Factory data reset for Android leaves encrypted data and login keys intact

Researchers at Cambridge University discovered they were able to recover data on a vast array of Android-powered devices that had undergone the factory data reset process.

“Data” here means more than information like a Google password; it also includes images, text messages, contacts, and other media, where at least “some fragments” of old data were found. The data was not confined to the operating system either: third-party apps such as Facebook left traces in the form of photos, videos, and text-based messages.

The sample of devices tested was small, but also representative of more than half of Android devices in use around the world. Testing 21 devices made by five different manufacturers (technically 4 if you do not count Google’s Nexus devices), running OS versions 2.3.x Gingerbread to 4.3 Jelly Bean, researchers found data following a factory reset, and in 80% of the devices, they successfully extracted the master token used by Android to access Google user data.

To prove the concept, the researchers successfully recovered a master token and were able to restore the credential file: “After the reboot, the phone successfully re-synchronised contacts, emails, and so on. We recovered Google tokens in all devices with flawed Factory Reset, and the master token 80% of the time. Tokens for other apps such as Facebook can be recovered similarly. We stress that we have never attempted to use those tokens to access anyone's account.”

Data was recovered even when full encryption was previously enabled.

You may be asking how any of this is possible. It turns out that part of the problem lies with the nature of flash storage. Due to inherent reliability factors, storage is oftentimes over-provisioned to account for wear and tear over time. Another part of the problem is that the manufacturers did not provide the necessary software drivers to fully delete the storage.

We have seen news of this before. Last summer, AVAST performed a number of factory data resets on devices and was able to recover thousands of photos, Google searches, and hundreds of contacts and emails. In both the case of AVAST, and with the Cambridge University study, the hardware used was acquired second-hand. The Cambridge study included the following devices:

Android 2.2.x Froyo: HTC Nexus One, Motorola Defy

Android 2.3.x Gingerbread: Samsung Galaxy S+, HTC Wildfire S, HTC Desire S, Samsung Galaxy S, Samsung Galaxy S2, Samsung Galaxy ACE, LG Optimus L3, Nexus S

Android 4.0.x ICS: HTC Sensation, Samsung Galaxy S3, HTC Desire C, Samsung Galaxy S2, LG Optimus L5

Android 4.(1-3).x Jelly Bean: Nexus 4 (2), Motorola RAZR i, LG Optimus L7, Nexus S, Samsung Galaxy Note, HTC One S, HTC One X

While this looks like a recurring issue, it simply points out potential vulnerabilities and does not prove that any other platform is necessarily “safe.” The fact that flash storage is at least part of the problem means that this can likely be duplicated on any mobile device.

For those who like to be extra sure before they wipe a device to sell on a secondary market like eBay or Swappa, one way to help keep leftover data from surviving a factory reset is to delete your accounts, overwrite all available space on the storage with random files, then delete again. Some people like to do that more than once.
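The overwrite step described above, as an added example (not from the article or the Cambridge paper): a POSIX shell function that fills a volume with random files, flushes them to storage, then deletes them. The function name, the `/sdcard` path in the comment and the optional chunk cap are assumptions; writes made through the filesystem cannot reach over-provisioned flash blocks, so this reduces residue rather than guaranteeing none.

```shell
#!/bin/sh
# Added example: overwrite free space with random data, then delete it.
# fill_free_space DIR CHUNK_KB [MAX_CHUNKS]
#   DIR        directory on the volume to overwrite (assumed e.g. /sdcard)
#   CHUNK_KB   size of each filler file in KiB
#   MAX_CHUNKS optional cap; 0 or omitted means run until the volume is full
# Prints the number of KiB written. Returns 2 on bad arguments.
fill_free_space() {
    dir=$1; chunk_kb=$2; max_chunks=${3:-0}
    [ -d "$dir" ] && [ "$chunk_kb" -gt 0 ] 2>/dev/null || return 2

    work="$dir/.wipe_filler.$$"
    mkdir "$work" || return 1
    n=0; written_kb=0

    while [ "$max_chunks" -eq 0 ] || [ "$n" -lt "$max_chunks" ]; do
        f="$work/fill_$n.bin"
        # dd exits non-zero once the volume is full. The partial file it
        # leaves still covered the last free blocks, so count it and stop.
        if dd if=/dev/urandom of="$f" bs=1024 count="$chunk_kb" 2>/dev/null; then
            written_kb=$((written_kb + chunk_kb))
        else
            part=$(wc -c < "$f" 2>/dev/null || echo 0)
            written_kb=$((written_kb + part / 1024))
            break
        fi
        n=$((n + 1))
    done

    # Flush before deleting: data still in the page cache has not
    # overwritten anything on the flash yet.
    sync
    rm -rf "$work"
    sync
    echo "$written_kb"
}

# Typical use after removing accounts and before the final factory reset:
#   fill_free_space /sdcard 65536
# Repeat the call for additional passes.
```
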

As the other half of Android devices are running version 4.4 KitKat and later, we hope researchers will try to gather some newer devices and apply the same methodology to recover files that are supposed to be removed during a reset.

sources: Cambridge University (PDF) via Ars Technica

25 Comments

1. BobbyBuster

Posts: 854; Member since: Jan 13, 2015

Beauty of Android: There are such innovative ways raising resale values. ROFL.

2. vergil9

Posts: 517; Member since: Apr 06, 2015

This was completely expected.

12. vincelongman

Posts: 5692; Member since: Feb 10, 2013

Yea isn't this just the nature of deleting things? There's programs out there designed to recover accidentally "permanently" deleted files. If you really want to delete files you have to overwrite the data multiple times. Google should add this option. But we got to keep in mind it would increase the time taken by heaps, e.g. maybe 3x longer for 3 overwrites.

13. vergil9

Posts: 517; Member since: Apr 06, 2015

I was talking about his comment. Anyways, it's not just 3x, because you have to overwrite the entire storage.

18. vincelongman

Posts: 5692; Member since: Feb 10, 2013

Oh right haha. Yea, I believe you would have to overwrite the entire storage multiple times over. Unless the algorithms have improved since.

3. drunkenjay

Posts: 1670; Member since: Feb 11, 2013

dw you p*ssy pics are probably in the next installation of the f*ppening.

11. bendgate unregistered

You are beyond ret@rd. Even patriots are better than you.

14. vincelongman

Posts: 5692; Member since: Feb 10, 2013

Apple's version isn't perfect either (at least when I used it). I factory reset my old Jailbroken iPod Touch 4 multiple times. One of my "minor" Jailbroken mods remained every time. But no complaints from me though, I hated that my iPod Touch 4 didn't show its battery percentage. And unless Apple's factory reset does multiple overwrites, they will have the same problem as Google, since the problem is with erasing the data after it's deleted.

21. VZWuser76

Posts: 4974; Member since: Mar 04, 2010

Ever done a regular format on a PC? The same thing happens there. The only way to truly eliminate the data stored on a hard drive is to do a zero fill format (overwrite). The one I've used in the past was a DOD 3 pass format app. It overwrites the hard drive 3 times, ensuring no data is recoverable. This is only a problem if the next owner of the phone knows how to recover the data. And I'll bet this issue is no different on other OSs, with maybe the exception of BlackBerry.

4. JunitoNH

Posts: 1946; Member since: Feb 15, 2012

This should be interesting, they probably blame Apple blah blah blah

5. UglyFrank

Posts: 2194; Member since: Jan 23, 2014

That's not Google's style.

6. sprockkets

Posts: 1612; Member since: Jan 16, 2012

"Data was recovered even when full encryption was previously enabled." Incorrect. They found the footer to do an offline attack. This does not mean they actually recovered any data. "As the other half of Android devices are running version 4.4 KitKat and later, we hope researchers will try to gather some newer devices and apply the same methodology to recover files that are supposed to be removed during a reset." Here's a hint: They didn't use 4.4 because it isn't practical to do offline attacks with it, not because they didn't have access to any. Bottom line? This is all irrelevant. If your phone is not rooted, nor can be rooted via an exploit or via unlocking the bootloader, you can't dump the information off the phone, full stop. If you can root, forget about anything else, because it is game over at that point.

7. BobbyBuster

Posts: 854; Member since: Jan 13, 2015

excuses, excuses.....

8. iushnt

Posts: 3105; Member since: Feb 06, 2013

Or maybe u got an excuse to hate Android more.. By the way, if someone goes and buys an Android device now, it will be lollipop. So I think you should stop finding excuses for hating..

9. vergil9

Posts: 517; Member since: Apr 06, 2015

Don't bother, he's either an idiot or a troll, or maybe both.

10. sprockkets

Posts: 1612; Member since: Jan 16, 2012

Not at all. IOS devices since the 4s are very hard to crack, and none of them can be bootloader unlocked. And they did the secure erase of the keys correctly. Only Nexus LP devices with reset protection and TEE key signing will stand up to these attacks. But, any device bought in the last two years who used TEE key signing to stop offline attacks will work too! Your turn to mindlessly troll back.

15. joey_sfb

Posts: 6794; Member since: Mar 29, 2012

"excuses, excuses....." Did you even read the article? It says this could be done on any device, which is the nature of how flash storage works. Unless iPhone don't use flash memory but it does. So take your comment and shove it in your own ass!

16. sprockkets

Posts: 1612; Member since: Jan 16, 2012

I have to concede here. Every ios device since the 3GS encrypts everything by default. On a factory erase, it erases the key multiple times to ensure its destruction. Apple got it right. But with LP (well most are making encryption mandatory) and using TZ for key signing, it is just as good.

19. joey_sfb

Posts: 6794; Member since: Mar 29, 2012

"Data was recovered even when full encryption was previously enabled. You may be asking how any of this is possible. Turns out, part of the problem lies with the nature of flash storage. Due to inherence reliability factors, often times storage is over-provisioned to account for wear and tear over time. Another part of the problem is the manufacturers did not provide the necessary software drivers to fully delete the storage."

17. WAusJackBauer

Posts: 455; Member since: Mar 22, 2015

Well of course, this happens with any data. You need to secure erase and I don't think you're able to do that on phones.

20. trublackrose

Posts: 45; Member since: Apr 14, 2015

Be it Apple, WP, Android, PC, Mac, Thumb drive, External HDD, PS3, PS4, Xbox 360, Xbox One, PS2 Memory Card, Xbox Memory Card, PS Memory Card, Gameboy Advance, Gameboy, Gameboy 3ds, Nintendo Cartridges, N64 Memory Cards, etc. If it writes Data. The only way to delete the data where it cannot be recovered is by Destroying the device, then Lighting it on fire, then pouring thermite on it, then dumping it in an active volcano. This is not news. Moving on.

22. VZWuser76

Posts: 4974; Member since: Mar 04, 2010

I've found a DOD 3 pass overwrite program will take care of the issue, since it overwrites the data 3 times.

23. janno

Posts: 144; Member since: Aug 19, 2014

Or you could...you know...encrypt your device by default. Encryption solves this problem and it's just one of the many reasons you should make sure it's enabled from the moment you buy your phone (should have fast performance on 64-bit ARM chips).

24. dimas

Posts: 3363; Member since: Jul 22, 2014

Digital forensics will tell you that there's no guarantee you're doing 100% data wipe out on PCs and mobile devices unless you use a special program. I don't resell my phones, I just destroy the motherboard and chips if it's too broken to be fixed. Hardware destruction is still the best method for data erasure.

26. tommartin17

Posts: 32; Member since: Apr 07, 2015

I like your idea!
