Android Factory Resets Are Flawed, Allow User Data to Be Recovered
Most Android handsets offer no easily accessible way of deleting user data including access tokens, messages, images and other content, researchers said.
The factory-reset shortcomings uncovered by researchers at the Cambridge University affect an estimated 500 million Android handsets, and pose a problem for organisations that routinely resell such devices. These 500 million handsets may not properly sanitise the data partition where credentials and other user data is stores, while up to 630 million handsets may not properly sanitise the internal SD card where multimedia files are generally saved.
They examined 21 second-hand devices running Android versions 2.3 to 4.3 from five manufacturers that had been wiped using the operating system’s built-in factory reset feature.
Researchers said the problems also exist with third-party data deletion applications, and pointed to a separate study on the same. Similar problems are likely to persist in newer versions of Android, the team said.
The team was able to recover data including multimedia files and login credentials from wiped phones, and many of the handsets yielded the master token used to access Google account data, such as Gmail. Both phone contact data and
Such data can be recovered even from handsets protected by full-disk encryption, researchers said, as the ‘crypto footer’ file that stores the decryption key isn’t erased after a factory reset.
The problem results from multiple issues, including the inherent difficulty of fully deleting data from the flash memory used in smartphones, something due to the physical nature of such memory chips, according to the research. Other issues include vendors’ failure to include necessary drivers to fully wipe flash memory used for non-volatile storage.
The researchers were able to recover the master token in a device and found that after reboot, it successfully re-synchronised contacts, emails and other data.
The master token, used to access Google accounts, was found to be retrievable in 80 percent of the devices that had a flawed factory reset mechanism.
Actual solutions for users are currently scarce. The team discussed a few ways to mitigate flawed factory resets, including filling up the partition of interest with random-byte files, in the hope of overwriting all unallocated space. This could be done third-party non-privileged apps after the built-in Factory Reset. This would require the app to be installed manually by users after a Factory Reset is performed. The drawback of this method is that it requires privileged (i.e. root) access to devices, and will therefore not be suitable for ordinary users. While the method does not provide thorough digital sanitisation, an attacker cannot recover data using public APIs exposed by the Linux kernel.
Another solution is enabling Full Disk Encryption (FDE) on first use of the device. Enabling FDE only before performing a Factory Reset may only provide logical sanitisation, not thorough digital sanitisation (plain-text data could still be present on the flash drive). The use of a complex user PIN longer than 6 digits is also recommended to prevent brute force attacks.
For vendors, the team recommended use of a recent eMMC with support for digital sanitisation, and to properly expose it in the Bootloader, Recovery and Android kernels.