Your data is recoverable even after Android factory reset: Cambridge Study

May 26, 2015

According to a recent study conducted by a group of researchers at Cambridge University, a factory reset doesn’t completely wipe the data from an Android smartphone. In fact, because of a flaw, your sensitive data could be recovered by hackers. So if you are in the habit of frequently changing your Android smartphone, watch out before selling your old device.

After conducting a series of tests on second-hand Android smartphones, the researchers estimated that as many as 500 million Android smartphones don’t fully delete the data partitions that contain sensitive data.

The researchers tested 21 used smartphones running Android versions from Android Gingerbread (2.3x) up to Android Jelly Bean (4.3) and recovered emails, text messages, Google access tokens and other sensitive data even after the factory reset function had been used.

Researchers Laurent Simon and Ross Anderson from the University of Cambridge, UK, bought used Android devices from eBay between January 2014 and May 2014 and conducted various tests for the study. The tests covered devices from the following brands: Samsung Electronics, HTC, LG Electronics, Motorola and Google Nexus.

It is very disturbing to know that in 80% of the cases the researchers were able to recover the Google master token from devices that had been wiped using factory reset. An attacker can misuse this token to repopulate the device with the previous owner’s Google account and thereby gain access to email, contacts, WiFi passwords and other sensitive data.

The study also claims that third-party data deletion apps are of no help in properly sanitizing smartphones, a point also highlighted in a separate study. The team does not see this problem being resolved in future Android versions either.

The study chiefly blames two factors for the failure of factory reset to wipe data completely. First, the physical nature of the flash storage found in smartphones makes it difficult to completely wipe data using any method. Second, smartphone vendors fail to provide the drivers necessary to completely wipe the flash memory used for non-volatile storage.

The issue may be resolved by writing files of random bytes to the relevant data partitions so that they occupy any unallocated space left after a factory data reset. However, you need to manually install third-party non-privileged apps after you are done with the factory data reset. The only problem with this method is that it requires root access to your device and may prove cumbersome for an ordinary smartphone user.
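
The filling approach described above, written as a shell function (an added example, not code from the study or from any app it mentions). The target directory and the optional chunk cap are assumptions; because of the flash behaviour noted earlier, overwriting through the filesystem is best-effort and may not reach every physical block.

```shell
#!/bin/sh
# Added example: overwrite a filesystem's unallocated space with random data,
# then delete the filler files so the space is usable again.
# TARGET_DIR and MAX_CHUNKS are assumptions made for this illustration.

# fill_free_space TARGET_DIR [MAX_CHUNKS]
#   Writes 1 MiB files of random bytes into a scratch directory under
#   TARGET_DIR until the filesystem is full (dd fails) or MAX_CHUNKS files
#   have been written (0 or omitted = no cap).
#   Sets FILL_CHUNKS to the number of complete 1 MiB chunks written.
fill_free_space() {
    target=$1
    max_chunks=${2:-0}
    FILL_CHUNKS=0
    [ -d "$target" ] || { echo "not a directory: $target" >&2; return 2; }
    filler=$(mktemp -d "$target/fill.XXXXXX") || return 2

    # Never leave the partition full if the run is interrupted.
    trap 'rm -rf "$filler"; exit 130' INT TERM

    while [ "$max_chunks" -eq 0 ] || [ "$FILL_CHUNKS" -lt "$max_chunks" ]; do
        # 256 x 4 KiB = 1 MiB; dd exits non-zero once no space is left,
        # leaving a final partial chunk that consumes the remainder.
        dd if=/dev/urandom of="$filler/chunk.$FILL_CHUNKS" \
            bs=4096 count=256 2>/dev/null || break
        FILL_CHUNKS=$((FILL_CHUNKS + 1))
    done

    sync                # flush the random data to storage before deleting it
    rm -rf "$filler"    # release the space again
    sync
    trap - INT TERM
    echo "wrote $FILL_CHUNKS full 1 MiB chunks of random data, then removed them"
}

# Run only when a target directory is given on the command line.
if [ "$#" -gt 0 ]; then
    fill_free_space "$@"
fi
```

Run it once per writable partition after the factory reset, passing a directory that lives on that partition.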