Android users who thought that running a Factory Reset on their devices before selling them would remove their information may have to think again. Researchers have found that personal information can still be recovered.
“We estimate that up to 500 million devices may not properly sanitize their data partition where credentials and other sensitive data are stored, and up to 630 M may not properly sanitize the internal SD card where multimedia files are generally saved. We found we could recover Google credentials on all devices presenting a flawed Factory Reset,” Laurent Simon and Ross Anderson, from the University of Cambridge, wrote in their paper.
Between January and May 2014, they bought secondhand Android phones from eBay and from phone recycling companies in the UK, randomly selecting devices based on availability. Because the project could uncover personal information, it was first submitted to an ethics process for approval.
If you have sold or are selling an old Android device, keep in mind that most of the handsets tested did not properly wipe the whole data partition. This is where your account details are stored, so the person who buys your device can access your online accounts.
“We were able to retrieve the Google master cookie from the great majority of phones, which means that we could have logged on to the previous owner’s Gmail account. The reasons for failure are complex; new phones are generally better than old ones, and Google’s own brand phones are better than the OEM offerings. However, the vendors need to do a fair bit of work, and users need to take a fair amount of care,” Anderson wrote on his Light Blue Touch Paper blog.
They were also able to recover some “conversations” (SMSs, emails, and/or chats from messaging apps) on all devices; compromising conversations could be used to blackmail victims. To show the impact this could have on users, the researchers ran a factory reset on their own phone and recovered its Google master token, which can then be used to access content from the Google accounts.
“We then created the relevant files and rebooted the phone. After the reboot, the phone successfully re-synchronized contacts, emails, and so on. We recovered Google tokens in all devices with flawed Factory Reset, and the master token 80 percent of the time. Tokens for other apps such as Facebook can be recovered similarly. We stress that we have never attempted to use those tokens to access anyone’s account,” they said.
They estimate there are about 500 million old Android handsets that may not have been properly sanitized.
It is believed that a further 630 million may have only partially sanitized their SD card, which is where most multimedia files are stored. This is easily resolved by removing the SD card, which you will probably want for your new phone anyway.
These failings mean that staff at firms that handle lots of secondhand phones (whether lost, stolen, sold, or given to charity) could launch some truly industrial-scale attacks, Anderson wrote on his Light Blue Touch Paper blog.
Well, I guess all you can do to ensure your security is to keep your old phone, try using a file shredder app, or at least remove the SD card.