Be careful how you dispose of it. Because whether you recycle it, give it to a friend, or sell it on eBay, you could be putting your personal information and data at risk.
The problem, according to Cambridge University security researchers Laurent Simon and Ross Anderson, lies in the “factory reset” option on devices running Android 2.3.x Gingerbread through to Android 4.3 Ice Cream Sandwich.
In a paper entitled “Security Analysis of Android Factory Resets”, Simon and Anderson tested 21 Android devices manufactured by Samsung, HTC, LG, Motorola, and Google that they had bought on eBay and from phone recycling companies:
“We estimate that up to 500 million devices may not properly sanitise their data partition where credentials and other sensitive data are stored, and up to 630M may not properly sanitise the internal SD card where multimedia files are generally saved.”
“We found we could recover Google credentials on all devices presenting a flawed Factory Reset. Full-disk encryption has the potential to mitigate the problem, but we found that a flawed Factory Reset leaves behind enough data for the encryption key to be recovered.”
In other words, you may not have wiped your old Android phone properly – and the company you asked to recycle your Android phone may not have wiped it properly either.
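A simple way to check the claim for yourself before a device leaves your hands is to audit a raw dump of its data partition and see whether anything recognisable survived the reset. The script below is an added example, not code from the Simon and Anderson paper; the block size, the “erased” fill values and the file signatures it looks for are assumptions, and the sample image is constructed inline.

```python
# Added example: audit a raw flash partition image for residual data after
# a "factory reset".  Not from the Cambridge paper; block size, fill values
# and marker signatures are assumptions for illustration only.
from dataclasses import dataclass, field

BLOCK_SIZE = 4096                     # assumed erase-block granularity
ERASED_FILL = (b"\x00", b"\xff")      # zero-filled, or NAND erased state (0xFF)

# Signatures a sanitised partition should not contain (assumed list;
# Android keeps accounts and app state in SQLite databases).
MARKERS = {
    "sqlite_header": b"SQLite format 3\x00",
    "jpeg_soi": b"\xff\xd8\xff",
}

@dataclass
class WipeReport:
    total_blocks: int
    residual_blocks: int
    markers_found: dict = field(default_factory=dict)

    @property
    def sanitised(self) -> bool:
        return self.residual_blocks == 0 and not self.markers_found

def audit_image(image: bytes, block_size: int = BLOCK_SIZE) -> WipeReport:
    """Count blocks that are neither all-0x00 nor all-0xFF and record the
    offsets of well-known file signatures that survived the reset."""
    total = (len(image) + block_size - 1) // block_size
    residual = 0
    for i in range(total):
        blk = image[i * block_size:(i + 1) * block_size]
        if not any(blk == fill * len(blk) for fill in ERASED_FILL):
            residual += 1
    found = {}
    for name, sig in MARKERS.items():
        offsets, start = [], 0
        while (pos := image.find(sig, start)) != -1:
            offsets.append(pos)
            start = pos + 1
        if offsets:
            found[name] = offsets
    return WipeReport(total, residual, found)

def constructed_image() -> bytes:
    """Constructed sample: blocks 0-1 erased, block 2 holds a leftover SQLite
    header (as a flawed reset would leave), block 3 is arbitrary old data."""
    db = b"SQLite format 3\x00" + b"accounts".ljust(BLOCK_SIZE - 16, b"\x00")
    junk = bytes(range(256)) * (BLOCK_SIZE // 256)
    return b"\xff" * BLOCK_SIZE + b"\x00" * BLOCK_SIZE + db + junk

if __name__ == "__main__":
    r = audit_image(constructed_image())
    print(f"{r.residual_blocks}/{r.total_blocks} residual blocks, "
          f"markers: {r.markers_found}, sanitised: {r.sanitised}")
```

On a real device the input would be a dump of the data partition taken after the reset; a properly sanitised partition reports zero residual blocks and no markers.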
Furthermore, Simon and Anderson say that recovering the sensitive data does not require expensive equipment, and it’s easy to imagine how a criminal who has recovered data, conversations or images from an Android device could exploit their haul for the purposes of identity fraud or blackmail.
And don’t just imagine that this is only a problem if you rely upon the “Factory reset” option of the Android operating system. As the researchers explore in a different paper, mobile security apps which allow you to remotely wipe a lost Android smartphone may also be doing a poor job if they rely upon a faulty factory reset.
On their blog, Anderson and Simon warn that criminals could use the security weakness to affect a large number of people:
“These failings mean that staff at firms which handle lots of second-hand phones (whether lost, stolen, sold or given to charity) could launch some truly industrial-scale attacks.”
All in all, maybe your Android smartphone wasn’t as smart as you thought…
Read more: “Security Analysis of Android Factory Resets”, Laurent Simon and Ross Anderson, University of Cambridge.