We often recommend you to factory reset your Android devices when facing any bug or issue. However, the process is considered almost essential when a user wants to sell an Android device. Factory Reset is considered a trusted procedure to erase all your footprints on your Android phone and wipe its memory clean. Something you do before trusting the device to someone else, someone possibly a complete stranger.
Turns out the procedure shouldn't be trusted with cleaning the memory off the devices as some 500 million Android phones don't completely wipe data when factory reset is run on them. This, as you can see, is a huge security issue as personal data, login credentials, emails, contacts, and more can be retrieved from the Android devices even after wiping their memory clean.
Flawed Android factory reset leaves login keys on the devices:
Researchers of Cambridge University have disclosed how they were able to recover data on a wide range of devices after running factory reset. Research team tested the memory clean process on 21 Android smartphones running versions of Android between 2.3x to 4.3. The smartphones were of five different manufacturers.
All of the test phones retained at least some fragments of the data including data from third-party apps, SMS, and email apps. What's more serious is that in 80% of cases, researchers were able to get the master token that Android uses to give access to Google data including Gmail and Google calendar.
"After the reboot, the phone successfully re-synchronised contacts, emails, and so on. We recovered Google tokens in all devices with flawed Factory Reset, and the master token 80% of the time. Tokens for other apps such as Facebook can be recovered similarly. We stress that we have never attempted to use those tokens to access anyone's account."
Some of the reasons why Android Factory Reset has failed its promise of wiping the data clean include:
- Incomplete upgrades pushed by OEMs to flawed devices
- Lack of Android support for proper deletion of memory (serious problems with SD card cleaning were discovered)
- While Android Lollipop employs full-disk encryption, same is not true with OS versions up to Android 4.4 KitKat
- Lack of driver support for proper deletion on latest devices shipped by vendors
Google is yet to update on the issue as it won't be the OEMs taking the charge of problem here. Considering how serious this lack of any strong measure to clean an Android device is, users are expecting some strong response from Google.
In the meantime, if you need to clean the memory off your Android device, try remotely wiping it as if your device is stolen. While this method too isn't sure to not leave any traces but one can try.
- More details and suggestions at Security Analysis of Android Factory Resets PDF