices during the first comprehensive study on the effectiveness of the factory reset feature. The flaw was found in 21 devices from five different manufacturers running a range of Android versions from v2.3.x up to v4.3, which includes Gingerbread, Honeycomb, Ice Cream Sandwich and Jelly Bean.
In total, the study found that an estimated 500 million phones don't delete all data from the device's internal disk and 630 million devices fail to completely wipe removable SD memory cards.
The research paper, titled "Security Analysis of Android Factory Resets," said data could be recovered even when users turned on full-disk encryption.
All 21 phones that were tested retained at least some fragments of the supposedly wiped material, including contact information stored in apps like Facebook or WhatsApp, images and video from the camera, and text-based data from text messages and emails.
Most disturbing, however, is that in 80 percent of cases, the researchers were able to access the previous user's Google login credentials. In theory, anyone with this login could access a person's Gmail and gain access to any app associated with that user's Android account — like online banking or health insurance apps.
"We found we could recover Google credentials on all devices presenting a flawed Factory Reset," researchers Laurent Simon and Ross Anderson stated in the report.
Some of the flaws were a result of phone manufacturers failing to provide the updated software drivers required to fully wipe the device drives. But mostly, the problem comes down to fundamental Android flaws.
The phones use flash storage, which is extremely difficult to erase. Flash storage typically has more memory than is recognized by the phone's operating system. This is to account for portions of the memory that will deteriorate and wear out over time. However, because the operating system cannot directly address that extra memory, it is also very difficult to fully wipe the storage.
In order to protect your Android device, the computer scientists suggest encrypting the phone with a strong password of 11 characters or more, to withstand brute-force attacks. The only problem is having to enter this long password every time you want to unlock your device — which isn't exactly convenient.
The results of the study could have consequences for the secondhand phone market and phone recycling companies. The 21 phones used in the study were bought from eBay and phone recycling companies in the UK. If users can't be sure their data is secure, they might think twice about getting rid of their old phones.
The study didn't incorporate newer versions of Android like KitKat or Lollipop, but the researchers said it was plausible that newer devices are also affected.
So is this all good news for Apple? Perhaps not. Given that iPhones also use flash disks, they could be susceptible to the same issues. Then again, the drives are encrypted by default, so they could prove trickier for hackers to access.
The one comfort is that criminals might not bother trying to access your phone at all. The paper speculates that in most cases, the data recovered may not be profitable enough to justify the cost and effort involved in buying the phones and extracting the data.
"In general, high-value data like banking credentials appear likely to be the most profitable criminal option," the report reads. For their part, though, criminals would have no idea which phones have been used for internet banking before accessing them.
The researchers point out that it would therefore be much easier and more profitable for criminals to steal phones that have not yet been wiped. Still — it'll certainly make me think twice before I trade in my next phone.