Bad news for people who have sold or given away their old Android phones: Google's own factory reset likely didn't remove all of their personal data and account-login information. A whopping 500 million Android devices may be at risk, according to a study by University of Cambridge researchers Laurent Simon and Ross Anderson.
According to their academic paper, once an Android device's data is recovered by exploiting this flaw, it will "successfully re-synchronize contacts, emails, and so on," leaving the digital lives of the original owners completely exposed. Access to accounts through dedicated apps, such as Facebook, on a poorly wiped device can also be procured through recovered authentication tokens.
While the stock Android factory reset claims to remove Google account data, highly sensitive login credentials can be recovered after a wipe, Simon and Anderson said. Recovering data was possible even with full-disk encryption switched on, because the encryption password is often a four-digit PIN or a short password.
The pair tested 21 secondhand phones, running Android builds between 2.3 Gingerbread and 4.3 Jelly Bean, made by Google, HTC, LG, Motorola and Samsung. Following the primary factory reset built into the operating systems, user data was recoverable on all the phones, and Google account connectivity was restored on 80 percent of the devices.
Simon and Anderson said Android's factory reset does not touch the file that stores the user account's decryption keys. Once access to that file, the so-called "crypto footer," is gained, it can be used to brute-force the user's PIN or password and gain complete access to the device.
The best advice we can offer a user looking to safely and cleanly reach a conscious uncoupling with his or her Android device is to encrypt the device with a difficult-to-crack password just before it is wiped. Simon and Anderson suggested a password with a minimum of 11 characters, including punctuation marks, symbols, and both upper- and lowercase letters.
Upgrading to Android 4.4 KitKat or later may further protect your data, but we can't be certain, as Simon and Anderson tested only secondhand phones that ran Android versions between 2.3 Gingerbread and 4.3 Jelly Bean.
In a blog post, Anderson explained that blame for this situation can be spread generously across all parties involved, although he noted that Google's own Nexus line of phones does have a higher quality of security.
"The reasons for failure are complex," Anderson said. "However, the vendors need to do a fair bit of work, and users need to take a fair amount of care."
If you were hoping that the remote-wipe feature offered by many third-party Android antivirus products fared better than the stock factory-reset procedure, think again.
"AV vendors' ... results are not that impressive," Anderson wrote, citing a second academic paper by himself and Simon released in conjunction with the first.
Taken together, Anderson said, "these failings mean that staff at firms which handle lots of second-hand phones (whether lost, stolen, sold or given to charity) could launch some truly industrial-scale attacks."