The majority of us own a smartphone. How quickly do you move on to a newer model? For some this will be tied to their contract, often for one or two years, whereas others will opt for SIM-only deals and buy the phone outright each time. Smartphones are expensive pieces of kit, but we’ve got into the habit of churning through them pretty quickly. Unlike a TV, which a lot of people will keep until there’s a massive innovation or until it breaks, there’s more of a routine and cycle to buying smartphones, even when there’s not much difference from last year’s models.
Of course, with so many excess smartphones, it’s no surprise that people want to sell these on in order to offset the costs of their newer device. So they remove their SIM card, take out the SD card if they have one and then factory reset the phone. Then it’s as good as new, right? All your personal data should now be off the device? In fact, it’s not quite as simple as that.
A study by researchers at Cambridge University found that a vulnerability exists on Android devices, allowing unscrupulous types to recover some of your data even after a factory reset has been performed. This could be anything that’s ever been stored on your phone’s internal storage, like saved passwords, emails or text messages.
The researchers found that some data is still left in some partitions on a device following a factory reset. This is because Android devices use flash memory, which limits the amount of memory that it allows to be overwritten. There’s no driver that allows the NAND chips to be totally wiped and manufacturers have found it difficult to implement a factory reset feature that completely works.
It’s estimated that around 500 million Android devices don’t have their data fully wiped. The researchers were able to recover the Google master token, which allows access to Gmail and Calendar data, following a factory reset on 80% of phones. It’s not just the data that was once stored on the phone that’s at risk; it’s the trails that lead to all the other services you use.
“If you plan to resell or discard your device and you haven't already, encrypt it and then perform a factory reset,” Android security lead engineer Adrian Ludwig said.
To do this, go to Settings on your phone, then Security and then Encrypt Phone. Some devices like the Nexus 6 and 9 are encrypted by default.
There’s some contention about whether this is a good enough technique, with the researchers claiming that the factory reset doesn’t remove the decryption key from the device – meaning that if the ‘crypto footer’ is recovered then the encryption could be broken offline.
Does this mean you should never sell your smartphone? If you’re worried about data security, perhaps. You could fill up your device with random files following a factory reset, in order to overwrite that free space, but if you’re really security conscious then the device is better destroyed than sold.
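An added example, not part of the original article: a POSIX shell function that performs the free-space overwrite described above by writing files of random data until the storage is full, then deleting them. The function name, its parameters and the `/sdcard` path in the usage comment are assumptions for illustration, as is having a shell on the device (for example over adb).

```shell
#!/bin/sh
# Added example: overwrite the free space of the filesystem that holds DIR.
#
# fill_free_space DIR [CHUNK_MB] [MAX_CHUNKS]
#   DIR         directory on the storage to overwrite
#   CHUNK_MB    size of each filler file in MiB (default 64)
#   MAX_CHUNKS  cap for trial runs; 0 (default) means "until the storage is full"
# Prints the number of complete filler files written.
#
# Usage on a freshly reset phone (path is an assumption): fill_free_space /sdcard
fill_free_space() {
    dir=$1
    chunk_mb=${2:-64}
    max=${3:-0}

    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # Keep the filler files in one private directory so cleanup is a single rm.
    work="$dir/.wipe_fill.$$"
    mkdir "$work" || return 2

    n=0
    while [ "$max" -eq 0 ] || [ "$n" -lt "$max" ]; do
        # dd exits non-zero once the filesystem is full; the partial last
        # file it leaves behind still overwrites the remaining free blocks.
        if dd if=/dev/urandom of="$work/fill.$n" bs=1048576 \
              count="$chunk_mb" 2>/dev/null; then
            n=$((n + 1))
        else
            break
        fi
    done

    sync             # push the random data out of the page cache to flash
    rm -rf "$work"   # release the space again
    sync
    echo "$n"
}
```

This only overwrites space the filesystem exposes. As the article notes, flash limits what can be overwritten, so this reduces what can be recovered rather than guaranteeing nothing remains.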
Should You Never Sell a Smartphone Due to Data Trails?