7/9/2014
12:13 PM

Android Data Wipe Leaves Personal Data

Factory reset tool on Android smartphones does not remove all photos, emails, chats, and other personal data, says security firm.


When Android users choose to reset their smartphones, they generally believe their personal data is deleted. But Avast Software, which makes and markets device-side security apps, says that's not necessarily the case. The company was able to recover vast stores of personal data from wiped smartphones using off-the-shelf software. Time to rethink your selfies?

Avast purchased 20 different Android smartphones from eBay, which typically has tens of thousands of such devices for sale at any given time. The previous owners performed a factory reset, deleting all the content from the phones, before selling them. The factory reset option is buried in the settings menu, but it claims to erase everything from the phone and memory card. Avast then used commercially available recovery software to dig up personal information.

"The amount of personal data we retrieved from the phones was astounding. We found everything from a filled-out loan form [to] selfies of what appear to be the previous owner," said Avast's Jude McColgan.

Avast restored 40,000 photos -- including 1,500 of children, 750 of women in various stages of undress, and 250 male nudes -- from just 20 phones. Avast also recovered 1,000 Google searches, 750 emails and text messages, and 250 contact names and email addresses. Amazingly, Avast managed to identify only four of the 20 previous owners, but an identity ratio of one-in-five should be alarming to most smartphone users.


"Along with their phones, consumers may not realize they are selling their memories and their identities. Images, emails, and other documents deleted from phones can be exploited for identity theft, blackmail, or even stalking purposes. Selling your used phone is a good way to make a little extra money, but it's potentially a bad way to protect your privacy," said McColgan.

So how do you protect yourself? Obviously Avast wants you to download and install its Android app, which overwrites everything on the device and then deletes it. Avast's app is free. There are innumerable other options in the Play Store that provide similar services, including apps from Trend Micro, Norton, McAfee, Kaspersky, BitDefender, and LookOut Mobile. Another option is to encrypt the device. All Android smartphones support encryption, which must be enabled by the user.

Avast didn't specify what devices it purchased or what versions of Android they were running. Avast also didn't identify the "commercially available" recovery software it used to break into the phones' previous lives. Further, these were all devices sold by consumers. Businesses running mobile device management software have more powerful resetting and wiping tools at their disposal. If Avast were able to recover the same amount of personal data from the devices of mobile pros that had been wiped by enterprise-grade security software, there'd be more reason to worry.

Still, it doesn't hurt to be just a little more careful when passing on used devices.


Eric is a freelance writer for InformationWeek specializing in mobile technologies.

Comments
ajar string,
User Rank: Apprentice
7/18/2014 | 11:30:52 AM
that's a good thing
Some on the hill are pushing for remote wipe of all phones. Sure, you can take out the sd, but it's nice to think it's safe when the government goes to take it out - but probably not true. They have already read it.
mak63,
User Rank: Ninja
7/12/2014 | 3:23:00 PM
forensic software
Assuming that people should already know that the reset feature will delete data and not wipe it out or overwrite is a mistake.
I believe this kind of article is always welcome, regardless of our understanding of the reset feature.
Another point that I read somewhere, it's that encryption wouldn't work, because the key is also on the phone.
I'm downloading a forensic software myself to check what data is left behind after a reset. I will post the results when I sell my phone.
Thomas Claburn,
User Rank: Author
7/10/2014 | 5:07:38 PM
Re: Shouldn't be a surprise
> Good reason for you to stay out of politics.

As if I needed more reasons.

The article concedes that hammer-wiping is effective and legal. It's also far more time-efficient and satisfying than waiting 8 hours for multiple zero-write passes. Probably the best argument against it is the wastefulness and chance of self-harm. But I'd bet if you put a drive-melting kiln up as a Kickstarter project, it would get funded.
David F. Carr,
User Rank: Author
7/10/2014 | 11:21:49 AM
Re: Shouldn't be a surprise
Tom, one of our local public officials took the same tack to hammering out data and it was judged a scandal. Good reason for you to stay out of politics.

Fred Grimm: Ex-sheriff's data cleanup crew hammered away at their job - Fred Grimm - MiamiHerald.com http://ubm.io/1mjEwKZ
Thomas Claburn,
User Rank: Author
7/9/2014 | 4:51:15 PM
Re: Shouldn't be a surprise
A few years ago when I was disposing of a hard drive (old and not worth much), I did so with a hammer. I thought I was being overcautious at the time but in retrospect it seems like the right choice.
anon1835292002,
User Rank: Apprentice
7/9/2014 | 2:48:09 PM
Re: Shouldn't be a surprise
lol maybe all 20 came from him. 
YaarovS134,
User Rank: Strategist
7/9/2014 | 2:44:51 PM
You may want to wait for Android 62.x.y.z
It will be perfect except Google already knew what time the owner routinely went to the restroom every day.
tufurzero,
User Rank: Apprentice
7/9/2014 | 2:19:58 PM
Re: Shouldn't be a surprise
Infoworld wouldn't run an advertisement disguised as an article. That would land them in trouble with the DOC. Avast probably just replaced their own phones and wondered what to do with them. That is why the story doesn't have a source and the phones have an outrageous amount of nude photos. Writing anti-virus software has never struck me as intensive work. It's more of a hard sell product. The photos must be pictures from Avast's office parties.

I believe Lorna you are right. It is rigged and nothing to worry about. There aren't too many people aware of sector editing flash memory and a simple encryption app can keep the remaining sectors from a wipe un-readable.
Lorna Garey,
User Rank: Author
7/9/2014 | 2:18:17 PM
Re: Shouldn't be a surprise
Mike, that's probably true about the overachievers. Wonder if Anthony Weiner recently sold his phone.
MarylandMike,
User Rank: Apprentice
7/9/2014 | 2:07:15 PM
Re: Shouldn't be a surprise
Putting information on an SD card is a good idea, but still you wouldn't know if there were 'temp' files that made copies somewhere 'under the hood'. 