Android Factory Reset Leaves Your Data Exposed: Study

9 iOS, Android Apps to Boost Productivity

A burgeoning market in refurbished smartphones can help offset the cost of new devices for you or your employees. But you may want to think twice before letting any of the Android smartphone users in your organization turn their old mobile devices over to the reseller market.

A study conducted by two Cambridge University students examined 21 secondhand devices from five different manufacturers running Android OS versions 2.3 to 4.3 that had been wiped using the built-in factory reset. Despite the factory reset, the researchers were able to recover the master token in 80% of the devices, from which they could successfully re-synchronize contacts, emails, and other data.

To improve usability and user engagement, most smartphone apps replace passwords with authentication tokens the first time a user enters his password. After the first password-based authentication, users are automatically logged in with the authentication token. Emails can be retrieved, calendar notifications downloaded, etc., without user intervention.

These tokens are often stored on non-volatile flash storage on the data partition, and their continued presence suggests that consumers will remain exposed to ineffectual data wipes for the foreseeable future.

The team found that viable alternatives to a factory reset for devices running Google's Android OS each possess certain drawbacks. One such option involved filling up the partition of interest with random-byte files. This alternative was discarded by the researchers because it uses the file system rather than direct flash access, and adds another layer of uncertainty. "Overwriting the entire partition bit-by-bit once did provide logical sanitization for all devices and all partitions we studied; it is therefore a reliable alternative," the report noted. "The drawback of this method is that it requires privileged [root] access to devices in practice. Therefore, it is likely to put off ordinary users."

[ Are we our own worst enemies when it comes to security? Read Google: Your Password Security Questions Are Terrible. ]

The report noted enabling Full Disk Encryption (FDE) on first use of the device would be more appropriate for ordinary users, if devices support it.

The study follows a similar report from the same research team, which revealed the same flaws in third-party anti-theft apps with remote wipe and remote lock functions. "Mobile OS architectures leave third-party security apps little leeway to improve built-in Factory Resets, therefore mobile anti-virus [MAV] remote wipe functions are not an alternative to a flawed built-in Factory Reset," the report noted. "We conclude the only viable solutions are those driven by vendors themselves."

A February 2015 survey of more than 5,600 U.S. and Germany consumers conduced by IT research firm Gartner found 60% of consumers are replacing their smartphones because they are interested in additional functionality, or they "just want" a new device. Consequently, the worldwide market for refurbished phones that are sold to end-users will grow to 120 million units by 2017, with an equivalent wholesale revenue of around $14 billion.

In North America and Western Europe, the market for refurbished phones is forecast to be worth around $3 billion in 2015 and growing to $5 billion in 2017, the Gartner report projected.

[Did you miss any of the InformationWeek Conference in Las Vegas last month? Don't worry: We have you covered. Check out what our speakers had to say and see tweets from the show. Let's keep the conversation going.]