GENUINE WARNING to Android Phone Owners and their Data

#1 Posted by musicalmac (23033 posts) -

Have you ever employed the use of factory reset to wipe (so you thought) the data clear on your phone so you could sell it or give it to a friend? In a truly serious warning, Avast, a security software company, uncovered some troubling information --

Hard Proof That Wiping Your Phone Doesn't Actually Delete Everything

The team at security software company Avast purchased 20 different phones on eBay and unleashed data-recovery tools on them to see what they could find. The results are persuasive evidence that resetting your phone back to factory settings doesn't mean your data is gone forever.

From the 20 phones, Avast managed to recover 40,000 photos (including 1,500 family photos with children and 250 selfies of someone's "manhood"), 750 emails, 250 contacts with names and addresses and even files such as a loan application and a completed sexual harassment course. Predictably, some of the recovered photos were pornographic, as reported by VentureBeat, with one of the previous owners clearly a fan of anime porn, an Avast representative is quoted as saying.

Apple owners need not worry.

"You'll notice that the [Avast] story is about 20 Android phones, not iPhones," says Chris Bross, CTO of Drivesavers, a data-recovery service. "The recovery of data from an iPhone vs. an Android device is more challenging because of the protections that Apple puts in the security stack. Apple does a better job in their secure-wipe routine than what appears to happen with third-party apps on Android."

iPhones and iPads include hardware encryption, and when the user wipes the phone, the encryption keys are overwritten, a process that makes recovering data very difficult. The secure-wipe solutions on Android aren't nearly so consistent.

Thoughts? Anyone done this thinking they were safe to sell their device or to give it away?

#2 Edited by Mister-Man (60 posts) -

I just recently sold my S4 after wiping the data... Any idea how prevalent this issue is, and if there are any people out there already taking advantage of this exploit? This concerns me because I had a lot of photos of my daughter and a crap load of sensitive information on it.

#3 Posted by NVIDIATI (7697 posts) -

This wouldn't surprise me, but at the same time I'm quite sceptical on the source for a number of reasons.

1. The "study" was performed by Avast, and their solution to the problem is to install their software to clear your data from your Android device.

2. There is little information on the actual devices tested and data posted. They claim 20 Android devices had been purchased from eBay, but the only devices mentioned are a Motorola and HTC from 2011 both launched running Android version 2.3 (Gingerbread).

3. They never made it clear if the devices had been properly reset in the first place. "In this blog post series we will reveal what we managed to dig out from supposedly erased devices." Avast Blog

@mister-man said:

I just recently sold my S4 after wiping the data... Any idea how prevalent this issue is, and if there are any people out there already taking advantage of this exploit? This concerns me because I had a lot of photos of my daughter and a crap load of sensitive information on it.

As for Samsung, the S4 was one of few Android devices approved for enterprise usage (Samsung's SAFE / KNOX), so I imagine a factory reset would clear all of your data. Of course I can't say for certain.

#4 Posted by musicalmac (23033 posts) -

@NVIDIATI:

1. The solution may be their software, but it seems that their software may be necessary because simply doing a full reset doesn't actually remove all the data. They make a strong case for their software.

2. You're right on this one, I wish we'd gotten more information about exactly what handsets they purchased and tested.

3. I doubt very much the phones they purchased hadn't gone through the typical reset process the entire article was about. That quote you finish with reads more like a marketing/positioning statement than it does give me the idea that the phones hadn't been reset.

I also struggle to put my faith in a company like Samsung.

#5 Posted by NVIDIATI (7697 posts) -

@musicalmac

What I was getting at is the fact that in both of their blog posts (1, 2), they never clearly said what type of method was used to delete the files, or if a proper factory reset was even performed on all of the devices in question. Their motive is clear, to promote their software and create a demand for their software from consumers. My reason for remaining sceptical is the lack of information posted from their study. If and when more information is published, then maybe my scepticism will be cleared.

That being said, it still wouldn't surprise me if data is not being completely deleted from pre-owned Android devices. No matter the results of this study, I would still recommend users take precautions before selling their devices of any kind.

#6 Edited by musicalmac (23033 posts) -

@NVIDIATI: Here are a few other sources.

Cnet -- Yahoo -- The Wire (whatever that is)

The real convincing stuff is here.

Particularly as Android continues pushing into the business sphere I believe this problem needs to be addressed urgently. It's bad enough that everyday user data may be easily compromised, but corporate phones being reassigned or recycled could clearly lead to even more serious data breaches.

Credit code.google.com

#7 Posted by NVIDIATI (7697 posts) -

@musicalmac I noticed the BBC mentioned Google's response in an article.

Google responded that Avast used outdated smartphones and that their research did not "reflect the security protections in Android versions that are used by the vast majority of users". It was recommended by Google that all users enable encryption on their devices before applying a factory reset to ensure files cannot be accessed. This feature, said Google, has been available for three years, although it is not enabled by default, which could leave less tech-savvy users open to attack.

Credit BBC
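
An added example, not part of the thread or of Avast's or Google's material: a constructed model of why the advice quoted above (enable encryption, then factory reset) and the key-overwrite wipe described in the first post leave nothing readable, while a reset that only drops the file index does not. `ToyPhone`, the 64-byte sector and the SHA-256 keystream (a stand-in for the AES a real device uses) are assumptions for illustration.

```python
import hashlib
import os

SECTOR = 64  # constructed toy sector size

def keystream_xor(key: bytes, sector_no: int, data: bytes) -> bytes:
    """Stand-in for real disk encryption: XOR with a SHA-256-derived keystream."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + sector_no.to_bytes(8, "big")
                                 + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

class ToyPhone:
    """Constructed model: raw flash, a file index, and an optional disk key."""

    def __init__(self, encrypted: bool):
        self.flash = bytearray()   # what a recovery tool reads after resale
        self.index = {}            # filename -> (first sector, length)
        self.key = os.urandom(32) if encrypted else None

    def write_file(self, name: str, content: bytes) -> None:
        sector_no = len(self.flash) // SECTOR
        padded = content.ljust(-(-len(content) // SECTOR) * SECTOR, b"\0")
        if self.key:
            padded = keystream_xor(self.key, sector_no, padded)
        self.index[name] = (sector_no, len(content))
        self.flash += padded

    def factory_reset(self) -> None:
        """Quick reset: forget the index and the key, leave flash cells alone."""
        self.index.clear()
        self.key = None            # models overwriting the stored key

def recoverable(phone: ToyPhone, marker: bytes) -> bool:
    # A raw scan of the storage, ignoring the (now empty) file index.
    return marker in bytes(phone.flash)

def demo() -> dict:
    secret = b"loan-application: constructed sample record"
    results = {}
    for label, enc in (("plain", False), ("encrypted", True)):
        phone = ToyPhone(encrypted=enc)
        phone.write_file("loan.txt", secret)
        phone.factory_reset()
        results[label] = recoverable(phone, b"loan-application")
    return results
```

`demo()` reports the sample record as still present on the unencrypted model after reset and absent on the encrypted one, because the flash contents are the same bytes as before and only the key needed to read them is gone.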

#8 Posted by musicalmac (23033 posts) -

@NVIDIATI: Why wouldn't it be enabled by default? And how is Google classifying vast majority? It means all those activations, the millions touted at all those many conferences thus far, were all vulnerable. That's why I don't let an ad company design my mobile device interface. As if we needed any more reasons to avoid Android.

What a poor choice.

#9 Posted by NVIDIATI (7697 posts) -

@musicalmac said:

@NVIDIATI: Why wouldn't it be enabled by default? And how is Google classifying vast majority? It means all those activations, the millions touted at all those many conferences thus far, were all vulnerable. That's why I don't let an ad company design my mobile device interface. As if we needed any more reasons to avoid Android.

What a poor choice.

I don't know Google's reasoning for not enabling encryption by default, but the option is there.

I'm not sure how Google is classifying the vast majority. If I had to guess, I would assume they're talking about devices with 4.0 and later (no idea). Despite all of this media attention there are still very few details being passed around regarding this issue.

#10 Posted by slimdogmilionar (561 posts) -

I thought this was a known fact already, the only way to truly erase your data is to root your phone. Ironically rooting your phone voids your warranty but it also gives you the option to make your phone perform better and stop Google logging. Basically allow us to pry into your devices or your warranty is voided, sad part is that if you root your phone you can always reverse it if it acts up and if it's truly bricked the company won't know because in the process of fixing it they return it to 100% stock automatically. I've bricked plenty of phones under warranty and sent them back to the manufacturer no problem, best way to erase data is by restoring stock using the same flash tools as the company who made your phone. The whole warranty voided thing is just something they made up to scare people so stuff like this will happen.

#11 Posted by musicalmac (23033 posts) -

@NVIDIATI said:

I don't know Google's reasoning for not enabling encryption by default, but the option is there.

I'm not sure how Google is classifying the vast majority. If I had to guess, I would assume they're talking about devices with 4.0 and later (no idea). Despite all of this media attention there are still very few details being passed around regarding this issue.

The details we have are that performing the standard factory reset on your Android-powered phone doesn't erase all the sensitive data. That data can be revived through the use of simple tools.

What's the difficulty? How many users will be savvy enough to go enable encryption?

This is what you get when an ad company makes your operating system. It's a poor choice to use such software.

#12 Posted by NVIDIATI (7697 posts) -

@musicalmac

When I mentioned the lack of details, I was referring to the study (devices used, the OS version, etc.). Even Google's response to their study is vague.

The process to enable encryption is simple, about as easy as performing a factory reset.

Enabling encryption on Android:
Settings --> Security --> Encrypt phone --> Encrypt phone

Performing a factory reset on Android:
Settings --> Backup & reset --> Factory data reset --> Reset phone

#13 Posted by musicalmac (23033 posts) -

@NVIDIATI: Why wouldn't that be on by default? Do you see no issues with that not being a default setting in a world run by casual tech users? Telling me how to enable it won't do any good.

#14 Posted by NVIDIATI (7697 posts) -

@musicalmac

While I see the issue for casual users that are selling old smartphones, I can see why they might not have had this as a default. Encryption requires the user have password protection.

You just asked me what the difficulty was to enable it. I mentioned the steps required, so you could get a better understanding of what I might consider "easy", and I compared it to the task of performing a factory reset.

#15 Edited by musicalmac (23033 posts) -

@NVIDIATI said:

@musicalmac

While I see the issue for casual users that are selling old smartphones, I can see why they might not have had this as a default. Encryption requires the user have password protection.

You just asked me what the difficulty was to enable it. I mentioned the steps required, so you could get a better understanding of what I might consider "easy", and I compared it to the task of performing a factory reset.

Casual = almost all, just so we're clear. Thank you to Google for not burdening their trusting users with something as inconveniencing as a password.

Google has proven time and time again (to willing and savvy observers) that they cannot be trusted. I used to utilize many of Google's services, but since we've learned more about the company over the years, I've decided to use none of them. They aren't missed. I've been Google free since shortly after they announced their "me, too" operating system.