Researchers in Cambridge University have discovered that an estimated 500 to 630 million Android phones could leave critical data in phone storage after a factory reset have been applied.
The group of researchers tested 21 second hand Android phones that have already undergone factory reset and running on Android 2.3 to 4.3 from five different manufacturers.
At the end of the test the group of researchers in their report titled Security Analysis of Android Factory Resets claim they where able to recover some data, which were supposed to have been wiped by factory reset, in each of the phones tested.
Data recovered includes user contacts, images, videos, as well as conversations from messaging, SMS and email apps.
Even more worrying is the claim by the researchers that they were able to recover the master token, which Android uses to sync Google user data, in 80% of the Android phones tested.
This means that a hacker who recovers this master token can potentially use it to re-sync phone to the original owner’s email, contacts, etc. Tokens for other Apps like Facebook can also be recovered in similar way.
According to the researchers there are a number of reasons why this vulnerability exist. The first is that flash drives are inherently difficult to completely erase.
But, the major reason is that in some cases the manufacturer failed to load the Android phone with the drivers required for completely wiping data from the internal storage and SD cards.
This is a big headache for Android users and businesses who are planning to sell or give out their old phones, as factory reset was supposed to be a secure way to wipe data from the phone prior to getting rid of it.
This issue is even worse for users whose Android phone were stolen and hoping to use remote wipe to securely remove sensitive data from their phone
The Issue May be Worse
Note however, that because the research focused only on Android 2.3 to 4.3, this issue may well be present in Android 4.4 and beyond. It is also possible that other operating systems may have similar issues.
To be safe for now, change the password of your old Android phones you want to sell or giveaway to a more complicated one, before applying a factory reset.