Android's Factory Reset Option Does Not Wipe All Data

[zzm9980]

zzm9980 & X9200

I'm open to buying used memory cards from you guys how many naked photos will I find?

You do NOT WANT to see those.

Agreed.

[nakatago]

zzm9980 & X9200

I'm open to buying used memory cards from you guys how many naked photos will I find?

You do NOT WANT to see those.

hey want a used camcorder dude?

@x9200 *steps away from the keyboard slowly*

It's alright; I'll just have a data wiping utility have a pass at it several times.

[zzm9980]

It's not really stupid, just pragmatic:
1) for majority of the users nobody would care to look for such data (leftovers) unless they are still available at the application level. Good that the study showed a potential problem (more real right now as it was advertised) but in reality it was/is extremely unlikely that the next owner was going to make any attempts to recover anything. I bet it is more likely by an order of magnitude that the said devices were lost or stolen with all the data presents in their original condition.

Once a cheap/easy tool is available (There are already a pair of tools I know of, and have for a while) to do this, lots of people will be doing this to old devices. Mobile phone vendors need to consider this.

Lots? They will be buying 2nd hand camera phones from ebay and such to check if there are some naked photos inside? C'mon.

2) no one with a tidbit of common sense store this sort of data in such devices. I think you as a security specialist are more then aware that practically always it is possible to restore the data, factory reset or not. It is just the matter what means are employed. If you chose to store your naked photos on such device you always take a risk. Always.
Also, if you have a PC with sensitive data and you encounter a disc failure with no access to the disc within the warranty period what should you do?

Yes, true, but who, an average who, cares to recover such data? You sold your phone, somebody bought it and then, this somebody had to: a) know he could do it; b) make some effort to do this. A 1/10k chance?

Again, why do you think somebody would make an effort (personal, finantial) to buy a phone from an anonymous person hoping to take over her or his e-mail passwords? Just realize what efford this would require, assuming the intentions are criminal.

3) Yes, encryption helps but if someone really wants I bet the key can be also recovered, or not? The only true* protection would be to have the key on a separate piece of hardware and have a new one issued with the change of the owner with the old one being physically destroyed.

*true as of the computing power available to check all the possible keys.

Every iPhone since iPhone4 has had dedicated crypto storage specifically for this purpose. It's easy for Apple since they own the hardware and software stack. Other phone makers should do the same. It's harder for them.

But this is a built in storage and can not be replaced/destroyed by the end user. Or is this some sort of storage that once wiped out is not possible to recover data at all? Somehow I doubt that in this world of permanent invigilation a company would sell a product where the data can not be recovered.

I hate when people reply in line in color, since it's obnoxious to try and address the individual points.

I don't agree with your points, and you don't agree with mine. You don't seem to value personal privacy as much as I do. I don't think we'll convince each otherwise so I'll just give up.

For the crypto chip, your doubts are unfounded as you're wrong. Feel free to read about it: http://infocenter.arm.com/help/topic/co ... epaper.pdf

[x9200]

I don't agree with your points, and you don't agree with mine. You don't seem to value personal privacy as much as I do. I don't think we'll convince each otherwise so I'll just give up.

You are generally quite intelligent person so I am a bit surprised you miss this simple point that this is not about the privacy but risk assessment and pragmatism. All the sudden you miss the whole forest for the trees.

[the lynx]

So from what I've been reading, you can prevent that by (1) encrypting before the factory reset (2) use the "special" data wiping feature offered by Avast and other "info security" companies, or (3) keep overwriting that data.

And I wonder why this only gets discovered now...

[x9200]

For the exact reason I mentioned in my first post. This is a classic high severity low frequency case.