Flawed Android factory reset leaves crypto and login keys ripe for picking

An estimated 500 million Android phones don’t completely wipe data when their factory reset option is run, a weakness that may allow the recovery of login credentials, text messages, e-mails, and contacts, computer scientists said Thursday.

In the first comprehensive study of the effectiveness of the Android feature, Cambridge University researchers found that they were able to recover data on a wide range of devices that had run factory reset. The function, which is built into Google’s Android mobile operating system, is considered a crucial means for wiping confidential data off of devices before they’re sold, recycled, or otherwise retired. The study found that data could be recovered even when users turned on full-disk encryption.

Based on the devices studied, the researchers estimated that 500 million devices may not fully wipe disk partitions where sensitive data is stored and 630 million phones may not wipe internal SD cards where pictures and video are often kept. The findings, published in a research paper titled Security Analysis of Android Factory Resets, are sure to be a wake-up call for individual users and large enterprises alike.

“It’s going to have a major impact in organizations that have fairly mature established disposal practices because they’re not effective,” Kenn White, a North Carolina-based computer scientist who has read the paper, told Ars. “It’s a staggering number of devices out there that are exposed, and it’s not just somebody’s Gmail password. It’s images, photos, text, chat. It’s all these things that are private that you think if you’ve reset it you’ve reset it.”

The researchers tested the factory reset of 21 Android smartphones that ran versions 2.3.x to 4.3 of the mobile OS and were sold by five manufacturers. All of the phones retained at least some fragments of old data, including contact data stored in the phone app and third-party apps such as Facebook and WhatsApp, images and video from the camera, and text-based conversations from SMS and e-mail apps. In 80 percent of phones, the researchers were able to extract the master token Android uses to give access to most Google user data, such as Gmail and Google Calendar.