Study reveals ‘Factory Wiping’ an Android device doesn’t safely erase its data
Czech Republic-based security firm Avast has managed to easily extract data and images from second-hand Android phones by using standard forensic security tools, reports the BBC. The firm found hundreds of naked selfies and other intimate pictures on a batch of Android phones which had been factory wiped by the previous owners. Avast advises users that the ‘factory reset’ function on Android devices doesn’t truly erase data on the phone/tablet, and that the only way to completely delete data is to “destroy your phone”.
Joking that “tens of thousands of Americans sell themselves online every day,” Avast recovered more than 40,000 stored photos, including 750 of girls in “numerous levels of undress,” and 250 selfies that “appear to be the previous owner’s manhood” on the 20 second-hand Android handsets bought via eBay.
The EXIF data embedded in the picture files could also allow the curious to find out details of a person’s residence if it included location data, and Avast found that four of the phones included the previous owners’ identities and a completed loan application.
Most ‘factory reset’ options on smartphones are designed to wipe and reset the device to its original system state, but Avast warned that “deleting files from your Android phone before selling it or giving it away is not enough. You need to overwrite your files, making them irretrievable.”
A Google spokesperson has been in touch with Ars Technica regarding Avast’s findings and issued a statement saying: “This research looks to be based on older devices and versions and does not reflect the security protections in Android versions that are used by 85% of users. If you sell or dispose of your device, we recommend you enable encryption on your device and apply a factory reset beforehand; this has been available on Android for over three years.”
However, the file encryption setting remains optional, and this could potentially leave newer devices vulnerable too. Alan Calder, founder of cybersecurity and risk management firm IT Governance, also said that “Google’s recommended routine for protecting the data only makes it harder for someone to recover the data – it does not make it impossible.” He went on to explain that “If you don’t want your data recovered, destroy the phone – and that has been standard security advice, in relation to telephones and computer drives, for a number of years. Any other ‘solution’ simply postpones the point at which someone is able to access your confidential data.”