Android Factory reset fails to wipe sensitive user data, million devices at risk

Two security researchers demonstrated that the Android Factory Reset process fails to wipe private data from Android mobile devices.

Researchers at Cambridge University, Laurent Simon and Ross Anderson, revealed that more than half a billion Android devices could have data recovered due to flaws in the default wiping process.

The experts have analyzed Android 21 devices from 5 different vendors, including Samsung, HTC, and Nexus running Android versions 2.3 to 4.3, discovering that more than 500 Million Android devices fail to completely wipe data after the factory reset. The researchers demonstrated that it is possible to retrieve encryption keys and master tokens for Google and Facebook in 80 percent of cases.

User data, including SMS, photos, and videos, can be recovered because the factory reset process in Android 4.3 Jellybean and below versions is affected by flaws. The researchers explained  that the factory reset doesn’t completely wipe data, in fact, they are able to retrieve encryption keys and master tokens for Google and Facebook in 80 percent of cases.

User data, including SMS, photos, and videos, can be recovered because the factory reset process in Android 4.3 Jellybean and below versions is affected by flaws. The researchers published a paper titled Security Analysis of Android Factory Resets (PDF) that includes the detailed results of the study.

“After the reboot, the phone successfully re-synchronised contacts, emails, and so on,” researchers reported. “We recovered Google tokens in all devices with flawed Factory Reset, and the master token 80% of the time. Tokens for other apps such as Facebook can be recovered similarly. We stress that we have never attempted to use those tokens to access anyone’s account.”  states the paper.

After running factory reset on every Android device, the researchers were able to retain at least some piece of data previously stored in the Smartphone, Google account credentials, including text messages, conversations on apps such as WhatsApp and Facebook.

Below the five critical Reset failures discovered during the study:

1. The lack of Android support for the proper deletion of the disk partition in devices running versions 2.3.x of the mobile operating system.
2. The incomplete upgrades pushed to flawed devices by smartphone vendors.
3. The lack of driver support for proper deletion shipped by vendors in newer devices such as versions 4.1, 4.2 and 4.3.
4. The lack of Android support for the proper deletion of the internal and external SD card in all versions of mobile operating systems.
5. The fragility of full-disk encryption to mitigate those problems up to Android version 4.4 KitKat.

“We estimate that up to 500 million devices may not properly sanitise their data partition where credentials and other sensitive data are stored, and up to 630 million may not properly sanitise the internal SD card where multimedia files are generally saved.We found we could recover Google credentials on all devices presenting a flawed factory reset. Full-disk encryption has the potential to mitigate the problem, but we found that a flawed factory reset leaves behind enough data for the encryption key to be recovered.” explained the duo.

The experts already have reported the flaw to Google, they also highlighted that remote wiping feature for lost and stolen Android devices is affected by the same flaws.

Everyone that has sold used Android devices could be exposed to the risk of disclosure of their data, the problem is serious if we consider devices that are put aside by private firms.

Cyber spies and thieves can buy or steal the mobile devices and obtain user sensitive data, including bank account information.

An attacker can also obtain the list of installed apps and use it to profile the previous Android owner, for example discovering if he is a corporate executive or simply a school kid.

• Remotely wiping the smartphone by hitting “factory reset” as if the phone were stolen
• Updating the phone to a new version of the Android OS that allows for encryption with a passcode

but researchers explained that this solution is not 100 percent reliable.

Lets me suggest enabling full disk encryption and used strong passwords to make hard brute forcing of master keys.

Pierluigi Paganini

(Security Affairs – Factory reset, Android)