One of the most important things to do before selling or giving away a used smartphone is to wipe the device clean. After all, the last thing anyone wants is for a complete stranger to have access to all of their personal data. Unfortunately for Android users, researchers from Cambridge University recently discovered that performing a data wipe on Android devices doesn’t clear the device as one would expect.
Even with full-disk encryption in play, researchers found that performing a factory reset on Android smartphones isn’t always what it’s cracked up to be.
“[Researchers] found the file storing decryption keys on devices was not erased during the factory reset,” Allie Coyne reports for ITNews. “With access to that file, an attacker could recover the ‘crypto footer’ to brute-force the user’s PIN offline and decrypt the device.”
As a result, researchers were able to recover data from “wiped” Android devices, drawn from a wide variety of sources, including text messages, images, video, and even third-party applications. What’s more, researchers were able to “recover Google authentication tokens”, thereby enabling them to sync any data a user had tied to Google’s services, including private emails.
The Android devices tested, which were purchased secondhand via eBay, were running Android 2.2 Froyo through Android 4.3 Jelly Bean. Together, devices running those versions of Android account for 50.5% of all Android devices in use, according to Google’s developer dashboard.
“The researchers estimated that 500 million Android devices may not fully wipe device disk partitions,” the report adds. “As many as 630 million phones may not wipe internal SD cards.”
Speaking to Ars Technica, computer scientist Kenn White said: “It’s a staggering number of devices out there that are exposed, and it’s not just somebody’s Gmail password. It’s images, photos, text, chat. It’s all these things that are private that you think if you’ve reset it you’ve reset it.”
Notably, the researchers point out that the level of risk across Android devices can vary by vendor. The full research report is titled Security Analysis of Android Factory Resets.