Researchers at Cambridge University have uncovered a critical vulnerability in Google’s Android OS. Over 500 million Android devices have a flawed implementation of the factory reset feature, leaving user data vulnerable. This weakness allows an attacker to access login credentials, contacts, emails, text messages and other information on the device even after the factory reset has done its wipe.
In determining the vulnerability, 21 devices were tested with Android versions spanning 2.3-4.3 from 5 different manufacturers. Each device had some old data that was recoverable and in 80% of cases, the master token, used to communicate with Google, was retrieved. Obtaining the token allowed the researchers to sync with Google servers for contacts, Gmail and Google Calendar. Tokens for other apps like Facebook were also retrieved after the reset.
The vulnerability arises from a number of factors. One of these is that the manufacturer, in creating their Android build, failed to supply the proper drivers to ensure the flash memory was wiped. Another factor is the inability of the OS to access all parts of storage due to the file system and flash controller. This is inherent in how flash storage currently works, with the OS seeing less storage space than is actually being used by the device. More troubling is that full disk encryption fails to protect data because the decryption key is not wiped, allowing an attacker to first break the decryption key, then proceed to decrypt the device and its less-than-deleted contents.
Factory Reset is a critical function built into Android itself. It’s used when the phone is being retired, recycled or resold as a way to prevent sensitive information from being passed on. The fact that such an important built-in function is so broken is troubling. It also raises issues with Android’s remote wiping function, which has likely become less useful due to this vulnerability. For now, the only ways to ensure security are to wipe storage repeatedly in the hope that all space will eventually get wiped, or to physically destroy the device.
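A toy model of the flash behaviour described above, as an added example that is not from the researchers or the original article: a simplified flash translation layer in Python in which the OS can address 8 of 10 physical pages. The class, page counts, garbage-collection policy and sample data are assumptions for illustration; real controllers use their own policies.

```python
# Toy flash translation layer: why a logical overwrite can leave old data behind.
SECRET = b"auth-token"   # constructed sample data
ZERO = b"\x00" * 10


class ToyFlash:
    def __init__(self, physical_pages, logical_pages):
        # The OS only sees `logical_pages`; the rest is spare area for the controller.
        self.logical_pages = logical_pages
        self.pages = [None] * physical_pages   # raw page contents (None = erased)
        self.mapping = {}                       # logical page -> physical page
        self.free = list(range(physical_pages))
        self.stale = []                         # unmapped pages still holding old data

    def _garbage_collect(self):
        for p in self.stale:                    # erase stale pages, then reuse them
            self.pages[p] = None
        self.free, self.stale = self.stale, []

    def write(self, lpn, data):
        # Flash cannot overwrite in place: new data goes to a fresh page,
        # and the old page is only marked stale, not erased.
        if not self.free:
            self._garbage_collect()
        target = self.free.pop(0)
        self.pages[target] = data
        if lpn in self.mapping:
            self.stale.append(self.mapping[lpn])
        self.mapping[lpn] = target

    def overwrite_all(self, data=ZERO):
        """What a software wipe can do: rewrite every page the OS can address."""
        for lpn in range(self.logical_pages):
            self.write(lpn, data)

    def os_view(self):
        return [self.pages[self.mapping[l]] for l in range(self.logical_pages)]

    def raw_leftovers(self, needle=SECRET):
        """Physical pages still holding `needle`, as a chip-level read would see."""
        return [i for i, d in enumerate(self.pages) if d == needle]


def simulate(passes, physical_pages=10, logical_pages=8):
    flash = ToyFlash(physical_pages, logical_pages)
    flash.overwrite_all(SECRET)          # the user's data fills the visible space
    for _ in range(passes):
        flash.overwrite_all(ZERO)        # one "wipe" pass over the visible space
    return flash.os_view().count(SECRET), flash.raw_leftovers()
```

In this model one overwrite pass leaves two physical pages holding the old data even though the OS view is clean; a second pass happens to clear them, which a real controller does not guarantee.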
Google first announced that Android 5.1 is coming on Android One, making many references to the software and stating that it is targeting developing countries. Now, the company has officially announced Android 5.1 via the Android blog.
At first glance, the latest Android seems to bring minor updates. However, Google states that it “improves stability and performance” over 5.0. Aside from that, Android 5.1 also comes with support for multiple SIM slots and HD voice, along with a new security feature named Device Protection.
Google’s Device Protection feature seems to work similarly to Apple’s security measure, being in place in case the phone is lost or stolen. Users are required to sign into their Google accounts to unlock the device, and the protection survives even if the handset undergoes a factory reset.
While we know that Google will be rolling out Android 5.1, we still do not know exactly when. However, AOSP and Nexus devices should be the first handsets to receive the latest update.
Thank you Ars Technica for providing us with this information.
The assumption that a factory reset erases all the data you’ve put onto an Android device is a fairly common one among Android users. However, this simply may not be the case. This isn’t the first time that the utility of the factory reset function has been called into question: 5 months ago we wrote a piece about how used phone vendors were selling phones with recoverable data on them. The latest details come from Avast, who claim that wiping your Android device through the factory reset could still leave much of your personal data behind.
Avast went to the length of buying 20 used phones on eBay that had been wiped using Android’s factory reset function. With some digital recovery tools and a little effort Avast were able to recover data from all 20 devices.
“Although at first glance the phones appeared thoroughly erased, we quickly retrieved a lot of private data. In most cases, we got to the low-level analysis, which helped us recover SMS and chat messages,”
From the 20 smartphones Avast managed to extract:
40,000 images (1000 of those included partial or full nude images)
750 emails and texts
The identity of the previous owners
A completed loan application
GPS coordinates detailing the previous owners’ travelling habits
How did Avast recover all this data? Simply by using FTK Imager, a free digital forensics tool available online. Avast also used knowledge and information provided on the XDA developer forums, such as the need to use the Android Debug Bridge and Backup Extractor functions, which essentially allow data to be extracted without the device being unlocked. Worse still, Avast’s consumer habits survey revealed only 8% use software intended to wipe this kind of digital footprint.
Short of burning your old smartphone into a pile of ashes, there are not any easy ways to erase your digital footprint. What tools do you use to erase your Android data?