Weaknesses in the factory reset function within Google's Android mobile operating system mean data from more than 500 million phones can be discovered despite being wiped, researchers have found.
Cambridge University researchers Laurent Simon and professor Ross Anderson studied the security feature - which is baked into the Android OS and allows users to wipe devices - and found data could be recovered from phones that had been factory-reset.
Recovering data was even possible with full-disk encryption switched on, the researchers discovered.
Simon and Anderson found the file storing decryption keys on devices was not erased during the factory reset. WIth access to that file, an attacker could recover the "crypto footer" to brute-force the user’s PIN offline and decrypt the device.
The researchers estimated that 500 million Android devices may not fully wipe device disk partitions. As many as 630 million phones may not wipe internal SD cards.
Five "critical failures" were outlined in the researchers' Security Analysis of Android Factory Resets paper:
- no Android support for proper deletion of data partition in devices running 2.3.x;
- incomplete upgrades pushed by vendors to flawed devices;
- no driver support for proper deletion shipped by vendors in newer devices;
- no Android support for proper deletion of the internal and external SD card in all OS versions; and
- fragile full-disk encryption up to Android v4.4 (KitKat).
Twenty-six second-hand Android phones running versions 2.3 to 4.3 of the operating system, sold by five handset makers, were tested.
The researchers found that all retained at least partial amounts of data from contacts information, images and video, SMS, email, and data from third-party apps like Facebook.
They were able to recover Google authentication tokens in all devices with flawed factory reset, and were able to access master tokens in 80 percent of cases.
To test their findings, they used one of the recovered master tokens from a reset to restore the credential file.
"After the reboot, the phone successfully re-synchronised contacts, emails, and so on," they wrote.
"We recovered Google tokens in all devices with flawed Factory Reset, and the master token 80 percent of the time. Tokens for other apps such as Facebook can be recovered similarly. We stress that we have never attempted to use those tokens to access anyone's account."
For Android users wanting to ensure their data is completely wiped from their device, the researchers suggested turning on full-disk encryption where it is offered, and protecting the phone with a strong password - a minimum of 11 characters, symbols, upper and lower case letters.
They also suggested users reset their phone and fill up a partition of interest with random-byte files, in order to overwrite all unallocated space, via a third-party non-privileged app.
The researchers warned however that there were still risks in that approach - the third-party app that would fill the partition with random-byte files would have to be installed manually, otherwise the Google token stored on the file system would not be erased.
More technical users with privileged access could overwrite the entire partition bit by bit to provide logical sanitisation, the researchers said.
"This method does not provide thorough digital sanitisation, since the flash is overprovisioned to handle physical wear and tear of the medium – but an attacker cannot recover data using public APIs exposed by the Linux kernel," they wrote.
"Furthermore, the over-provisioning could differ even for instances of the same device, for example if different grades of flash were used."
"Since we are concerned only with massively scalable attacks, we did not consider this issue further, but firms with high assurance requirements might have to unless they can use encryption."