
500 million Android users at risk!


One of the most important things I tell you to do when you give away or sell any gadget is to wipe your information. That prevents the next owner, whether they're a criminal or just a snoop, from seeing your sensitive information like bank accounts, contacts, emails, texts, photos, location or getting access to your online accounts.

With Android, wiping your gadget means using the simple Factory Reset option. Unfortunately, it now appears that a reset doesn't do quite as much as you would hope.

The University of Cambridge has wrapped up a first-of-its-kind study that looks at how much information is left on Android gadgets after a factory reset. It found that a hacker could recover Google account information, Wi-Fi credentials, browsing history, email, texts, photos, third-party app information and much more.

Because of Android's popularity, researchers estimate that 500 million gadgets are affected, and that number could grow to 630 million. That could include ones you've gotten rid of in the past, or are about to sell or give away.

The problem

To run the study, researchers got 21 second-hand Android gadgets covering 5 manufacturers with Android versions ranging from 2.3 to 4.3. The researchers wiped each gadget (assuming the former owners hadn't already wiped them) and then went digging to see what was left over.

Note: I should point out that most newer gadgets run 4.4 to 5.1, and the researchers didn't test those. However, right now you're more likely to get rid of a gadget running an older version of Android, so this is still a worry.

Depending on the version of Android and manufacturer there was actually a difference in what kind of information was left. For example, very few pre-Android 4.0 gadgets wiped the internal or external SD card, if there was one. This is where photos and other multimedia files are usually kept.

When it comes to specific phones, the Google Nexus 4 has an error and doesn't wipe the last 16KB of its main partition. Various HTC-One models sometimes wipe the SD card and sometimes don't, even using the same settings.

However, as you can see from the chart below, the researchers were able, in practice, to recover bits of data from each phone. This included the phone owner, installed apps, contacts, browsing history, credentials, multimedia and conversations.

[Chart: Data recovery. Source: University of Cambridge (PDF)]

The credentials section is a big worry, because that includes your Google authentication token, which would let someone access your Google account without a password. It could do the same thing for Facebook.

I should point out that the data is still very fragmentary. So a hacker is unlikely to get your entire browsing history or contacts, just tiny bits and pieces that may or may not be useful.

The solution

So, what can you do? Unfortunately, the answer is "not much." The researchers give a few solutions, but they're highly technical.

If you have Android 4 or higher, you can turn on full disk encryption, which makes data harder to read. However, the researchers found that a skilled hacker might be able to rebuild the deleted encryption key and still access the information. If you do turn on encryption before you wipe the gadget, you can make it harder for a hacker to break by changing your gadget's password from a PIN to a really long, complicated password.

The researchers suggest overwriting the wiped area with random data to try to overwrite anything important. However, that requires rooting your phone and adding data manually, which isn't an easy process. There's also a quirk of flash memory, which these gadgets use for storage, to consider: you can never completely wipe it. There are always going to be fragments of data left behind.
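The flash quirk described above can be seen in a toy model, added here as an illustration and not taken from the study or the article. The names `ToyFlash`, `quick_reset`, `overwrite_all` and `residual` are hypothetical, and the 16-byte pages, two spare pages and erase-only-when-full policy are assumptions chosen to keep the model small.

```python
import os

ERASED = b"\xff" * 16  # an erased flash page reads as all 0xFF in this model

class ToyFlash:
    """Toy flash translation layer (assumed model): writes never overwrite in place."""
    def __init__(self, logical_pages=8, spare_pages=2):
        total = logical_pages + spare_pages
        self.physical = [ERASED] * total   # raw chip contents
        self.mapping = {}                  # logical page -> physical page
        self.free = list(range(total))     # erased pages ready for writing
        self.stale = []                    # unmapped pages that still hold old data

    def write(self, lpn, data):
        if not self.free:                  # erase an old page only when forced to
            victim = self.stale.pop(0)
            self.physical[victim] = ERASED
            self.free.append(victim)
        new = self.free.pop(0)
        self.physical[new] = data.ljust(16, b"\x00")[:16]
        if lpn in self.mapping:            # the previous copy becomes stale, not erased
            self.stale.append(self.mapping[lpn])
        self.mapping[lpn] = new

    def quick_reset(self):
        """Reset that only drops the mapping; page contents are untouched."""
        self.stale.extend(self.mapping.values())
        self.mapping.clear()

    def overwrite_all(self, logical_pages=8):
        """Fill every logical page with random bytes, as the overwrite advice suggests."""
        for lpn in range(logical_pages):
            self.write(lpn, os.urandom(16))

def residual(flash, secrets):
    """Count constructed secrets still readable from the raw physical pages."""
    raw = b"".join(flash.physical)
    return sum(1 for s in secrets if s in raw)

def demo():
    secrets = [b"token-%02d-secret" % i for i in range(8)]  # constructed sample data
    flash = ToyFlash()
    for lpn, s in enumerate(secrets):
        flash.write(lpn, s)
    flash.quick_reset()
    after_reset = residual(flash, secrets)
    flash.overwrite_all()
    return after_reset, residual(flash, secrets)

if __name__ == "__main__":
    print(demo())
```

In this model the reset alone leaves every secret on the chip, and filling the visible storage with random data still leaves as many stale pages as there are spare pages.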

The researchers say that the best solution is to destroy your old gadgets instead of selling or giving them away. It's up to Google and gadget manufacturers to work out a more secure way to permanently wipe data, and those ways will only arrive in newer gadgets.

It could be that the problem is already fixed and Android 4.4 and up fare better, but that still needs to be tested. There's also no data on whether or not similar problems exist with Apple, Windows Phone, Blackberry and other types of phones.

I'm going to say that if you have an older gadget, it's OK to give it to friends or family, because most of them won't have the skill to pull any information. However, I would think twice before selling a gadget that runs Android 4.3 or less, and definitely not one less than 4.0.

That doesn't mean you're stuck, however. Click here to learn some great uses for an old smartphone or tablet that you might not expect.

Source: Daily Mail