Researchers at Cambridge University discovered they were able to recover data on a vast array of Android powered devices that had undergone the factory data reset process.
By “data” we do not mean simply a Google password: the researchers also found at least “some fragments” of images, text messages, contacts, and other media. Nor was the leftover data confined to the operating system; third-party apps such as Facebook left traces in the form of photos, videos, and text-based messages.
The sample of devices tested was small, but it was also representative of more than half of the Android devices in use around the world. Testing 21 devices from five different manufacturers (technically four, since Google’s Nexus devices are built by other manufacturers), running OS versions from 2.3.x Gingerbread to 4.3 Jelly Bean, the researchers recovered data following a factory reset, and on 80% of the devices they successfully extracted the master token that Android uses to access a user’s Google data.
To prove the concept, the researchers recovered a master token and restored the credential file; in their words: “After the reboot, the phone successfully re-synchronised contacts, emails, and so on. We recovered Google tokens in all devices with flawed Factory Reset, and the master token 80% of the time. Tokens for other apps such as Facebook can be recovered similarly. We stress that we have never attempted to use those tokens to access anyone's account.”
Data was recovered even when full-disk encryption had been enabled beforehand: the reset left the encrypted key material on the device, so recovery came down to guessing the user’s PIN or password offline, which is easy when that PIN is short.
You may be asking how any of this is possible. Part of the problem lies in the nature of flash storage. Because flash cells wear out, a chip ships with more capacity than it exposes to the operating system (over-provisioning), and the controller spreads writes across all of it, so a block the operating system considers deleted or overwritten may still hold its old contents. The other part of the problem is that manufacturers did not ship the drivers needed to issue the storage’s own erase commands, so the reset only removed data at the file-system level rather than sanitizing the chip.
We have seen news of this before. Last summer, AVAST performed a number of factory data resets on devices and was able to recover thousands of photos, Google searches, and hundreds of contacts and emails. In both the AVAST case and the Cambridge University study, the hardware was acquired second-hand. The Cambridge study included the following devices:
While this looks like a recurring issue, it simply points out potential vulnerabilities and does not prove that any other platform is necessarily “safe.” The fact that flash storage is at least part of the problem means that the same result can likely be reproduced on any mobile device whose reset does not use the storage’s hardware erase commands.
For those who want to be extra sure before wiping a device to sell on a secondary market like eBay or Swappa, one way to reduce the chance of leftover data surviving a factory reset is to remove your accounts, fill all available storage with random files, delete them, and then reset; some people repeat the cycle more than once. Bear in mind that user-level overwriting cannot reach the over-provisioned blocks the flash controller keeps hidden, so it lowers the amount of residue rather than guaranteeing none. The Cambridge researchers’ own recommendation is to enable full-disk encryption with a strong password before performing the reset, so that whatever survives is unreadable.
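The two points above (why a reset leaves data behind in over-provisioned flash, and why filling the storage with random files only partly helps) can be made concrete with a toy model. The following is an added example written for this article, not code from the Cambridge study or from any Android component; the page counts, the single-page lazy garbage-collection policy, and the method names are assumptions chosen for illustration.

```python
from __future__ import annotations

# Added example, not from the PhoneArena article or the Cambridge paper: a toy
# flash translation layer (FTL). Flash cannot overwrite a page in place, so
# every write goes to a fresh erased page and the old copy lingers as "stale"
# until the controller garbage-collects it. Page counts and the one-page FIFO
# GC policy are simplifications chosen for illustration.


class ToyFlash:
    def __init__(self, logical_pages: int, spare_pages: int) -> None:
        total = logical_pages + spare_pages           # spare = over-provisioning
        self.logical_pages = logical_pages
        self.physical: list[bytes | None] = [None] * total  # None = erased cell
        self.mapping: dict[int, int] = {}                    # logical -> physical
        self.free: list[int] = list(range(total))            # erased, writable
        self.stale: list[int] = []                           # unmapped, NOT erased

    def _allocate(self) -> int:
        # Assumption: lazy GC that erases a single stale page only when no erased
        # page is left. Real controllers differ, but all defer erasure somehow.
        if not self.free:
            victim = self.stale.pop(0)
            self.physical[victim] = None
            self.free.append(victim)
        return self.free.pop(0)

    def write(self, lpn: int, data: bytes) -> None:
        ppn = self._allocate()
        self.physical[ppn] = data
        old = self.mapping.get(lpn)
        self.mapping[lpn] = ppn
        if old is not None:
            self.stale.append(old)    # old copy survives until GC reaches it

    def read(self, lpn: int) -> bytes | None:
        # The operating system's view: unmapped pages look empty.
        ppn = self.mapping.get(lpn)
        return None if ppn is None else self.physical[ppn]

    def factory_reset(self) -> None:
        # A purely logical reset: forget the mappings, erase nothing.
        self.stale.extend(self.mapping.values())
        self.mapping.clear()

    def fill_free_space(self, filler: bytes) -> None:
        # What "write random files until the disk is full" does from userland:
        # one write per unmapped logical page. It can only reach logical capacity.
        for lpn in range(self.logical_pages):
            if lpn not in self.mapping:
                self.write(lpn, filler)

    def secure_erase(self) -> None:
        # Controller-level sanitize (the driver support the vendors omitted):
        # every physical page is erased, mapped, stale or spare alike.
        self.physical = [None] * len(self.physical)
        self.mapping.clear()
        self.stale.clear()
        self.free = list(range(len(self.physical)))

    def remnants(self, marker: bytes) -> int:
        # The forensic view: physical pages that still hold the marker.
        return sum(1 for p in self.physical if p is not None and marker in p)


def demo() -> dict[str, int]:
    # 8 logical pages plus 2 spare pages of over-provisioning.
    flash = ToyFlash(logical_pages=8, spare_pages=2)
    for i in range(8):
        flash.write(i, b"secret-token-%02d" % i)       # constructed sample data
    results: dict[str, int] = {}
    flash.factory_reset()
    results["os_view_after_reset"] = sum(flash.read(i) is not None for i in range(8))
    results["after_reset"] = flash.remnants(b"secret")          # everything survives
    flash.fill_free_space(b"random-filler")
    results["after_fill"] = flash.remnants(b"secret")           # == spare_pages
    flash.secure_erase()
    results["after_secure_erase"] = flash.remnants(b"secret")   # nothing left
    return results


if __name__ == "__main__":
    for step, count in demo().items():
        print(f"{step}: {count}")
```

After the logical reset the operating system reads every page as empty, yet all eight secret pages are still physically present. Filling the logical capacity with random data erases only as many stale pages as garbage collection is forced to reclaim, and exactly `spare_pages` copies of the old data remain in the hidden over-provisioned area. Only the controller-level erase clears them, which is why the missing driver support matters more than how many times the user overwrites the visible storage.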
As the other half of Android devices are running version 4.4 KitKat and later, we hope researchers will try to gather some newer devices and apply the same methodology to recover files that are supposed to be removed during a reset.
Maxwell Ramsey has made significant contributions to PhoneArena through his detailed reporting on technology policy and advancements, such as wireless charging standards and FCC regulations, helping demystify complex topics for a broad readership.