Using in-built ‘factory reset’ and ‘delete-all’ services on phones with Google’s Android operating system is not enough to cleanse them of personal data, new research has revealed.
Experts found they were able to pull tens of thousands of photos, emails, text messages and more from used phones being on eBay that previous owners had thought they had ‘wiped’ clean.
The findings suggest that mobile owners should be much more thorough if they are planning to sell their phone to prevent their data being accessed.
The study by Avast Software, a Prague-based internet security firm, found they could easily retrieve personal data from smartphones sold online, despite consumers deleting their data.
Aside from 40,000 photos and 250 ‘compromising’ selfies of men, the company was even able to discover the identity of several sellers, and one person’s completed loan application.
The huge multitude of data was recovered from just 20 used smartphones, highlighting just how much data can be retrieved from a small number of used phones.
These were phones where the previous owners had performed a factory reset or a ‘delete all’ operation on their devices with in-built software.
Despite doing this, however, Avast was able to gather vast amounts of data.
Only one phone had third-party security software installed, and it actually gave up the most personal information of all.
In response to the findings, Google said: ‘This research looks to be based on old devices and versions (pre-Android 3.0) and does not reflect the security protections in Android versions that are used by the vast majority of users.
‘If you sell or dispose of your device, we recommend you enable encryption on your device and apply a factory reset beforehand; this has been available on Android for over three years.’
To recover the data Avast used programs called FTK Imager, a disk imaging programme, and SuperSU, an app management programme.
In one example, Avast explains how they recoevered ‘deleted’ messages from a Facebook chat from an HTC Sensation smartphone.
‘The amount of personal data we retrieved from the phones was astounding,’ said Jude McColgan, President of Mobile at Avast.
‘We found everything from a filled-out loan form to more than 250 selfies of what appear to be the previous owner’s manhood.
‘We purchased a variety of Android devices from sellers across the U.S. and used readily available recovery software to dig up personal information that was previously on the phones.
‘The take-away is that even deleted data on your used phone can be recovered unless you completely overwrite it.’
‘Images, emails, and other documents deleted from phones can be exploited for identity theft, blackmail, or for even stalking purposes.
‘Selling your used phone is a good way to make a little extra money, but it’s potentially a bad way to protect your privacy.’
HOW TO COMPLETELY WIPE YOUR ANDROID DEVICE
1. CNet recommends that you encrypt your device before wiping it, which can be done in the ‘Security’ section of the ‘Settings’ menu.
2. Next you’ll want to perform a factory reset, which is done in the ‘Backup & reset’ section of the Settings menu.
3. For added protection you then need to load your phone with ‘dummy’ data, such as stock photos and video, so people can’t steal your identity.
4. Now perform another factory reset, erasing the dummy data. Repeat this three times or more to be as secure as possible.
5. Your data is not only now buried beneath dummy content, but if someone does get that far into your phone they’ll find it is encrypted as well.
