Read This Before Selling Your Smartphone...
Before recycling, donating, or selling your smartphone, it’s a good idea to wipe it clean of all your contacts and other personal data. The easiest way to do that is the “factory reset” function; just tap it, confirm, and your phone is returned to the state it was in when it left the factory. All your personal data is gone. Or not. Read on to learn more...
Android Reset Vulnerability
The factory reset is supposed to scrub everything from your phone, and return it to “just out of the box” condition. Except your data isn’t gone completely, and much of it can be recovered by a tech-savvy snoop. Researchers at Cambridge University were able to recover passwords, contacts, photos, and other data that a factory reset failed to erase from internal memory and external SD cards. Even full-disk encryption posed little hindrance to recovering “deleted” personal data.
The study, entitled “Security Analysis of Android Factory Resets,” included 21 smartphones from five manufacturers; the phones were running Android versions 2.3 to 4.3. (That means Android Gingerbread, Honeycomb, Ice Cream Sandwich, and Jelly Bean.) About 630 million such devices have been sold worldwide, and many have been re-sold or otherwise passed along.
The researchers say they don’t know if more recent versions of Android have the same shortcomings. What??? They didn't test the two most recent versions of the operating system? (Android KitKat and Lollipop run on 50% of all Android devices.) That's just bizarre. But anyway, let's continue...
In 80% of the tested phones, researchers were able to recover the master token that Android uses to provide access to Google services such as Gmail, Calendar, etc. So when these phones were reset and rebooted, they immediately synced with Google services to recover all the data stored there: emails, appointments, contacts, even text messages and voicemails. Tokens for other apps, including Snapchat and Facebook, were also recoverable on a majority of tested phones.
In case that's not clear, it means that in addition to recovering the data left on your phone, a determined hacker could gain ongoing access to your online accounts. So by all means change your passwords if you lose or sell a phone.
Why is it So Hard to Wipe a Phone?
Part of the problem is that some manufacturers do not include with their phones the software drivers needed to wipe non-volatile external storage devices, such as SD cards. But the main problem is internal flash memory, which is notoriously difficult to “wipe” completely.
Surprisingly, the researchers found that the “crypto footer” file which stores the decryption key of a fully encrypted flash drive is not erased during a factory reset. This key is generated by the combination of a semi-random system-generated “cryptographic salt” value and a user-defined PIN or password. Since users tend to choose weak PINs and passwords, the crypto footer is easily cracked in less than a day, according to Kenn White, a North Carolina computer scientist.
The Cambridge study’s findings put Android users in a predicament when they want to dispose of a used phone, or when a phone is lost and a remote wipe is advisable. If full-disk encryption is available, it’s best to use it and choose a strong password: one that incorporates alphabetical, numeric, and special characters, and is more than 11 characters long. But given how often people need to unlock their phones and the challenges of smartphone keyboards, strong passwords are not likely to be used by many.
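The difference between a short PIN and the longer password recommended above can be put in numbers. The following Python sketch is an added example, not code from the Cambridge study or from Android; the derivation function (PBKDF2-HMAC-SHA1), its iteration count, and the salt size are assumptions chosen for illustration, since the article does not name them.

```python
import hashlib
import os
import time

# Assumptions of this example (not stated in the article): the KDF,
# its iteration count, and the 16-byte salt size.
KDF_ITERATIONS = 2000
SALT_BYTES = 16


def derive_key(secret: str, salt: bytes) -> bytes:
    """Derive a 16-byte key from the user's PIN/password and a stored salt."""
    return hashlib.pbkdf2_hmac("sha1", secret.encode(), salt, KDF_ITERATIONS, dklen=16)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate secrets of exactly `length` symbols."""
    return alphabet_size ** length


def measure_rate(samples: int = 200) -> float:
    """Key derivations per second on this machine, single-threaded."""
    salt = os.urandom(SALT_BYTES)
    start = time.perf_counter()
    for i in range(samples):
        derive_key(str(i), salt)
    return samples / (time.perf_counter() - start)


def worst_case_days(alphabet_size: int, length: int, rate: float) -> float:
    """Days needed to try every candidate at `rate` derivations per second.

    The salt is stored on the device next to the protected key, so it does
    not enlarge this search space; only the secret's length and alphabet do.
    """
    return keyspace(alphabet_size, length) / rate / 86400


# Constructed policies to compare; the last matches the article's advice.
POLICIES = [
    ("4-digit PIN", 10, 4),
    ("6-digit PIN", 10, 6),
    ("8 lowercase letters", 26, 8),
    ("12 printable ASCII characters", 94, 12),
]

if __name__ == "__main__":
    rate = measure_rate()
    print(f"measured: {rate:,.0f} derivations/second on one core")
    for name, alphabet, length in POLICIES:
        days = worst_case_days(alphabet, length, rate)
        print(f"{name:32s} {keyspace(alphabet, length):.2e} candidates, {days:.2e} days")
```

Even at a single guess per second, the 4-digit PIN is exhausted in under three hours, while the 12-character password stays out of reach at rates a billion times higher.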
As for third-party remote-wiping apps, the same researchers also published a study entitled “Security Analysis of Consumer-Grade Anti-Theft Solutions Provided by Android Mobile Anti-Virus Apps.” It found significant wiping flaws in 10 Android apps that have been downloaded hundreds of millions of times.
The bottom line: Encrypting your phone with a complex password before you do a factory reset will make it much harder (but not impossible) for a determined person to recover your data. The only way to ensure that your data doesn’t fall into the wrong hands is to destroy a used phone instead of reselling or donating it. That’s little comfort for people who lose phones. If you've sold or lost an Android-powered phone, the best you can hope is that it doesn't end up in the hands of a tech-savvy snoop.
This article was posted by Bob Rankin on 28 May 2015
Copyright © 2005 - Bob Rankin - All Rights Reserved