Half a billion users who use or have used Android software could be at risk of having their phone data recovered and their Google accounts compromised, after researchers recently found that the default wiping feature fails to properly clear all sensitive user data from the device.
Android phones are normally reset to their factory state before being sold or disposed of. However, University of Cambridge scientists Laurent Simon and Ross Anderson have claimed that user data is retrievable from second-hand Android devices that have been wiped through a factory reset.
Most Android phones provide no easy way to delete user data, including messages, pictures, access tokens and other content, the study said. There has been growing concern about smartphones still holding traces of personal data even after the phone's factory reset feature has been used.
The study examined 21 second-hand Samsung, LG, Motorola, HTC and Nexus smartphones running Android versions 2.2 Froyo through to 4.3 Jelly Bean that had been cleared using the operating system's built-in factory reset feature.
It found that the models, accounting for some half a million devices, could not properly wipe disk partitions containing personal information. Additionally, 630 million devices may not completely erase internal storage cards, which often contain personal media files such as pictures and videos, the study said.
The issue also exists with third-party data deletion applications, like those provided by antivirus vendors, who fail to include much-needed drivers or introduce failures through their modifications of Android for individual devices, the researchers said.
The researchers were able to retrieve data including multimedia files and login credentials from erased handsets. Many of the phones yielded the master token used to access Google account data, such as Gmail and Google Calendar, and the researchers found that after a reboot, the phone successfully re-synchronised emails, contacts and other information.
The problem is the result of various issues, including the inherent difficulty of completely erasing data from the flash memory used in smartphones, which is due to the physical nature of such memory chips, according to the study.
The master token, used to access Google accounts, was found to be recoverable in almost 80 percent of the handsets that had a default factory reset mechanism.
The data can be recovered even from devices protected by full-disk encryption, because the file storing the decryption key is not deleted, which leaves it exposed to cracking, the researchers said.