Android's Factory Reset Feature May Leave User Data Behind
If you're one of the millions of people out there with an Android phone, then you may have a problem. Last week, a research paper revealed that Android phones don't completely erase your personal data when you choose the option to reset your phone.
This presents problems for anyone who resells a phone or otherwise erases the data in the belief that their personal data are completely wiped out. Turns out they're not.
Erase All the Things
A Ph.D. student at the University of Cambridge Computer Laboratory, along with his advisor, published a research paper titled "Security Analysis of Android Factory Resets" last week. Laurent Simon and Professor Ross Anderson discovered that authentication tokens can be recovered even from phones that were ostensibly erased. Authentication tokens are used by applications from Gmail to Facebook to log a user into a particular service.
Simon and Anderson were able to recover Google tokens 80% of the time, even after a factory reset, including the so-called master token, which grants access to a user's entire Google account. This is thanks to a flawed implementation of the factory reset that doesn't erase all the data on the internal flash storage. If that weren't bad enough, thanks to Android's hardware fragmentation, the erase feature is implemented in different ways depending on the handset hardware.
Hack Attack
What's the problem? Here's the problem: Potential attackers can obtain Android phones, recover the authentication information, and log in to a user's Google account -- even if the user followed the correct steps to wipe his phone before selling it on eBay or anywhere else.
From there, a nefarious type can use the information however he or she wants, though the authors admit that "[b]lackmailing users requires enough devices to hit compromising data and enough users to hit a gullible mark," which "requires (i) a significant time investment to bet on/follow items and (ii) great logistics to buy, process, and re-sell devices." They posit that perhaps salesmen at brick-and-mortar stores would be able to more easily identify rubes, making it slightly more likely and more profitable that they would attempt to recover user information from a wiped phone.
So what can you do to protect your Android phone? For one, enable Full Disk Encryption, the authors say. Well, sort of. FDE is available only on devices that support it, and even then, only in newer versions of Android. (It was introduced in Ice Cream Sandwich, also known as Android 4.0.) To prevent unauthorized users from accessing your stuff, it's best -- where possible -- to deauthorize the device from the service. (Google and Facebook, for example, allow you to revoke a particular device's access.)
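The two points above (a reset that clears metadata but leaves flash contents in place, and why encryption at rest changes the outcome) can be illustrated with a constructed toy model. This is an added example, not code from the paper or from Android; the block layout, the XOR "cipher" standing in for FDE, and the token string are all made up for illustration.

```python
import hashlib
from typing import Dict, List, Optional

BLOCK = 64  # toy block size in bytes (constructed, not a real flash geometry)

def _keystream(key: bytes, block_no: int) -> bytes:
    # Toy per-block keystream so we can model "encrypted at rest"; not a real cipher.
    return hashlib.sha256(key + block_no.to_bytes(4, "big")).digest() * (BLOCK // 32)

class ToyFlash:
    """Constructed model of a partition: raw blocks plus a file table (the logical layer)."""
    def __init__(self, blocks: int, fde_key: Optional[bytes] = None):
        self.media = bytearray(blocks * BLOCK)
        self.table: Dict[str, List[int]] = {}
        self.fde_key = fde_key  # None models a device without Full Disk Encryption

    def _free_blocks(self) -> List[int]:
        used = {b for blocks in self.table.values() for b in blocks}
        return [i for i in range(len(self.media) // BLOCK) if i not in used]

    def write(self, name: str, data: bytes) -> None:
        free = self._free_blocks()
        chunks = [data[i:i + BLOCK].ljust(BLOCK, b"\0") for i in range(0, len(data), BLOCK)]
        assert len(chunks) <= len(free), "partition full"
        self.table[name] = free[:len(chunks)]
        for blk, chunk in zip(self.table[name], chunks):
            if self.fde_key is not None:
                chunk = bytes(a ^ b for a, b in zip(chunk, _keystream(self.fde_key, blk)))
            self.media[blk * BLOCK:(blk + 1) * BLOCK] = chunk

    def flawed_reset(self) -> None:
        # Models the reported behaviour: file table and key material go away,
        # but the blocks themselves are left exactly as they were.
        self.table.clear()
        self.fde_key = None

    def proper_reset(self) -> None:
        # Overwrite every block first, then drop the metadata; nothing survives to carve.
        self.media[:] = b"\0" * len(self.media)
        self.flawed_reset()

def carve(flash: ToyFlash, marker: bytes) -> int:
    """Forensic-style scan of the raw media for a plaintext marker, ignoring the file table."""
    return bytes(flash.media).count(marker)
```

On the unencrypted device the token marker is still found after `flawed_reset()`; on the FDE device the same scan finds nothing, because only ciphertext was ever written and the key is gone.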
And if your plan is to sell your Android phone for a pittance, just destroy it, instead.
Related Resources:
- Flawed Android Factory Reset Leaves Crypto and Login Keys Ripe for Picking (Ars Technica)
- Security Vuln Allows Android App Tampering Through Single URL Click (ZDNet)
- FBI: Actually, Don't Encrypt Your Phone After All (FindLaw's Technologist)
- Three Viable Alternatives to iOS and Android (FindLaw's Technologist)