Android Factory Reset Leaves Personal Data on Phone

Bad news for people who have sold or given away their old Android phones: Google's own factory reset likely didn't remove all of their personal data and account-login information. A whopping 500 million Android devices may be at risk, according to a study by University of Cambridge researchers Laurent Simon and Ross Anderson.

According to their academic paper, once an Android device's data is recovered by exploiting this flaw, it will "successfully re-synchronize contacts, emails, and so on," leaving the digital lives of the original owners completely exposed. Access to accounts through dedicated apps, such as Facebook, on a poorly wiped device can also be procured through recovered authentication tokens.

While the stock Android factory reset claims to remove Google account data, highly sensitive login credentials can be recovered after a wipe, Simon and Anderson said. Recovering data was possible even with full-disk encryption switched on, because the encryption password is often a four-digit PIN or a short password. 

The pair tested 21 secondhand phones, running Android builds between 2.3 Gingerbread and 4.3 Jelly Bean, made by Google, HTC, LG, Motorola and Samsung. Following the primary factory reset built into the operating systems, user data was recoverable on all the phones, and Google account connectivity was restored on 80 percent of the devices.

Simon and Anderson said Android's factory reset does not touch the file that stores the user account's decryption keys. Once access to that file, the so-called "crypto footer," is gained, it can be used to brute-force the user's PIN or password and gain complete access to the device.

The best advice we can offer a user looking to safely and cleanly reach a conscious uncoupling with his or her Android device is to encrypt the device with a difficult-to-crack password just before it is wiped. Simon and Anderson suggested a password with a minimum of 11 characters, including punctuation marks, symbols, and both upper- and lowercase letters.

Upgrading to Android 4.4 KitKat or later may further protect your data, but we can't be certain, as Simon and Anderson tested only secondhand phones that ran Android versions between 2.3 Gingerbread and 4.3 Jelly Bean.

In a blog post, Anderson explained that blame for this situation can be spread generously across all parties involved, although he noted that Google's own Nexus line of phones does have a higher quality of security.

"The reasons for failure are complex," Anderson said. "However, the vendors need to do a fair bit of work, and users need to take a fair amount of care."

If you were hoping that the remote-wipe feature offered by many third-party Android antivirus products fared better than the stock factory-reset procedure, think again.

"AV vendors' ... results are not that impressive," Anderson wrote, citing a second academic paper by himself and Simon released in conjunction with the first.

Taken together, Anderson said, "these failings mean that staff at firms which handle lots of second-hand phones (whether lost, stolen, sold or given to charity) could launch some truly industrial-scale attacks."

Henry T. Casey is a Staff Writer at Tom's Guide.

  • f-14
    It's getting to be like hard disk drives and motherboard BIOSes because of the built-in keylogger chip mandated by the US government decades ago; you simply must destroy them physically to the point they cannot be repaired. 20# sledge hammers work great wonders.
  • Turb0Yoda
    I wonder if they tested with a Custom Recovery (TWRP, CWM, Phillz, Safestrap, etc). My assumption is the same. My routine follows a full wipe two or three times and then restoring a stock factory image onto the phone... Then flashing the Recovery and a new ROM
  • infernocy
    That's why I don't have personal info on my phone. I have one Gmail specifically for the phone, and I back up the images and delete them from the phone... I worry more about losing my phone and having Gmail open than this...
  • captaincharisma
    It is basically the same as a hard drive. It's the same when resetting any Apple products too. Some people recommend just letting the video cam run when up against a wall or something and letting it record until it runs out of memory. This is nothing but another biased article by an Apple fanboy
  • njoy
    But the BEST PART of it is that it wipes the SD card. This is a long known issue, I remember having to manually wipe all the data from the phones people brought in for sale back when I was working at CEX in London. And the best example was my dad restoring his phone to factory settings having copied the contacts over onto the SD card, but not taking it out before the wipe. Guess which part of the storage was wiped and which stayed as it was? Yep.
  • hst101rox
    But the BEST PART of it is that it wipes the SD card. This is a long known issue, I remember having to manually wipe all the data from the phones people brought in for sale back when I was working at CEX in London. And the best example was my dad restoring his phone to factory settings having copied the contacts over onto the SD card, but not taking it out before the wipe. Guess which part of the storage was wiped and which stayed as it was? Yep.

    I did a factory reset on an older Android phone, version 2.3 or something like that. The SD card wasn't wiped. It was reformatted. So I used Recuva or another free recovery software and got all the pictures, videos back.
    So be careful, be sure the SD card really is wiped if you want to sell it.
  • TunaSoda
    This is news?
  • Downpayment Blues
    I can factory reset a phone with 3 swings of a ball peen hammer. No, I won't sell my phones, nor put them in the trash in such a way someone could steal the info. Until phone manufacturers quit using flash my ball peen hammer will be busy.
  • hst101rox
    Ball peen hammer and then e-cycle it
  • ericburnby
    It is basically the same as a hard drive. It's the same when resetting any Apple products too. Some people recommend just letting the video cam run when up against a wall or something and letting it record until it runs out of memory. This is nothing but another biased article by an Apple fanboy

    Not the same as Apple at all. Apple has used on-device hardware encryption since the iPhone 3GS. Android is still stuck in the last century with software-based encryption that you have to specifically enable and which causes a performance hit.

    When you wipe an iOS device the data doesn't get erased - the encryption key does. So you have data there, but it's encrypted basically making it useless.