Researchers from Cambridge University have proven that Android versions from 2.3 all the way up to 4.3 do not entirely wipe out user data from the phone.
After testing 21 pre-used smartphones between 2.3x (Gingerbread) and 4.3 (Jelly Bean), researchers from the University of Cambridge in the UK have proved that it is entirely possible to recover emails, text messages and other access credentials from ‘wiped’ or ‘factory-reset’ Android phones. This is a significant cause for concern with user privacy as well as raising the possibility of identity theft.
Researchers Laurent Simon and Ross Anderson tested pre-used devices bought from eBay between January and May 2014. They did this to keep the tests as practical and as close to a real-world testing as possible. Devices included phone models from:
- HTC
- Samsung
- LG Electronics
- Motorola
- Nexus phones that include the Nexus S, Galaxy Nexus and Nexus 4
Not quite the factory reset.
With the test, researchers made the discovery that with 80 percent of cases, the Google master token was easily recovered. This master token could potentially allow an attacker to hack the device by gaining access to the previous owner’s Google account. With this, emails, contacts, drive documents, Wi-FI passwords and all other Google synced data can be breached.
In certain cases, the researchers were also able to recover access tokens and APIs (Application Programming Interface) to Facebook data, instant messaging conversations and SMS messages as well.
“The reasons for failure are complex; new phones are generally better than old ones, and Google’s own brand phones are better than the OEM offerings,” Ross Anderson noted in a blog post. “However the vendors need to do a fair bit of work, and users need to take a fair amount of care.”
500 million devices vulnerable.
With these findings, researchers claim that Android devices are fundamentally vulnerable and the number of phones and tablets at risk could count up to an astonishing 500 million devices. The same vulnerability also puts about 650 million devices at risk by not wiping out the SD card entirely, leaving behind pictures, media, financial documents and other personal data.
Additionally, Anderson and Simon discovered that there were plenty of problems found across the different Android operating systems and versions. With Gingerbread (2.3), about 90 per cent of failed to wipe the data partition securely, “in that at most a few hundred MB are deleted, representing between 60 per cent and 99.9 per cent of the data partition depending on its size”, their paper read.
Although the numbers mentioned above are estimates, it’s entirely clear that there are considerable security concerns with the reset capabilities of Android phones that are still in use today. A work-around to fix this particular concern is to use an emulated primary SD Card, since that leaves a single partition to be properly deleted from the phone. With this, the partition will be wiped out in its entirety, including user data and not just the part used by the Android file system.
