Android factory reset flaw

When you sell your phone or pass it down to someone else, one of the very first things that you do is reset it to its factory settings. In doing so, the idea is that every single bit of data that you’ve ever put into the device will be deleted including: your calls, texts, songs, videos, and account log-in information. You can then feel confident with the idea that the next person who uses that device won’t be able to access a single thing.

Unfortunately for Android users, the factory resets that they’ve been doing haven’t exactly much wiped those devices clean; not even close. In fact, not only is a significant amount of data left on the devices, but what’s left on them is more than enough for malicious users and hackers to access log-in info and other sensitive information.

This was proven by Cambridge University researchers who tested a range of Android-powered p devices. The researchers put 21 different Android smartphones to the test, running a range of different Android operating systems from Android 2.3 to Android 4.3. All of the phones tested still held some amount of data on them after the factory resets had taken place, including contact data, information from the Facebook app, and info from text and email conversations. Information from Google apps fared better though, as in 80% of phones, the researchers could access the master token which in turn gave them access to things like Google Calendar and Gmail.

The researchers say that there are several root causes. One reason is because the memory aspects of our devices are built to withstand wear over time and so although they may say that they are capable of holding one amount of memory, the real figure may be a lot more than that to compensate for this degradation. As a result, it is difficult to delete everything off of them in a factory reset. Another reason is that when a device is protected with full-disk encryption, the file that stores the decryption key isn’t affected by the the factory reset and so the hacker would be able to use this leftover info to access other data within the device. Ars Technica notes that hacking a phone in this way could take a matter of seconds.

How many Android users have been affected? The researchers estimate that over 500 million Android users are vulnerable to this flaw, should they decide to factory reset their devices and pass them on. However there is one large caveat about their research: it doesn’t test Android 4.4 or Android 5.0, which newer Android handsets will be running. As a result, we don’t know if the flaw has been patched up and that it will be avoidable just by upgrading your OS.