Got an older Android smartphone?
Be careful how you dispose of it. Because whether you recycle it, give it to a friend, or sell it on eBay, you could be putting your personal information and data at risk.
The problem, according to Cambridge University security researchers Laurent Simon and Ross Anderson, lies in the “factory reset” option on devices running Android 2.3.x Gingerbread through to Android 4.3 Ice Cream Sandwich.
In a paper entitled “Security Analysis of Android Factory Resets”, Simon and Anderson describe how they tested 21 Android devices manufactured by Samsung, HTC, LG, Motorola, and Google, which they had bought on eBay and from phone recycling companies:
“We estimate that up to 500 million devices may not properly sanitise their data partition where credentials and other sensitive data are stored, and up to 630M may not properly sanitise the internal SD card where multimedia files are generally saved.”
“We found we could recover Google credentials on all devices presenting a flawed Factory Reset. Full-disk encryption has the potential to mitigate the problem, but we found that a flawed Factory Reset leaves behind enough data for the encryption key to be recovered.”
In other words, you may not have wiped your old Android phone properly – and the company you asked to recycle your Android phone may not have wiped it properly either.
Furthermore, Simon and Anderson say that recovering the sensitive data does not require expensive equipment, and it’s easy to imagine how a criminal who has recovered data, conversations or images from an Android device could exploit their haul for the purposes of identity fraud or blackmail.
And don’t just imagine that this is only a problem if you rely upon the “Factory reset” option of the Android operating system. As the researchers explore in a different paper, mobile security apps which allow you to remotely wipe a lost Android smartphone may also be doing a poor job if they rely upon a faulty factory reset.
On their blog, Anderson and Simon warn that it could be possible for criminals to use the security weakness to impact a large number of people:
“These failings mean that staff at firms which handle lots of second-hand phones (whether lost, stolen, sold or given to charity) could launch some truly industrial-scale attacks.”
All in all, maybe your Android smartphone wasn’t as smart as you thought…
Read more: “Security Analysis of Android Factory Resets”, Laurent Simon and Ross Anderson, University of Cambridge.
One comment on “Android’s faulty factory reset puts your data privacy at risk”
Individuals wanting to sell on old Android devices should first encrypt their device, where possible, via the security settings and then perform a factory reset. Additionally it would be prudent to employ 2-step-verification on one’s Google account. Without a special code, downloaded ahead of time or sent via SMS, in addition to one’s password the account cannot be accessed. It might also be advisable to change all passwords of any accounts used on said device.
Of course the more foolproof method would be to encrypt, wipe and then physically destroy the device. Since the second hand value of such devices is low anyway, my advice would be to take the latter option or just keep it on your shelf.
It must also be remembered that such risks apply to many computer devices. If a hard drive has sensitive information on it, it would be best to destroy it rather than sell it on.
The issue concerning remote wipe apps is of course concerning, but the facility is better than nothing and if used in conjunction with a device already encrypted you're probably better protected than most should the device be lost or stolen – and certainly better protected than if one had lost a PC.
With all the phishing, spamming and scamming going on these days, people should think twice about the disposal or selling on of any electronic device which may retain important information. It seems nothing short of an EM pulse or complete destruction of a device will protect you from anyone, be it a criminal or law enforcement, should they be interested in gleaning information from a device.