When Android users choose to reset their smartphones, they generally believe their personal data is deleted. But Avast Software, which makes and markets device-side security apps, says that's not necessarily the case. The company was able to recover vast stores of personal data from wiped smartphones using off-the-shelf software. Time to rethink your selfies?
Avast purchased 20 different Android smartphones from eBay, which typically has tens of thousands of such devices for sale at any given time. The previous owners performed a factory reset, deleting all the content from the phones, before selling them. The factory reset option is buried in the settings menu, but it claims to erase everything from the phone and memory card. Avast then used commercially available recovery software to dig up personal information.
"The amount of personal data we retrieved from the phones was astounding. We found everything from a filled-out loan form [to] selfies of what appear to be the previous owner,” said Avast's Jude McColgan.
Avast restored 40,000 photos -- including 1,500 of children, 750 of women in various stages of undress, and 250 male nudes -- from just 20 phones. Avast also recovered 1,000 Google searches, 750 emails and text messages, and 250 contact names and email addresses. Amazingly, Avast managed to identify only four of the 20 previous owners, but an identity ratio of one-in-five should be alarming to most smartphone users.
[The best BYOD plans balance control with convenience. Read 3 BYOD Risk Prevention Strategies.]
"Along with their phones, consumers may not realize they are selling their memories and their identities. Images, emails, and other documents deleted from phones can be exploited for identity theft, blackmail, or even stalking purposes. Selling your used phone is a good way to make a little extra money, but it's potentially a bad way to protect your privacy," said McColgan.
So how do you protect yourself? Obviously Avast wants you to download and install its Android app, which overwrites everything on the device and then deletes it. Avast's app is free. There are innumerable other options in the Play Store that provide similar services, including apps from Trend Micro, Norton, McAfee, Kaspersky, BitDefender, and LookOut Mobile. Another option is to encrypt the device. All Android smartphones support encryption, which must be enabled by the user.
Avast didn't specify what devices it purchased or what versions of Android they were running. Avast also didn't identify the "commercially available" recovery software it used to break into the phones' previous lives. Further, these were all devices sold by consumers. Businesses running mobile device management software have more powerful resetting and wiping tools at their disposal. If Avast were able to recover the same amount of personal data from the devices of mobile pros that had been wiped by enterprise-grade security software, there'd be more reason to worry.
Still, it doesn't hurt to be just a little more careful when passing on used devices.
Managing the interdependency between software and infrastructure is a thorny challenge. Enter DevOps, a methodology aimed at increasing collaboration and communication between these groups while minimizing code flaws. Should security teams worry -- or rejoice? Get the DevOps' Impact On Application Security report today (registration required).