7/9/2014
12:13 PM

Android Data Wipe Leaves Personal Data

Factory reset tool on Android smartphones does not remove all photos, emails, chats, and other personal data, says security firm.


When Android users choose to reset their smartphones, they generally believe their personal data is deleted. But Avast Software, which makes and markets device-side security apps, says that's not necessarily the case. The company was able to recover vast stores of personal data from wiped smartphones using off-the-shelf software. Time to rethink your selfies?

Avast purchased 20 different Android smartphones from eBay, which typically has tens of thousands of such devices for sale at any given time. The previous owners performed a factory reset, deleting all the content from the phones, before selling them. The factory reset option is buried in the settings menu, but it claims to erase everything from the phone and memory card. Avast then used commercially available recovery software to dig up personal information.

"The amount of personal data we retrieved from the phones was astounding. We found everything from a filled-out loan form [to] selfies of what appear to be the previous owner," said Avast's Jude McColgan.

Avast restored 40,000 photos -- including 1,500 of children, 750 of women in various stages of undress, and 250 male nudes -- from just 20 phones. Avast also recovered 1,000 Google searches, 750 emails and text messages, and 250 contact names and email addresses. Amazingly, Avast managed to identify only four of the 20 previous owners, but an identity ratio of one-in-five should be alarming to most smartphone users.


"Along with their phones, consumers may not realize they are selling their memories and their identities. Images, emails, and other documents deleted from phones can be exploited for identity theft, blackmail, or even stalking purposes. Selling your used phone is a good way to make a little extra money, but it's potentially a bad way to protect your privacy," said McColgan.

So how do you protect yourself? Obviously Avast wants you to download and install its Android app, which overwrites everything on the device and then deletes it. Avast's app is free. There are innumerable other options in the Play Store that provide similar services, including apps from Trend Micro, Norton, McAfee, Kaspersky, BitDefender, and LookOut Mobile. Another option is to encrypt the device. All Android smartphones support encryption, which must be enabled by the user.

Avast didn't specify what devices it purchased or what versions of Android they were running. Avast also didn't identify the "commercially available" recovery software it used to break into the phones' previous lives. Further, these were all devices sold by consumers. Businesses running mobile device management software have more powerful resetting and wiping tools at their disposal. If Avast were able to recover the same amount of personal data from the devices of mobile pros that had been wiped by enterprise-grade security software, there'd be more reason to worry.

Still, it doesn't hurt to be just a little more careful when passing on used devices.


Eric is a freelance writer for InformationWeek specializing in mobile technologies.

Comments
MarylandMike,
User Rank: Apprentice
7/9/2014 | 2:05:53 PM
Re: Shouldn't be a surprise
My guess is that some of those phones were from 'over achievers'.  There might be a picture or 2 on some phones whereas others might have hundreds...
MarylandMike,
User Rank: Apprentice
7/9/2014 | 2:04:53 PM
Android naivete
The Android OS (for all its features) reminds me of an old comparison between DOS 5.0 and Windows 95.  There were some things that simply couldn't be done in Win 95.  The Avast product would (I hope) allow you to delete everything except the default OS.  Some users just want a clean machine.  On my Android tablet, I don't see (or recognize) hidden files/system files, read-only files.  We don't know what is under the covers of the OS, but at least we realize that our photos, our forms are there for the savvy user.
Lorna Garey,
User Rank: Author
7/9/2014 | 1:51:30 PM
Re: Shouldn't be a surprise
Maybe I am naive, but that averages out to 50 risque photos per phone. Seems high among the general (non frat boy) population.

Or am I wrong?
Gary_EL,
User Rank: Ninja
7/9/2014 | 1:36:31 PM
Do I see the next big lawsuit a brewin'?
Did those people whose personal information and embarrassing photos are now in the hands of strangers have some kind of legal, enforceable expectation of privacy after they "wiped" their smartphones? The attorneys must be lickin' their chops.
SoStupocrisy,
User Rank: Apprentice
7/9/2014 | 1:33:10 PM
Re: Shouldn't be a surprise
Surely you don't think that only "frat boys" have this kind of material on their phones?!?

I've seen adults well above the 40yo mark with such things on many occasions...what bubble are you living under?
Henrisha,
User Rank: Strategist
7/9/2014 | 1:11:08 PM
Re: Shouldn't be a surprise
It does make more sense to store data (sensitive files, private photos, etc) on a removable SD card. Definitely better than having to go through folders in the phone one by one to check (although it's still recommended that you do this, as a just-in-case measure.)
ChrisW967,
User Rank: Apprentice
7/9/2014 | 1:03:00 PM
Maths
4 of 20 --> 1 in 5, not 1 in 4.
Lorna Garey,
User Rank: Author
7/9/2014 | 12:50:44 PM
Re: Shouldn't be a surprise
OK, so here's what surprises me: "750 of women in various stages of undress and 250 male nudes -- from just 20 phones."

Who did they buy them from, a bunch of frat boys?!
jagibbons,
User Rank: Ninja
7/9/2014 | 12:42:23 PM
Re: Shouldn't be a surprise
I'm not sure if Avast has done similar research on iOS or Windows devices, but Android (as well as Windows) does have one thing in its favor despite this issue. A micro SD card can be removed when the phone is sold. If all your photos are on the SD card and you keep it, then the guy who buys your used phone can't get access to them.

Regardless, one should still use a true wipe tool that overwrites the data blocks multiple times to make sure all electronic traces are gone.
KeithT494,
User Rank: Apprentice
7/9/2014 | 12:31:09 PM
Shouldn't be a surprise
This shouldn't be news to a technology professional worth a grain of salt. All non-volatile computer storage, whether it be hard disk or flash memory, works the same way -- deleting the file doesn't make the data disappear, any more than throwing that top secret memo in your trash can makes it disappear. Or taking it home and giving it to your 3-year-old to color on.

Android's factory reset (and the factory reset for almost any device, Android or otherwise) isn't a "wipe." That's a simplistic layperson misconception. The purpose of factory reset is to reset the system software to its original state. It does this mostly by deleting files, and restoring other files from an original image or state.

Factory reset is NOT a security function. If you want a security erase, there are specific tools for that. They use repetitive, slow algorithms to specifically eradicate all remains of the data. Be sure you use one that's flash-memory-aware, though, because the automatic "cycling" of flash memory -- done to preserve its lifetime -- can render such algorithms mostly useless.

Again, not news to any technology professional worth a grain of salt. I don't know what IW's target audience is, but if there are CTOs, CIOs, MISes, IT directors, and other technology-managing types who didn't already know this fundamental storage hardware fact, our technology infrastructure is in deep doo-doo.
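
The point made in the comment above and in the article's overwrite advice, as an added example (not code from Avast, the article or any commenter): a constructed toy volume in which a reset only clears the file index, plus a signature scan of the raw bytes that can be run over a storage image to check whether a wipe left anything behind. `ToyVolume`, `residual_jpegs` and `fake_photo` are hypothetical names, and the model has no flash wear levelling, so its overwrite reaches every block.

```python
BLOCK = 512
JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"  # JPEG start / end markers

class ToyVolume:
    """Constructed model: raw bytes plus a name -> (offset, length) file index."""
    def __init__(self, blocks=64):
        self.raw = bytearray(blocks * BLOCK)
        self.index = {}
        self.next_free = 0

    def write(self, name, data):
        off = self.next_free
        self.raw[off:off + len(data)] = data
        self.index[name] = (off, len(data))
        self.next_free = off + -(-len(data) // BLOCK) * BLOCK  # round up to a block

    def factory_reset(self):
        """Models a reset that only forgets the files: index cleared, blocks untouched."""
        self.index.clear()
        self.next_free = 0

    def overwrite_wipe(self):
        """Overwrites every block with zeros, then clears the index."""
        self.raw[:] = bytes(len(self.raw))
        self.factory_reset()

def residual_jpegs(raw):
    """Scan raw storage for JPEG markers; return (offset, length) of each remnant."""
    hits, pos = [], 0
    while (start := raw.find(JPEG_SOI, pos)) != -1:
        end = raw.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            break
        hits.append((start, end + len(JPEG_EOI) - start))
        pos = end + len(JPEG_EOI)
    return hits

def fake_photo(n):
    """Constructed stand-in for a photo: JPEG markers around n filler bytes."""
    return JPEG_SOI + b"\xe0" + b"A" * n + JPEG_EOI

def demo():
    vol = ToyVolume()
    vol.write("IMG_0001.jpg", fake_photo(700))
    vol.write("IMG_0002.jpg", fake_photo(300))
    vol.factory_reset()
    listed, after_reset = len(vol.index), residual_jpegs(vol.raw)
    vol.overwrite_wipe()
    return listed, after_reset, residual_jpegs(vol.raw)

if __name__ == "__main__": print(demo())
```

After the reset the volume lists no files, yet both images are still found in the raw bytes; only the overwrite pass leaves the scan empty.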