Android factory reset not enough to keep data secure
If you sell or gift your old Android phone to someone, is it enough to do a factory reset to wipe all your sensitive data? And if your Android gets stolen, how sure are you that your anti-theft solution will do a good job wiping it and/or locking the device?
Consumers generally have no insight into how well these features work. Their only option is to trust the manufacturers’ and developers’ assurances, and wait for security researchers to test the solutions.
Today, two researchers from the Security Group at the University of Cambridge Computer Laboratory have published two papers that answer those questions.
The first one details the results of a security analysis of Android’s Factory Reset option, tested on 21 second-hand Android smartphones from 5 vendors running Android versions v2.3.x to v4.3.
The researchers concentrated on cheap data recovery attacks that require neither expensive equipment nor specific per-chip knowledge. They found that they could recover some SMSes, emails, and/or chats from messaging apps, as well as Google master cookies and Facebook authentication tokens, which would allow them to access those users’ accounts.
All in all, they estimate that “up to 500 million devices may not properly sanitise their data partition where credentials and other sensitive data are stored, and up to 630M may not properly sanitise the internal SD card where multimedia files are generally saved.”
“We found we could recover Google credentials on all devices presenting a flawed Factory Reset,” they noted. “Full-disk encryption has the potential to mitigate the problem, but we found that a flawed Factory Reset leaves behind enough data for the encryption key to be recovered.”
Finally, they offered Google, other vendors and Android Open Source Project developers recommendations for reducing these risks in the future.
In the second paper, they revealed the results of their testing of the anti-theft functions (“remote wipe” and “remote lock”) of the top 10 mobile anti-virus (MAV) apps. Again, the results are bad: they found flaws that undermine MAV security claims and highlight the fragility of third-party security apps.
The researchers blame the unreliability of these remote locks on poor implementation practices, Android API limitations and vendor customizations.
“Mobile OS architectures leave third-party security apps little leeway to improve built-in Factory Resets, therefore MAV remote wipe functions are not an alternative to a flawed built-in Factory Reset,” they noted, and concluded that “the only viable solutions are those driven by vendors themselves.”