May 28, 2015
Android Flaw Puts Sensitive Info on 500 Million Smartphones at Risk
Cambridge University researchers have revealed a flaw in the Android phone factory reset that has put the sensitive information found on an estimated 500 million smartphones at risk.
According to a report titled "Security Analysis of Android Factory Resets," the factory reset on Android devices running older software does not completely wipe the device's data. This weakness allowed the researchers to recover sensitive information from wiped devices, including Facebook and Google login credentials, text messages, emails, contact information and more. Even more alarming, this data could be accessed even when the user had turned on full-disk encryption.
The researchers tested the factory reset on 21 Android smartphones from five manufacturers running Android 2.3.x to 4.3. Every phone tested retained fragments of old data, including contacts stored on the phone and in third-party apps such as Facebook, pictures and video from the camera, and conversations from SMS and e-mail apps. The researchers were also able to extract the master token on 80 percent of the devices, which gives access to extremely sensitive data.
The findings are disturbing for users who want to sell or otherwise get rid of old Android devices. Cybercriminals who know about the weakness could easily buy the phones on sites such as eBay, and restore wiped data in hopes of recovering financial and other potentially valuable information.
Corporate devices linked to systems storing sensitive corporate information will have the most to lose if these devices fall into the wrong hands.
How can you protect an old device?
If you plan to resell or discard your device, turn on full-disk encryption (Settings > Security > Encrypt Phone, available on any Android version since 3.0) and then perform a factory reset.
Because attackers can use brute force to break simple disk-encryption passwords, set a randomly generated password of at least 11 characters that includes numbers, letters and symbols. Random password-generating tools are available in the Google Play store.
Consider a secure wipe as well; apps for secure deletion, such as iShredder, are available.
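To show why encrypting before the reset matters, here is an added example (not code from the article or the Cambridge report) that models a flash chip whose reset discards the file-system metadata and key but leaves block contents in place; the block model, the HMAC-based toy keystream and the sample token string are all constructed for illustration. Without encryption the plaintext is still in the raw image; with encryption only ciphertext remains, so the residual risk rests on the strength of the password that protects the key.

```python
import hashlib, hmac, secrets

BLOCK = 16                                              # constructed toy block size
SECRET = b"google-master-token=EXAMPLE-NOT-A-REAL-TOKEN"  # constructed sample value

def keystream(key: bytes, block_no: int, n: int) -> bytes:
    """Per-block keystream from HMAC-SHA256 in counter mode: a toy stand-in for the real FDE cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        msg = block_no.to_bytes(8, "big") + ctr.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        ctr += 1
    return out[:n]

class Flash:
    """In-memory flash model: data blocks plus a free list. key=None means full-disk encryption is off."""
    def __init__(self, nblocks=64, key=None):
        self.blocks = [bytes(BLOCK)] * nblocks
        self.free = set(range(nblocks))
        self.key = key

    def write(self, data: bytes) -> None:
        for i in range(0, len(data), BLOCK):
            chunk = data[i:i + BLOCK].ljust(BLOCK, b"\0")
            b = min(self.free)                          # allocate the lowest free block
            self.free.remove(b)
            if self.key:                                # encrypt in place when FDE is on
                chunk = bytes(x ^ y for x, y in zip(chunk, keystream(self.key, b, BLOCK)))
            self.blocks[b] = chunk

    def flawed_factory_reset(self) -> None:
        """Models the reported flaw: metadata and key are discarded, block contents are left in place."""
        self.free = set(range(len(self.blocks)))
        self.key = None

    def raw_image(self) -> bytes:
        """What a raw dump of the chip still contains after the reset."""
        return b"".join(self.blocks)

def plaintext_remains(flash: Flash, needle: bytes = SECRET) -> bool:
    """Defender-side check: does the raw image still carry the plaintext needle?"""
    return needle in flash.raw_image()

def remnant_after_reset(encrypted: bool) -> bool:
    """Write the secret, run the flawed reset, and report whether the plaintext survived."""
    flash = Flash(key=secrets.token_bytes(32) if encrypted else None)
    flash.write(b"prefs v1\n" + SECRET + b"\n")
    flash.flawed_factory_reset()
    return plaintext_remains(flash)   # True without FDE, False with FDE
```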
For more information on mobile device risks in the enterprise, read Mobile Device Security in the Workplace: 6 Key Risks and Challenges.