A burgeoning market in refurbished smartphones can help offset the cost of new devices for you or your employees. But you may want to think twice before letting any of the Android smartphone users in your organization turn their old mobile devices over to the reseller market.
A study conducted by two Cambridge University students examined 21 secondhand devices from five different manufacturers running Android OS versions 2.3 to 4.3 that had been wiped using the built-in factory reset. Despite the factory reset, the researchers were able to recover the master token in 80% of the devices, from which they could successfully re-synchronize contacts, emails, and other data.
To improve usability and user engagement, most smartphone apps exchange the password for an authentication token the first time the user enters it. After that first password-based login, the app authenticates automatically with the stored token: emails can be retrieved, calendar notifications downloaded, and so on, without user intervention.
These tokens are often stored on non-volatile flash storage on the data partition, and their continued presence suggests that consumers will remain exposed to ineffectual data wipes for the foreseeable future.
The team found that viable alternatives to a factory reset for devices running Google’s Android OS each possess certain drawbacks. One such option involved filling up the partition of interest with random-byte files. This alternative was discarded by the researchers because it uses the file system rather than direct flash access, and adds another layer of uncertainty. “Overwriting the entire partition bit-by-bit once did provide logical sanitization for all devices and all partitions we studied; it is therefore a reliable alternative,” the report noted. “The drawback of this method is that it requires privileged [root] access to devices in practice. Therefore, it is likely to put off ordinary users.”
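The three outcomes described above (a metadata-only factory reset, an unprivileged fill of the partition with random-byte files, and a privileged raw overwrite of every byte) can be reproduced in a small simulation. The code below is an added example written for this article; it is not the study's tooling or Android code. It assumes a deliberately simple model: a flat partition of fixed-size blocks, a file system that only tracks a block map and free list, and a constructed "retired block" that the file system takes out of service without erasing it, standing in for the extra layer of uncertainty the researchers attribute to going through the file system rather than the raw device. The token value is constructed. The useful part for a practitioner is the verification step: after any wipe, scan the raw image for a secret you know was stored and confirm it is gone.

```python
"""Toy model: why a metadata-only factory reset leaves secrets on flash,
why a file-system-level fill is less certain than a raw overwrite, and how
to verify a wipe by scanning the raw image.  Constructed example, not
Android code and not the study's own tooling."""
import os

BLOCK = 512


class FlashPartition:
    """Raw partition: a flat bytearray of BLOCK-sized blocks."""

    def __init__(self, nblocks):
        self.nblocks = nblocks
        self.image = bytearray(nblocks * BLOCK)

    def write_block(self, idx, data):
        assert len(data) <= BLOCK
        self.image[idx * BLOCK:(idx + 1) * BLOCK] = data.ljust(BLOCK, b"\x00")

    def overwrite_raw(self):
        """Privileged wipe: every block of the partition, ignoring file-system layout."""
        for idx in range(self.nblocks):
            self.write_block(idx, os.urandom(BLOCK))


class SimpleFS:
    """Minimal file system: a name -> block-list map plus a free list.
    Deleting a file, and a metadata-only factory reset, touch only the map."""

    def __init__(self, part):
        self.part = part
        self.files = {}                       # name -> list of block indices
        self.retired = set()                  # blocks the FS will never hand out again
        self.free = list(range(part.nblocks))

    def write_file(self, name, data):
        chunks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
        blocks = []
        for chunk in chunks:
            idx = self.free.pop(0)
            self.part.write_block(idx, chunk)
            blocks.append(idx)
        self.files[name] = blocks

    def delete_file(self, name):
        # Data blocks are not erased; they just become allocatable again.
        self.free.extend(b for b in self.files.pop(name) if b not in self.retired)

    def retire_block(self, idx):
        """Constructed assumption: the FS (or flash layer) takes a block out of
        service without erasing it, so file writes can never reach it again."""
        self.retired.add(idx)

    def factory_reset(self):
        """Metadata-only reset: forget all files, rebuild the free list, touch no data."""
        self.files = {}
        self.free = [b for b in range(self.part.nblocks) if b not in self.retired]

    def fill_with_random_files(self):
        """Unprivileged wipe attempt: create random-byte files until the FS is full."""
        n = 0
        while self.free:
            self.write_file(f"fill{n}", os.urandom(BLOCK))
            n += 1
        return n


def residual_secret(part, secret):
    """Verification step: does the raw image still contain the secret anywhere?"""
    return secret in bytes(part.image)


def run_scenario(wipe):
    """wipe is 'reset', 'fill' or 'raw'; returns True if the token survives."""
    token = b"CONSTRUCTED-MASTER-TOKEN-EXAMPLE"   # constructed, not a real token
    part = FlashPartition(16)
    fs = SimpleFS(part)
    fs.write_file("accounts.db", b"account=user@example.com\ntoken=" + token)
    fs.write_file("photo.jpg", os.urandom(3 * BLOCK))
    # The block holding the token is later retired (constructed assumption).
    fs.retire_block(fs.files["accounts.db"][0])
    fs.factory_reset()
    if wipe == "fill":
        fs.fill_with_random_files()
    elif wipe == "raw":
        part.overwrite_raw()
    return residual_secret(part, token)


if __name__ == "__main__":
    for wipe in ("reset", "fill", "raw"):
        print(f"{wipe:6s} -> token recoverable: {run_scenario(wipe)}")
```

Running it shows the token surviving both the metadata-only reset and the file-system fill, and disappearing only after the raw overwrite. The same `residual_secret` check, run against a real partition image with a known test secret, is the practical way to validate a wipe procedure before trusting it on devices that leave your organization.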
Android Factory Reset Leaves Your Data Exposed: Study – InformationWeek.