Reminder: Android Phones May Still Leave Data Vulnerable After a Reset
Before you sell your old Android phone, it’s a good idea to encrypt and then wipe the data from your phone . However, the new security report echoes what we said earlier: under certain circumstances, this data can still be recovered. So be careful who you give your old phones to.
A Cambridge University report examined the effectiveness of the Android factory reset functionality on 21 different smartphone models, each ranging from Android 2.3.x to 4.3 (which, as of May 4, accounts for just over half of the active Android devices that regularly check into the Play Store) … They found that 80% of the time, they could still recover Google authentication tokens and receive data from phones, even if they were encrypted beforehand.
The reasons for this vulnerability are different. In some cases, it is the fault of the OEMs for not including the correct secure erase drivers. Otherwise, the Android OS is to blame. It’s worth noting, of course, that even Android’s built-in encryption tools have gotten better over the years, so it’s unclear if newer devices will suffer the same fate.
While this study highlights this point, it’s also worth noting that this is not entirely new information. When we talked to the jcase security researcher back in 2013 (shortly before the release of 4.4), he said about the same thing : the manufacturer’s implementation and older devices can lead to vulnerabilities. If you really want to protect your data, you can overwrite your entire phone, or more sensibly, just be careful who you sell it to. You can even just repurpose it yourself .
Cryptocurrency and Login Keys Ready to Select Due to Incorrect Android Factory Reset | Ars Technica