Most people simply do a factory reset prior to selling their old smartphone, thinking that this method will be effective in wiping out existing data. What if we were to burst your bubble and tell you that is not the case?!
People store images, passwords, login tokens and texts on their smartphones, and they want that data gone before they sell the handset. The common procedure is to perform a factory reset, which is supposed to wipe the device's memory and restore its original settings. However, it seems that a factory reset alone is not sufficient on Android devices.
A study by researchers at Cambridge University on 21 Android-based devices found a flaw in Android devices that leaves your sensitive data accessible to attackers even after you have performed a factory reset.
This flaw leaves residual data behind even after an Android user has performed a factory reset. The researchers at Cambridge University tested devices from five different mobile OEMs. The 21 used smartphones were running Android versions from 2.3 Gingerbread to 4.3 Jelly Bean. The researchers discovered that a good amount of data remained in the smartphones' data partitions, leaving the former owners exposed.
The area where sensitive information, such as the login tokens used to sign into Google, was retained after the reset included in-built SD cards. The researchers even found text and email conversations that could potentially be used to blackmail unsuspecting victims.
The flaw lies in the flash memory of an Android device, which restricts how much of the memory a reset can actually overwrite.
So, what is the solution, you ask, if Android's factory reset does not completely wipe out your data? Here are some fixes:
"If you plan to resell or discard your device and you haven't already, encrypt it and then perform a factory reset," Android security lead engineer Adrian Ludwig said.
- Encrypt the data on your smartphone before putting it up for sale or disposing of it. To do this, head to Settings > Security > Encrypt Phone.
The Nexus 6 and Nexus 9 are encrypted by default, but on other Android devices you have to enable full disk encryption (FDE) yourself. After encrypting, perform the factory reset: the leftover data is then scrambled and useless to anyone who recovers it.
Encrypting does not actually delete the files, but the factory reset process destroys the encryption key. As a result, the device has no way to decrypt the files, which makes data recovery extremely difficult.
- For extra effectiveness, it is recommended that a user enables FDE on a supported device the first time it is used.
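To see why "encrypt, then reset" works where a plain reset does not, here is an added simulation (not code from the article or from the Cambridge study) of a flash data partition whose factory reset only drops the filesystem index, as the study describes, leaving the cells untouched. The cipher is a toy HMAC-SHA256 keystream standing in for Android's real FDE, and the login token is a constructed sample value.

```python
import hashlib
import hmac
import secrets

FLASH_SIZE = 4096  # toy partition size in bytes (assumption)


def keystream(key: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 over a block counter. Not Android's dm-crypt."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class ToyFlash:
    """Data partition whose 'factory reset' only discards metadata, not cell contents."""

    def __init__(self, encrypted: bool):
        self.cells = bytearray(FLASH_SIZE)
        self.index = {}                       # filename -> (offset, length)
        # FDE key lives on the device; None means the partition is plaintext
        self.key = secrets.token_bytes(32) if encrypted else None

    def write(self, name: bytes, data: bytes, offset: int) -> None:
        if self.key is not None:
            data = bytes(a ^ b for a, b in zip(data, keystream(self.key, len(data))))
        self.cells[offset:offset + len(data)] = data
        self.index[name] = (offset, len(data))

    def factory_reset(self) -> None:
        self.index.clear()   # quick format: files "gone", cells never overwritten
        self.key = None      # the one thing the reset reliably destroys: the key


def token_recoverable_after_reset(encrypted: bool) -> bool:
    """Carve the raw cells for the token marker, as a forensic tool on a used phone would."""
    flash = ToyFlash(encrypted)
    # Constructed sample login token, not a real credential
    flash.write(b"accounts.db", b"oauth_token=CONSTRUCTED_SAMPLE_TOKEN_123", 512)
    flash.factory_reset()
    return bytes(flash.cells).find(b"oauth_token=") != -1


if __name__ == "__main__":
    print("plain reset, token carved from residue:", token_recoverable_after_reset(False))
    print("encrypt + reset, token carved from residue:", token_recoverable_after_reset(True))
```

With the plaintext partition the token is still readable straight out of the residual cells; with FDE enabled beforehand only ciphertext remains and the key needed to read it is gone.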
According to the Cambridge University researchers, smartphone vendors can rely on the eMMC architecture, which supports digital sanitization of stored data. To do so, vendors must expose eMMC's digital sanitization to Android, the recovery kernel and the bootloader.
Photo: Marial Elena | Flickr