Android's Factory Reset Option Does Not Wipe All Data

Post by the lynx » Wed, 09 Jul 2014 5:21 pm

http://gadgets.ndtv.com/mobiles/news/an ... udy-555500
"Users thought they were doing a clean wipe and factory reinstall," said Jude McColgan, Avast Mobile Division President speaking to CNET, but instead of a clean wipe, the factory reset clears "only at the application layer."
Oh boy...

Post by ecureilx » Wed, 09 Jul 2014 5:47 pm

the lynx wrote:
> http://gadgets.ndtv.com/mobiles/news/an ... udy-555500
> "Users thought they were doing a clean wipe and factory reinstall," said Jude McColgan, Avast Mobile Division President speaking to CNET, but instead of a clean wipe, the factory reset clears "only at the application layer."
> Oh boy...

I know it, when I was about to gift my Galaxy Ace

rooted it and did an upgrade to pseudo V 4 .. problem solved ... but warranty void

actually even the Symbian phones don't delete all info too ...

Post by nakatago » Wed, 09 Jul 2014 6:10 pm

ecureilx wrote:
> I know it, when I was about to gift my Galaxy Ace
>
> rooted it and did an upgrade to pseudo V 4 .. problem solved ... but warranty void
>
> actually even the Symbian phones don't delete all info too ...

Flash memory has a limited number of writes it can tolerate before it fails. Deleting stuff is actually just changing the state in a memory address from "something" to "nothing." For most purposes, this suffices as from the OS's point of view, all files are deleted. If one really wants a true wipe, you must go deeper. Old phones tend to get passed along and immediately overwritten with the new user's data. For what it's worth, even desktop OSs work this way (what? you think that Windows laptop you passed on doesn't have your old data in the newly-formatted hard drive still?).

If you're really worried about other people getting your data, you either shouldn't be using consumer-grade products (like how the president of the United States can't just use any phone) or you have protocols in place to prevent data retrieval in the first place.

There are tools available that do true data deletion; as you might have guessed, Avast is most probably peddling one.
"A quokka is what would happen if there was an anime about kangaroos."

Post by ecureilx » Wed, 09 Jul 2014 6:28 pm

nakatago wrote:
> ecureilx wrote:
> > I know it, when I was about to gift my Galaxy Ace
> >
> > rooted it and did an upgrade to pseudo V 4 .. problem solved ... but warranty void
> >
> > actually even the Symbian phones don't delete all info too ...
>
> Flash memory has a limited number of writes it can tolerate before it fails. Deleting stuff is actually just changing the state in a memory address from "something" to "nothing." For most purposes, this suffices as from the OS's point of view, all files are deleted. If one really wants a true wipe, you must go deeper. Old phones tend to get passed along and immediately overwritten with the new user's data. For what it's worth, even desktop OSs work this way (what? you think that Windows laptop you passed on doesn't have your old data in the newly-formatted hard drive still?).
>
> If you're really worried about other people getting your data, you either shouldn't be using consumer-grade products (like how the president of the United States can't just use any phone) or you have protocols in place to prevent data retrieval in the first place.
>
> There are tools available that do true data deletion; as you might have guessed, Avast is most probably peddling one.

or install everything in memory card and remove it if you are giving it away ...

Post by nakatago » Wed, 09 Jul 2014 6:34 pm

ecureilx wrote:
> or install everything in memory card and remove it if you are giving it away ...

* Not all phones come with a card slot
* Not all people even bother thinking about removing their data from a phone

If you're passing your phone to someone you know, you're probably ok.

If you're selling your phone, after a factory reset, install a dummy account, take pictures/install apps until full, factory reset again, repeat if desired.

You can also go to Settings>Security>Encryption>Encrypt Phone. Then do a factory reset.

Or you can buy their software.
"A quokka is what would happen if there was an anime about kangaroos."

Post by x9200 » Wed, 09 Jul 2014 8:14 pm

If one is paranoid:
-even zeroing doesn't help
-urandom may, if done a few times.

On a practical note: nobody will give a damn sh*t about your private data. You are not the most wanted celebrity. Also if one wants to hack it, (s)he will find a way regardless of your efforts. Stay below the radar and manage your data accordingly.

Post by zzm9980 » Thu, 10 Jul 2014 3:33 am

x9200 wrote:
> If one is paranoid:
> -even zeroing doesn't help
> -urandom may, if done a few times.
>
> On a practical note: nobody will give a damn sh*t about your private data. You are not the most wanted celebrity. Also if one wants to hack it, (s)he will find a way regardless of your efforts. Stay below the radar and manage your data accordingly.

This is one of the stupidest things I've ever seen you type (and you're generally quite intelligent). No one gives a shit? Maybe the *user* gives a shit. Passwords? Financial data? Nude photos (from the article)? Just personal expectation of privacy?

FWIW iOS's solution to this is offering hardware level encryption. All data is encrypted per application if the application developer 'opts in'. Then when the user wants it wiped, iOS simply wipes the key used for decryption. The encrypted data remaining is no more useful than random numbers.
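
Added example (not part of any post in this thread): a small Python model of the two points made above, that a reset which only forgets the files leaves the bytes in the cells, and that wiping the key leaves ciphertext nobody can read. `Flash`, `keystream_xor`, `residue_after_reset` and the sample secret are constructed for illustration; the HMAC-SHA256 keystream is a stand-in for a phone's AES engine, and the model has no wear levelling or spare blocks.

```python
import hashlib
import hmac
import os

def keystream_xor(key: bytes, nonce: int, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode); stands in for real AES."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ctr = nonce.to_bytes(8, "big") + i.to_bytes(8, "big")
        pad = hmac.new(key, ctr, hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

class Flash:
    """Constructed model of phone storage: raw cells plus a file table."""

    def __init__(self, size: int, encrypted: bool):
        self.raw = bytearray(size)
        self.table = {}                 # name -> (offset, length)
        self.next_free = 0
        self.key = os.urandom(32) if encrypted else None

    def write(self, name: str, data: bytes) -> None:
        off = self.next_free
        if off + len(data) > len(self.raw):
            raise ValueError("storage full")
        # The storage offset is the nonce, so no two files share keystream.
        blob = keystream_xor(self.key, off, data) if self.key else data
        self.raw[off:off + len(blob)] = blob
        self.table[name] = (off, len(blob))
        self.next_free = off + len(blob)

    def read(self, name: str) -> bytes:
        off, n = self.table[name]
        blob = bytes(self.raw[off:off + n])
        return keystream_xor(self.key, off, blob) if self.key else blob

    def factory_reset(self) -> None:
        """Forget the files but leave the cells alone; an encrypted device also replaces its key."""
        self.table.clear()
        self.next_free = 0
        if self.key:
            self.key = os.urandom(32)   # the old key is gone for good

SECRET = b"constructed sample: banking PIN 0000"
def residue_after_reset(encrypted: bool, fill: bool = False) -> bool:
    """Return True if SECRET can still be found in the raw cells after a reset."""
    phone = Flash(256, encrypted)
    phone.write("notes.txt", SECRET)
    phone.factory_reset()
    if fill:                            # "take pictures/install apps until full"
        phone.write("filler.bin", os.urandom(len(phone.raw)))
    return SECRET in bytes(phone.raw)

if __name__ == "__main__":
    print([residue_after_reset(e, f) for e, f in [(False, False), (False, True), (True, False)]])
```

The three cases are: plain reset on an unencrypted device, reset followed by filling the storage, and reset on an encrypted device.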

Post by x9200 » Thu, 10 Jul 2014 7:17 am

zzm9980 wrote:
> x9200 wrote:
> > If one is paranoid:
> > -even zeroing doesn't help
> > -urandom may, if done a few times.
> >
> > On a practical note: nobody will give a damn sh*t about your private data. You are not the most wanted celebrity. Also if one wants to hack it, (s)he will find a way regardless of your efforts. Stay below the radar and manage your data accordingly.
>
> This is one of the stupidest things I've ever seen you type (and you're generally quite intelligent). No one gives a shit? Maybe the *user* gives a shit. Passwords? Financial data? Nude photos (from the article)? Just personal expectation of privacy?

It's not really stupid, just pragmatic:
1) for the majority of the users nobody would care to look for such data (leftovers) unless they are still available at the application level. Good that the study showed a potential problem (more real right now as it was advertised) but in reality it was/is extremely unlikely that the next owner was going to make any attempts to recover anything. I bet it is more likely by an order of magnitude that the said devices were lost or stolen with all the data present in their original condition.

2) no one with a tidbit of common sense stores this sort of data in such devices (or he/she takes calculated risk). I think you as a security specialist are more than aware that practically always it is possible to restore the data, factory reset or not. It is just a matter of what means are employed. If you choose to store your naked photos on such device you always take a risk. Always.
Also, if you have a PC with sensitive data and you encounter a disc failure with no access to the disc within the warranty period what should you do?

3) Yes, encryption helps but if someone really wants I bet the key can be also recovered, or not? The only true* protection would be to have the key on a separate piece of hardware and have a new one issued with the change of the owner with the old one being physically destroyed.

*true as of the computing power available to check all the possible keys.

Post by zzm9980 » Thu, 10 Jul 2014 7:36 am

x9200 wrote:
> zzm9980 wrote:
> > x9200 wrote:
> > > If one is paranoid:
> > > -even zeroing doesn't help
> > > -urandom may, if done a few times.
> > >
> > > On a practical note: nobody will give a damn sh*t about your private data. You are not the most wanted celebrity. Also if one wants to hack it, (s)he will find a way regardless of your efforts. Stay below the radar and manage your data accordingly.
> >
> > This is one of the stupidest things I've ever seen you type (and you're generally quite intelligent). No one gives a shit? Maybe the *user* gives a shit. Passwords? Financial data? Nude photos (from the article)? Just personal expectation of privacy?
>
> It's not really stupid, just pragmatic:
> 1) for the majority of the users nobody would care to look for such data (leftovers) unless they are still available at the application level. Good that the study showed a potential problem (more real right now as it was advertised) but in reality it was/is extremely unlikely that the next owner was going to make any attempts to recover anything. I bet it is more likely by an order of magnitude that the said devices were lost or stolen with all the data present in their original condition.

Once a cheap/easy tool is available (There are already a pair of tools I know of, and have for a while) to do this, lots of people will be doing this to old devices. Mobile phone vendors need to consider this.

> 2) no one with a tidbit of common sense stores this sort of data in such devices. I think you as a security specialist are more than aware that practically always it is possible to restore the data, factory reset or not. It is just a matter of what means are employed. If you choose to store your naked photos on such device you always take a risk. Always.
> Also, if you have a PC with sensitive data and you encounter a disc failure with no access to the disc within the warranty period what should you do?

Email access automatically begets most of this. Many more users access this type of data from phones anyway. Except maybe the nudies lol.

> 3) Yes, encryption helps but if someone really wants I bet the key can be also recovered, or not? The only true* protection would be to have the key on a separate piece of hardware and have a new one issued with the change of the owner with the old one being physically destroyed.
>
> *true as of the computing power available to check all the possible keys.

Every iPhone since iPhone4 has had dedicated crypto storage specifically for this purpose. It's easy for Apple since they own the hardware and software stack. Other phone makers should do the same. It's harder for them.

Post by zzm9980 » Thu, 10 Jul 2014 7:38 am

You can encrypt the device and Android will do something similar. I'm hoping it zeroes out the key. Not sure though:

http://arstechnica.com/gadgets/2014/07/ ... warranted/

Post by x9200 » Thu, 10 Jul 2014 8:46 am

zzm9980 wrote:
> x9200 wrote:
> > zzm9980 wrote:
> > > This is one of the stupidest things I've ever seen you type (and you're generally quite intelligent). No one gives a shit? Maybe the *user* gives a shit. Passwords? Financial data? Nude photos (from the article)? Just personal expectation of privacy?
> >
> > It's not really stupid, just pragmatic:
> > 1) for the majority of the users nobody would care to look for such data (leftovers) unless they are still available at the application level. Good that the study showed a potential problem (more real right now as it was advertised) but in reality it was/is extremely unlikely that the next owner was going to make any attempts to recover anything. I bet it is more likely by an order of magnitude that the said devices were lost or stolen with all the data present in their original condition.
>
> Once a cheap/easy tool is available (There are already a pair of tools I know of, and have for a while) to do this, lots of people will be doing this to old devices. Mobile phone vendors need to consider this.

Lots? They will be buying 2nd hand camera phones from ebay and such to check if there are some naked photos inside? C'mon.

> > 2) no one with a tidbit of common sense stores this sort of data in such devices. I think you as a security specialist are more than aware that practically always it is possible to restore the data, factory reset or not. It is just a matter of what means are employed. If you choose to store your naked photos on such device you always take a risk. Always.
> > Also, if you have a PC with sensitive data and you encounter a disc failure with no access to the disc within the warranty period what should you do?

Yes, true, but who, an average who, cares to recover such data? You sold your phone, somebody bought it and then, this somebody had to: a) know he could do it; b) make some effort to do this. A 1/10k chance?

Again, why do you think somebody would make an effort (personal, financial) to buy a phone from an anonymous person hoping to take over her or his e-mail passwords? Just realize what effort this would require, assuming the intentions are criminal.

> > 3) Yes, encryption helps but if someone really wants I bet the key can be also recovered, or not? The only true* protection would be to have the key on a separate piece of hardware and have a new one issued with the change of the owner with the old one being physically destroyed.
> >
> > *true as of the computing power available to check all the possible keys.
>
> Every iPhone since iPhone4 has had dedicated crypto storage specifically for this purpose. It's easy for Apple since they own the hardware and software stack. Other phone makers should do the same. It's harder for them.

But this is a built in storage and can not be replaced/destroyed by the end user. Or is this some sort of storage that once wiped out is not possible to recover data at all? Somehow I doubt that in this world of permanent invigilation a company would sell a product where the data can not be recovered.

Post by rajagainstthemachine » Thu, 10 Jul 2014 8:50 am

zzm9980 & X9200

I'm open to buying used memory cards from you guys :cool: how many naked photos will I find?
To get there early is on time and showing up on time is late

Post by x9200 » Thu, 10 Jul 2014 9:53 am

The whole point is there is no reason to panic. Nothing is going on more severe than is already going on for many years. It is simply ridiculous if one considers how people handle their sensitive data on their own PCs/Macs/laptops whatever. How many of them wipe their hard drives clean when selling the computers or sending for a service? I mean anything beyond format c: . Tools to recover are everywhere and guess what? Nothing bad happens. Here we have exactly the same situation from the end user accessibility perspective.

Raj, I believe my wife may have some photos of my naked chest and above on her iphone. You have to negotiate with her.

Post by nakatago » Thu, 10 Jul 2014 9:58 am

rajagainstthemachine wrote:
> zzm9980 & X9200
>
> I'm open to buying used memory cards from you guys :cool: how many naked photos will I find?

You do NOT WANT to see those.
"A quokka is what would happen if there was an anime about kangaroos."

Post by rajagainstthemachine » Thu, 10 Jul 2014 12:05 pm

nakatago wrote:
> rajagainstthemachine wrote:
> > zzm9980 & X9200
> >
> > I'm open to buying used memory cards from you guys :cool: how many naked photos will I find?
>
> You do NOT WANT to see those.

hey want a used camcorder dude?

@x9200 *steps away from the keyboard slowly*
To get there early is on time and showing up on time is late
