Passwords and Multimedia Files Can Be Recovered From Hundreds of Millions of Android Phones
Researchers at the University of Cambridge have conducted a detailed analysis of the “Factory Reset” feature in Android devices and determined that it’s not as effective as it should be.
Experts analyzed the factory reset feature on 21 Android smartphones from five different vendors. The tested devices, acquired from eBay and phone recycling companies in the UK, ran versions 2.3 through 4.3 of Google’s mobile operating system.
The researchers’ tests revealed that up to 500 million Android devices might not properly sanitize the data partition storing credentials and other sensitive data. Furthermore, up to 630 million devices might expose multimedia and other files stored on the SD card.
Many mobile phone owners sell their old devices when they buy new ones. A 2013 study estimated that the used smartphone market would grow to more than 250 million units by 2018.
Most users are aware that they must delete personal information from their smartphones before passing them on. This is usually done by using the factory reset feature and by formatting the external memory card.
However, as antivirus company Avast demonstrated in 2014, these methods are not very effective. Researchers managed to recover a total of more than 40,000 files from 20 second-hand Android smartphones using readily available recovery software.
Now, researchers at the University of Cambridge have conducted a thorough analysis of the factory reset functions in Android and they’ve also determined that a lot of sensitive data can be easily recovered.
Researchers managed to recover details on the phone owner, information on previously installed applications, contacts, browsing data, credentials, multimedia files, and conversations (SMS, email, chat) from all the tested devices using automated pattern matching and file carving, a technique used to search for files by knowing their content and structure.
In one case study presented in the research paper, experts demonstrated how an attacker could hijack Google accounts by recovering deleted authentication tokens. These authentication tokens are used to log in users to their accounts after they first enter their password. By recovering the master token for a Google account, which according to researchers is recoverable 80% of the time, an attacker could re-synchronize the targeted user’s contacts, emails and other information.
The data that can be recovered from an Android device that has been wiped using the factory reset feature can be sold on the underground market or it can be used to blackmail the smartphone’s previous owner. However, researchers noted that in many cases attacks are not profitable due to the investment and effort needed to monetize the data.
The Android versions on which these tests have been carried out are older but, according to Google, they are still installed on roughly half of the devices running Android. It’s unclear if the factory reset feature is flawed in newer versions of Android as well.
“The extraction of data from resold devices is a growing threat as more users buy second-hand devices. A healthy second-hand market is valuable for vendors as people are more willing to buy expensive new devices if they know they can trade them in later. So data sanitisation problems have the potential to disrupt market growth,” researchers wrote in their report. “If users fear for their data, they may stop trading their old devices, and buy fewer new ones; or they may continue to upgrade, but be reluctant to adopt sensitive services like banking or healthcare apps, thereby slowing down innovation. Last but not least, phone vendors may be held accountable under consumer protection or data protection laws.”
“The results of this study confirm Avast’s results from last year, that it is possible to recover personal information from older versions of Android, even if a factory reset has been done. This study once again proves that some older versions of Android have security flaws when it comes to sanitizing data,” Jaromir Horejsi, senior malware analyst at Avast, told SecurityWeek via email. “Smartphone owners should therefore take further steps to wipe their personal information from their smartphones before selling them on platforms like eBay.”
Google says the best way to protect personal data is by using encryption.
“The best way to protect your data is to encrypt your Android device and apply a strong lockscreen password. Encryption can be enabled in the device settings under the Security section, instructions are provided here. If you plan to resell or discard your device and you haven’t already, encrypt it and then perform a factory reset,” Adrian Ludwig, lead engineer at Android Security, told SecurityWeek.
The search giant has clarified that a factory reset feature with secure wipe directly integrated in the platform is available in Android 3.0 and greater, versions currently installed on over 94% of Android devices. In these versions, data should be wiped in a way that prevents recovery.
However, Google noted that this Android implementation relies on other hardware and software in order to make a complete wipe, and in some cases these components don’t function as expected.
“We believe the most reliable method of protecting user data is the full disk encryption that is available on over 94% of Android devices. Encryption ensures that data is protected within Android itself, rather than relying on diverse hardware implementations that may not securely wipe if there is an error,” Google told SecurityWeek. “Recovery of data from a device that has been encrypted and insecurely wiped is significantly more difficult than on a device that is not encrypted. This is one of the reasons we have enabled encryption by default on the Nexus 6 and 9, and one of the reasons we have very strongly recommended it for other manufacturers as well.”
Google has thanked University of Cambridge experts for their research and contribution to Android security. The company has also thanked Avast for their earlier research.
*Updated with comment from Avast and statement from Google