Android's Factory Reset Option Does Not Wipe All Data

[the lynx]

http://gadgets.ndtv.com/mobiles/news/an ... udy-555500

"Users thought they were doing a clean wipe and factory reinstall," said Jude McColgan, Avast Mobile Division President speaking to CNET, but instead of a clean wipe, the factory reset clears "only at the application layer."

Oh boy...

[ecureilx]

http://gadgets.ndtv.com/mobiles/news/an ... udy-555500

"Users thought they were doing a clean wipe and factory reinstall," said Jude McColgan, Avast Mobile Division President speaking to CNET, but instead of a clean wipe, the factory reset clears "only at the application layer."

Oh boy...

I know it, when I was about to gift my Galaxy ace

rooted it and did an upgrade to pseudo V 4 .. problem solved ... but warranty void

actually even the Symbian phones don't delete all info too ...

[nakatago]

I know it, when I was about to gift my Galaxy ace

rooted it and did an upgrade to pseudo V 4 .. problem solved ... but warranty void

actually even the Symbian phones don't delete all info too ...

Flash memory has a limited number of writes it can tolerate before it fails. Deleting stuff actually just changing the state in a memory address from "something" to "nothing." For most purposes, this suffices as from the OS's point of view, all files are deleted. If one really wants a true wipe, you must go deeper. Old phones tend to get passed along and immediately overwritten with the new user's data. For what it's worth, even desktop OSs work this way (what? you think that Windows laptop you passed on doesn't have your old data in the newly-formatted hard drive still?).

If you're really worried about other people getting your data, you either shouldn't be using consumer-grade products (like how the president of the United States can't just use any phone) or you have protocols in place to prevent data retrieval in the first place.

There are tools available that does true data deletion as you might have guessed, Avast is most probably be peddling one.

[ecureilx]

I know it, when I was about to gift my Galaxy ace

rooted it and did an upgrade to pseudo V 4 .. problem solved ... but warranty void

actually even the Symbian phones don't delete all info too ...

Flash memory has a limited number of writes it can tolerate before it fails. Deleting stuff actually just changing the state in a memory address from "something" to "nothing." For most purposes, this suffices as from the OS's point of view, all files are deleted. If one really wants a true wipe, you must go deeper. Old phones tend to get passed along and immediately overwritten with the new user's data. For what it's worth, even desktop OSs work this way (what? you think that Windows laptop you passed on doesn't have your old data in the newly-formatted hard drive still?).

If you're really worried about other people getting your data, you either shouldn't be using consumer-grade products (like how the president of the United States can't just use any phone) or you have protocols in place to prevent data retrieval in the first place.

There are tools available that does true data deletion as you might have guessed, Avast is most probably be peddling one.

or install everything in memory card and remove it if you are giving it away ...

[nakatago]

or install everything in memory card and remove it if you are giving it away ...

* Not all phones come with a card slot
* Not all people even bother thinking about removing their data from a phone

If you're passing your phone to someone you know, you're probably ok.

If you're selling your phone, after a factory reset, install a dummy account, take pictures/install apps until full, factory reset again, repeat if desired.

You can also go to Settings>Security>Encryption>Encrypt Phone. Then do a factory reset.

Or you can buy their software.

[x9200]

If one is paranoid:
-even zeroing doesn't help
-urandom may, if done few times.

On a practical note: nobody will give a damn sh*t about your private data. You are not the most wanted celebrity. Also if one wants to hack it, (s)he will find a way regardless your efforts. Stay below the radar and manage your date accordingly.

[zzm9980]

If one is paranoid:
-even zeroing doesn't help
-urandom may, if done few times.

On a practical note: nobody will give a damn sh*t about your private data. You are not the most wanted celebrity. Also if one wants to hack it, (s)he will find a way regardless your efforts. Stay below the radar and manage your date accordingly.

This is one of the stupidest things I've ever seen you type (and you're generally quite intelligent). No one gives a shit? Maybe the *user* gives a shit. Passwords? Financial data? Nude photos (from the article)? Just personal expectation of privacy?

FWIW iOS's solution to this is offering hardware level encryption. All data is encrypted per application is encrypted if the application developer 'opts in'. Then when the user wants it wiped, iOS simply wipes the key used for decryption. The encrypted data remaining is no more useful than random numbers.

[x9200]

If one is paranoid:
-even zeroing doesn't help
-urandom may, if done few times.

On a practical note: nobody will give a damn sh*t about your private data. You are not the most wanted celebrity. Also if one wants to hack it, (s)he will find a way regardless your efforts. Stay below the radar and manage your date accordingly.

This is one of the stupidest things I've ever seen you type (and you're generally quite intelligent). No one gives a shit? Maybe the *user* gives a shit. Passwords? Financial data? Nude photos (from the article)? Just personal expectation of privacy?

It's not really stupid, just pragmatic:
1) for majority of the users nobody would care to look for such data (leftovers) unless they are still available at the application level. Good that the study showed a potential problem (more real right now as it was advertised) but in reality it was/is extremely unlikely that the next owner was going to make any attempts to recover anything. I bet it is more likely by an order of magnitude that the said devices were lost or stolen with all the data presents in their original condition.

2) no one with a tidbit of common sense store this sort of data in such devices (or he/she takes calculated risk). I think you as a security specialist are more then aware that practically always it is possible to restore the data, factory reset or not. It is just the matter what means are employed. If you chose to store your naked photos on such device you always take a risk. Always.
Also, if you have a PC with sensitive data and you encounter a disc failure with no access to the disc within the warranty period what should you do?

3) Yes, encryption helps but if someone really wants I bet the key can be also recovered, or not? The only true* protection would be to have the key on a separate piece of hardware and have a new one issued with the change of the owner with the old one being physically destroyed.

*true as of the computing power available to check all the possible keys.

[zzm9980]

If one is paranoid:
-even zeroing doesn't help
-urandom may, if done few times.

On a practical note: nobody will give a damn sh*t about your private data. You are not the most wanted celebrity. Also if one wants to hack it, (s)he will find a way regardless your efforts. Stay below the radar and manage your date accordingly.

This is one of the stupidest things I've ever seen you type (and you're generally quite intelligent). No one gives a shit? Maybe the *user* gives a shit. Passwords? Financial data? Nude photos (from the article)? Just personal expectation of privacy?

It's not really stupid, just pragmatic:
1) for majority of the users nobody would care to look for such data (leftovers) unless they are still available at the application level. Good that the study showed a potential problem (more real right now as it was advertised) but in reality it was/is extremely unlikely that the next owner was going to make any attempts to recover anything. I bet it is more likely by an order of magnitude that the said devices were lost or stolen with all the data presents in their original condition.

Once a cheap/easy tool is available (There are already a pair of tools I know of, and have for a while) to do this, lots of people will be doing this to old devices. Mobile phone vendors need to consider this.

2) no one with a tidbit of common sense store this sort of data in such devices. I think you as a security specialist are more then aware that practically always it is possible to restore the data, factory reset or not. It is just the matter what means are employed. If you chose to store your naked photos on such device you always take a risk. Always.
Also, if you have a PC with sensitive data and you encounter a disc failure with no access to the disc within the warranty period what should you do?

Email access automatically begets most of this. Many more users access this type of data from phones anyway. Except maybe the nudies lol.

3) Yes, encryption helps but if someone really wants I bet the key can be also recovered, or not? The only true* protection would be to have the key on a separate piece of hardware and have a new one issued with the change of the owner with the old one being physically destroyed.

*true as of the computing power available to check all the possible keys.

Every iPhone since iPhone4 has had dedicated crypto storage specifically for this purpose. It's easy for Apple since they own the hardware and software stack. Other phone makers should do the same. It's harder for them.

[zzm9980]

You can encrypt the device and Android will do something similar. I'm hoping it zero's out the key. Note sure though:

http://arstechnica.com/gadgets/2014/07/ ... warranted/

[x9200]

This is one of the stupidest things I've ever seen you type (and you're generally quite intelligent). No one gives a shit? Maybe the *user* gives a shit. Passwords? Financial data? Nude photos (from the article)? Just personal expectation of privacy?

It's not really stupid, just pragmatic:
1) for majority of the users nobody would care to look for such data (leftovers) unless they are still available at the application level. Good that the study showed a potential problem (more real right now as it was advertised) but in reality it was/is extremely unlikely that the next owner was going to make any attempts to recover anything. I bet it is more likely by an order of magnitude that the said devices were lost or stolen with all the data presents in their original condition.

Once a cheap/easy tool is available (There are already a pair of tools I know of, and have for a while) to do this, lots of people will be doing this to old devices. Mobile phone vendors need to consider this.

Lots? They will be buying 2nd hand camera phones from ebay and such to check if there are some naked photos inside? C'mon.

2) no one with a tidbit of common sense store this sort of data in such devices. I think you as a security specialist are more then aware that practically always it is possible to restore the data, factory reset or not. It is just the matter what means are employed. If you chose to store your naked photos on such device you always take a risk. Always.
Also, if you have a PC with sensitive data and you encounter a disc failure with no access to the disc within the warranty period what should you do?

Yes, true, but who, an average who, cares to recover such data? You sold your phone, somebody bought it and then, this somebody had to: a) know he could do it; b) make some effort to do this. A 1/10k chance?

Again, why do you think somebody would make an effort (personal, finantial) to buy a phone from an anonymous person hoping to take over her or his e-mail passwords? Just realize what efford this would require, assuming the intentions are criminal.

3) Yes, encryption helps but if someone really wants I bet the key can be also recovered, or not? The only true* protection would be to have the key on a separate piece of hardware and have a new one issued with the change of the owner with the old one being physically destroyed.

*true as of the computing power available to check all the possible keys.

Every iPhone since iPhone4 has had dedicated crypto storage specifically for this purpose. It's easy for Apple since they own the hardware and software stack. Other phone makers should do the same. It's harder for them.

But this is a built in storage and can not be replaced/destroyed by the end user. Or is this some sort of storage that once wiped out is not possible to recover data at all? Somehow I doubt that in this world of permanent invigilation a company would sell a product where the data can not be recovered.

[rajagainstthemachine]

zzm9980 & X9200

I'm open to buying used memory cards from you guys how many naked photos will I find?

[x9200]

The whole point is there is no reason to panic. Nothing is going on more severe that is already going on for many years. It is simply ridiculous if one considers how people handle their sensitive data on their own PCs/Macs/laptops whatever. How many of them wipes their hard drives clean when selling the computers or sending for a service? I mean anything beyond format c: . Tools to recover are everywhere and guess what? Nothing bad happens. Here we have exactly the same situation from the end user accessibility perspective.

Raj, I believe my wife may have some photos of my naked chest and above on her iphone. You have to negotiate with her.

[nakatago]

zzm9980 & X9200

I'm open to buying used memory cards from you guys how many naked photos will I find?

You do NOT WANT to see those.

[rajagainstthemachine]

zzm9980 & X9200

I'm open to buying used memory cards from you guys how many naked photos will I find?

You do NOT WANT to see those.

hey want a used camcorder dude?

@x9200 *steps away from the keyboard slowly*