Hundreds of millions of Android users have potentially used the Android’s factory reset option to wipe of confidential data before selling it or donating it, they assume all that data is gone permanently from the device. But a new study from the makers of security products for mobile and desktop devices, Avast claim that Android's built-in factory reset option does not fully delete a device of the user’s personal information and the data may still be recoverable.
The Prague-based Avast conducted a test to support their theory. It bought nearly 20 used Android smartphones from eBay which is one of the most widely used online sources for selling smartphones. The company was able to recover tens of thousands of personal files including e-mails, text messages, personal photos and even nude selfies of the owners.
The recovered files include more than 40,000 photos including more than 1,500 family pictures of children, 750 photos of women in different stages of undress and 250 selfies of nude men. Besides that, there were 750 e-mails and text messages, 250 contact names and e-mail addresses, one completed loan application, identities of four phones’ previous owners and 1,000 Google searches, all from phones that had been wiped clean.
Used smartphones are available for sale in the thousands. Avast noted that, at any given time, there are more than 80,000 used smartphones for sale on eBay. The Android devices were bought from different sellers in the U.S. The previous owners of the phones had all used a factory reset to erase their data. Using digital forensics software such as FTK Imager, a drive-imaging programme, Avast managed to retrieve personal data that supposedly had been erased.
The company apprised that simply removing data from Android handsets was not enough, with software easily able to recover deleted files. Users are suggested to use specialist apps to permanently remove and overwrite all files on the device before trading it. This would help intercept sensitive data being accessed by potential future owners. Jude McColgan, Avast's President of Mobile pointed out that if those files landed in the wrong hands, they could be used for blackmail, identity theft or even stalking.
In contrast, iOS tackles data wipe more effectively, according to Apple. iPhones and iPads include hardware encryption, and when the user erases the data on the phone, the encryption keys are overwritten. With that, there’s no way anybody can decrypt the data, even if they somehow managed to recover it.