Some half a billion Android mobile devices from leading brands such as Samsung and HTC have a flawed “factory reset” function which leaves sensitive information — including passwords, contacts, emails, media files and text messages — recoverable after a device is “wiped”.
Even when full-disk encryption is in place, sensitive data is still recoverable because the factory reset process on affected models fails to erase the files which store decryption keys, a Cambridge University study has shown.
Researchers purchased 21 models of Samsung, LG, Motorola, HTC and Nexus smartphones second-hand from eBay and other resellers; the devices ran Android versions 2.2 Froyo through to 4.3 Jelly Bean.
Their report found the models, accounting for some 500 million devices, may not properly wipe disk partitions containing personal information.
In addition, 630 million devices may not fully erase internal storage cards, which often hold personal media files such as photos and videos, it said.
The authors said personal data was recoverable because authentication tokens used to automatically log the user into apps such as Facebook, WhatsApp or Gmail were often stored in flash storage, which is notoriously difficult to erase.
“As a test, we factory reset our own phone, then recovered the master token,” the authors said.
“After the reboot, the phone successfully re-synchronised contacts, emails, and so on.
“We recovered Google tokens in all devices with flawed factory reset, and the master token 80 per cent of the time.”
The authors successfully recovered contents of text messages, emails, chat apps, plus log-in credentials to users’ Google accounts, in all 21 of the devices.
One reason cited for the flaw was that smartphone manufacturers did not include on their devices the software drivers required to fully wipe flash chips used for non-volatile memory storage.
Access to personal information such as that contained in emails could leave highly sensitive data such as banking details available, and would create additional risks where sensitive corporate information was stored, the report noted.
The researchers warned consumers could be left vulnerable to blackmail resulting from “compromising conversations”.
Emails were recovered in 80 per cent of the sample devices, though “generally only a few per device”.
Android Security lead engineer Adrian Ludwig thanked the researchers for their efforts but said device encryption still made the recovery of data after an incomplete wipe “significantly more difficult”.
“This is one of the reasons we have enabled encryption by default on the Nexus 6 and 9 [smartphones], and one of the reasons we have very strongly recommended it for other manufacturers as well,” Mr Ludwig said.
Linus Information Security Systems director Mike Thompson also recommended device encryption, but with “no guarantees”.
It was reasonable to assume similar flaws existed in other models not included in the study, he said, and also in Apple and Windows phones.
“Even the latest models, while less exposed, will still carry through some exposures,” Mr Thompson warned.
“The issues primarily relate to the way in which flash memory storage works and how phone vendors and Google support the necessary tools to make flash more secure, [therefore] other manufacturers such as Apple are likely to be similarly exposed.”
Mr Thompson said concerned users could opt for phones with external SD storage cards, which can be removed when discarding the phone.
For businesses, he advised only sharing sensitive information on devices that complied with the latest security recommendations, plus regularly educating employees about data protection to minimise exposure.
There have been two major Android operating system upgrades since those included in the study.
Google’s Nexus 6 and 9 smartphones run the latest Android OS, Lollipop.
Android devices account for 80 per cent of the global smartphone market, according to research firm Gartner.
Some 64 per cent of all smartphones are passed on to others, traded in or sold second-hand, the firm estimates, while sales of second-hand smartphones are expected to grow significantly to 120 million units by 2017.
The operating systems included in the Cambridge study make up around 50 per cent of all Android devices currently in use, according to Google.
A factory reset function is designed to remove all files and settings a user has added to a device, and is therefore often performed before someone gives away or sells a personal mobile device.
Consumers in mature markets such as Australia are estimated to upgrade their smartphone devices every 18 to 20 months on average, according to Gartner.