Android devices may still leave data recoverable even after a factory reset, according to a new report from the University of Cambridge. The report says that sensitive personal information, including user data and credentials, can be recovered from an Android handset even after a full factory reset of the phone.
The report further states that the feature, which is supposed to eradicate all data from the device, does not work as it is supposed to on up to 630 million Android handsets. On around 500 million handsets it fails to properly erase the data partition, where “credentials and other sensitive data are stored”, while on roughly 130 million devices it does not properly erase the user-accessible storage. Moreover, relying on encryption to protect the data does not necessarily help either.
The researchers said they purchased refurbished handsets from top brands, including LG, Motorola, HTC and Google's Nexus line, from eBay and other resellers; the phones ran Android versions ranging from 2.3 Gingerbread to 4.3 Jelly Bean.
“As a test, we factory reset our own phone, and then recovered the master token. After the reboot, the phone successfully re-synchronized contacts, emails, and so on. We recovered Google tokens in all devices with a flawed factory reset, and the master token 80 percent of the time,” said the authors of the research.
The report notes that personal data could be recovered because the authentication tokens used to log users into their Facebook, Gmail and Twitter accounts automatically were often left behind in flash storage, which is difficult to erase properly. The researchers were able to retrieve the contents of text messages, emails and messaging apps, along with the log-in credentials to users’ Google accounts, in all 21 devices used for the study.
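The failure described above, a data partition that is only logically cleared and tokens that survive in flash, is something a practitioner can check for on their own handset by dumping the raw userdata partition (the assumption here is an image taken with `dd` from a rooted device or a custom recovery) and scanning it for blocks that were never overwritten and for carvable artefacts. The following Python script is an added example, not code from the Cambridge report or from the article; the block size, the regular expressions and the sample image are heuristics and constructed data chosen for illustration.

```python
"""Scan a raw Android userdata partition image for data that survived a
factory reset. Added example; the patterns below are heuristics, not the
Cambridge authors' carving rules, and the sample image is constructed."""
import re
from typing import Dict, List

BLOCK_SIZE = 4096  # assumed flash page size used for the uniformity check


def residual_blocks(image: bytes, block_size: int = BLOCK_SIZE) -> List[int]:
    """Return indices of blocks that are not uniformly erased.

    Erased NAND reads back as 0xFF and a freshly formatted ext4 partition is
    mostly zero-filled, so a block that is neither all-0x00 nor all-0xFF still
    carries content that the reset should have destroyed.
    """
    found = []
    for offset in range(0, len(image), block_size):
        block = image[offset:offset + block_size]
        if block.count(b"\x00") == len(block) or block.count(b"\xff") == len(block):
            continue
        found.append(offset // block_size)
    return found


# Heuristic signatures for surviving personal data (assumptions, not from the paper):
RESIDUE_PATTERNS: Dict[str, "re.Pattern[bytes]"] = {
    # SQLite files hold Android's account store and most app message stores.
    "sqlite_header": re.compile(rb"SQLite format 3\x00"),
    # An account e-mail address identifies the previous owner directly.
    "email": re.compile(rb"[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}"),
    # Long base64-like runs are a rough indicator of OAuth/auth tokens.
    "token_like": re.compile(rb"(?<![A-Za-z0-9_\-])[A-Za-z0-9_\-]{40,}"),
}


def find_residue(image: bytes) -> Dict[str, List[bytes]]:
    """Carve the whole image for the signatures above, ignoring block layout."""
    hits: Dict[str, List[bytes]] = {}
    for name, pattern in RESIDUE_PATTERNS.items():
        matches = [m.group(0) for m in pattern.finditer(image)]
        if matches:
            hits[name] = matches
    return hits


def reset_was_effective(image: bytes) -> bool:
    """True only if nothing survived: no stale blocks and no carvable artefacts."""
    return not residual_blocks(image) and not find_residue(image)


def build_sample_image() -> bytes:
    """Constructed sample: a 16-block 'userdata' dump where the reset rewrote
    only filesystem metadata and left an accounts database page behind."""
    erased = b"\xff" * BLOCK_SIZE
    zeroed = b"\x00" * BLOCK_SIZE
    leftover = (b"SQLite format 3\x00" + b"\x00" * 80
                + b"alice@example.com\x00"
                + b"token=1/" + b"x9Fq" * 12 + b"\x00")
    leftover = leftover.ljust(BLOCK_SIZE, b"\x00")
    return b"".join([zeroed] * 4 + [erased] * 8 + [leftover] + [erased] * 3)


if __name__ == "__main__":
    img = build_sample_image()
    print("stale blocks:", residual_blocks(img))
    for kind, found in find_residue(img).items():
        print(f"{kind}: {len(found)} hit(s), first = {found[0][:32]!r}")
    print("reset effective:", reset_was_effective(img))
```

On a real dump the two checks answer different questions: `residual_blocks` tells you whether the reset touched the flash at all, while `find_residue` tells you whether what is left is actually sensitive. A device whose reset only reformats metadata will typically show thousands of stale blocks and at least the SQLite and e-mail hits; a device that erases properly should produce an empty list and no hits.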
The report also attributes the flaw to smartphone manufacturers, who fail to ship timely updates and the software drivers needed for proper erasure, while part of the blame lies with Google for not providing “support for proper deletion of the internal and external SD card in all OS versions”.
Taiwanese manufacturer HTC appears to be aware of the limitation, stating on its official One M8 page that “A factory reset may not permanently erase all data from your phone, including personal information”.
Meanwhile, Android lead security engineer Adrian Ludwig applauded the researchers for their efforts but responded that device encryption still makes recovery of the data “significantly more difficult”.
“This is one of the reasons we have enabled encryption by default on the Nexus 6 and 9 [smartphones], and one of the reasons we have very strongly recommended it for other manufacturers as well,” added Ludwig.
However, the study did not include the two most recent major Android releases, KitKat (4.4) and Lollipop (5.0).
So what precautions should an ordinary user take? The report implies that not a lot can be done to guarantee personal information is gone once a device has been reset, but it does offer some recommendations for damage limitation.