Slashdot Mirror
Want To Ensure Your Personal Android Data Is Truly Wiped? Turn On Encryption
MojoKid writes We've been around the block enough times to know that outside of shredding a storage medium, all data is recoverable. It's just matter of time, money, and effort. However, it was still sobering to find out exactly how much data security firm Avast was able to recover from Android devices it purchased from eBay, which included everything from naked selfies to even a completed loan application. Does this mean we shouldn't ever sell the old handset? Luckily, the answer is no. Avast's self-serving study was to promote its Anti-Theft app available on Google Play. The free app comes with a wipe feature that overwrites all files, thereby making them invisible to casual recovery methods. That's one approach. There's another solution that's incredibly easy and doesn't require downloading and installing anything. Before you sell your Android phone on eBay, Craigslist, or wherever, enable encryption and wait for it to encrypt the on board storage. After that, perform a wipe and reset as normal, which will obliterate the encryption key and ensure the data on your device can't be read. This may not work on certain devices, which will ask you to decrypt data before wiping but most should follow this convention just fine.
Is the a public booth around here ? -- Richard Stallman
What is not addressed is whether or not this wipes the free space as well. Recovering deleted files is easy, and if the encryption doesn't fill the device then encrypt then this trick can leave some stuff behind.
Followup, not dupe. The post you referenced is also referenced in the summary.
viola
I do not think this word means what you think it means.
It's just too bad that it makes your android device run like complete sh!t.
I'd nuke it from orbit...
I'm under the impression that turning on encryption works by file-by-file basis, not full-disk encryption, and as such it might still be possible to find at least some old files there if the locations haven't been overwritten by new data. If it indeed works as I have the impression of then turning encryption on is still possibly inadequate a safety method.
It's well established that plenty of consumers discard or donate hard disks without taking any precautions, and are playing roulette with their identity. It's also well established that hundreds of millions of tons of this equipment is replaced, resold, stolen or discarded, and most people who wind up with the secondary device lack either the time, money, or effort to scavenge data off the phone. If in fact someone is in the identity theft business by buying phones on ebay, they'd profile themselves pretty well after a dozen phone purchases (what do these data-theft-victims have in common?). And who knows how many phones they'd have to buy which had been wiped in some way (and required more time, money and effort)?
This isn't a bad article in that it birddogs simple things you can do before selling your used phone, and if it elevates the perception of risk in order to get people to do something easy, that's appropriate. But in response to people who are shooting and burning their devices to be "100% sure" that no one spends the time, money and effort to follow them... that's appropriate if you are a high risk target. If you have stuff on your phone of interest to the FBI or KGB, the amount of time+money+effort may be less than or = the amount of risk. Your call.
But there is a lot of hyperbole out there about the percentage of identity theft which is traced to secondary market devices, and the billions of dollars in secondary market sales on sites like ebay represent time+money+effort interest in new product makers to spend fanning flames. Again it's appropriate that the article raises concerns and then points to simple efforts a consumer can take to increase the barrier-to-entry to their personal data. But the army of ebay buyers getting their porn fixes by buying and then de-encrypting cell phones to retrieve ugly selfies seems exaggerated. Warn people about sharks if they are swimming in shark infested waters, don't tell people that most swimmers will be attacked by sharks.
Tear your mail in 8 pieces and someone could dig it out of the trash and tape it together, but the time+money+effort that represents is significant. I remember people selling paper shredding equipment in the 1990s who described armies of Iranian students or Chinese peasants who could be buying torn paper and taping it back together. If they know it's the President of the USA's mail, they no doubt will expend that time+money+effort... Presidents should assume they are swimming in a shark tank. For most of us, ebay resales are a swimming pool, and warnings of shark attacks get tiresome.
Gently reply
Last time I checked the standard Android encryption will not do the sdcard partition (I mean not the physical card, but the partition on the internal flash, usually the biggest chunk of it, like let's say 11 out of 16GB). YES, some manufacturers like Samsung and Motorola (possibly many more) have their own solution (I bet a really crappy one but never mind that) and it would do mostly everything, including the big sdcard partition and (if needed) even the physical sdcard.
Anyway bottom line is that:
a. depending on the phone you might not be able to encrypt at all /sdcard
b. ANY activity, including storing random (non-private) crap on the phone and then removing it helps. However, this is no maggic bullet.
How many times does it overwrite the files?
Troll is not a replacement for I disagree.
This.
What is the value of a used device? Compare that to the risk of the data on that device going to a malevolent third party.
I've had people saying "oh, look at all these hard drives, you should totally sell them on ebay and I bet you could get $10 apiece for them!" Adding up the time I would waste running DBAN or sdelete or whatever, and keeping track of which ones have been wiped, and double checking to make sure everything is really gone, it's not worth the time.
A big hammer and a punch, driven deeply through the thin aluminum cover and down the platter area, takes about a second and leaves nothing anybody would bother trying to recover. You can quickly look at a drive and say "yes, this drive has been taken care of", or "hey, there's no jagged hole here, this drive isn't destroyed." The aluminum cover contains the shards if the platters are glass. I don't care who handles them after destruction. There's no worries about toxic smoke. And if you have to inventory them before shipping them to a recycler, the serial numbers are still readable.
Smashing a phone wouldn't destroy the data on the chips, so a fire is a somewhat safer option.
John
Data cannot be destroyed, that is a fundamental axiom of physics. Someone might read your data based on the smoke your chimney emits.
Troll is not a replacement for I disagree.
Any marginal blocks mapped out before you encrypt will remain unencrypted and may be available to a determined attacker. Same goes for hard drives, and SATA secure erase is not provably trustworthy. Always encrypt your storage before you put any data on it. If you do not trust your hardware AES to not be backdoored then use software crypto.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
The "special values" were from Guttmann's paper on wiping MFM/RLL drives. It is pointless on any modern magnetic drive or solid state memory. He points out in his newer paper on solid-state memories that multi-level flash (now used everywhere other than the most performance critical applications) is particularly hard to recover data from. Furthermore, the wear-leveling strategies used in flash mass storage devices negates any attempt to securely wipe them short of physical destruction. You're just practicing cult cargo voodoo.
I am becoming gerund, destroyer of verbs.
and use up all free space. repeat again. Assumes you are saving things to internal "sdcard" and not the external.
>Furthermore, the wear-leveling strategies used in flash mass storage devices negates any attempt to securely wipe them short of physical destruction.
Well, it confounds it at any rate. But completely filling the device's memory 33 times in a row is pretty likely to overwrite everything at least once or twice - even the hidden "failure reserve" space if it's included in the wear leveling (and if it's not, then it doesn't yet hold any sensitive data, so there's no problem). Guttmann's values may be irrelevant to today's storage media, but that many repeated rewrites of anything still mostly does the job.
I don't know that I'd trust it to wipe vital military secrets, but it should do a good enough job for most anything in the civilian realm.
--- Most topics have many sides worth arguing, allow me to take one opposite you.
This is not required.
https://security.web.cern.ch/s... is relevant.
This actually investigates the physics behind overwriting - in short - once is quite enough today.
There are concerns about reallocated space on hard disks - but 99.99% of the data has gone
away, and recovering the rest is at best expensive.
In iOS, when the factory reset is performed the key is removed so when the phone is reset and tied to a new account a new key is generated which is unable to access the old content. I'd rather the content was erased first, just in case some exploit is uncovered that can get at that key, but it's better than what Android has.
To expect an Android user to know that they must first encrypt the phone then do a factory reset if they want their data actually erased is absurd. Does Google not share the same view as the public on what the phrase "factory reset" actually means?
This (along with the all or nothing approach to app permissions) is something Google's PHDs really need to sort out.
Avantslash - View Slashdot cleanly on your mobile phone.
course, there is the risk of physical damage to your hand using your data destruction method...
Sleep your way to a whiter smile...date a dentist!
The use of full encryption and wiping the key was commented on many times in the article http://yro.slashdot.org/story/... quoted in this piece. Even the original story was an advert for avast's app. Does this really now deserve a separate article?
Well, it confounds it at any rate. But completely filling the device's memory 33 times in a row is pretty likely to overwrite everything at least once or twice - even the hidden "failure reserve" space if it's included in the wear leveling (and if it's not, then it doesn't yet hold any sensitive data, so there's no problem). Guttmann's values may be irrelevant to today's storage media, but that many repeated rewrites of anything still mostly does the job.
If you were an engineer in charge of destroying data printed on paper, and you decided on shred then burn then stir the ashes in water, how many times would you repeat the cycle in order to be sure the data was destroyed? Hint: if your recommendation is greater than one (in order to be pretty sure), check your job title, because you're probably Dilbert's pointy-haired boss.
Drives today work almost nothing like the drives of 20 years ago. They don't paint bit-bit-bit in a stripe, they encode a set of bits in every pulse of the write head. Alter it a tiny fraction, and it becomes a completely different set of bits, one that error correction won't be able to overcome.
Old disks were recoverable because the mechanisms weren't precise, and the data was written with big chunky magnets to assure it was readable. All that slop has been engineered out on order to achieve today's remarkable areal densities. One overwrite is all it takes - as long as you're overwriting it all.
John
Not quite - modern magnetic drives still have tracks wider than the read-write head so that atomic-level alignment isn't necessary. There may be far less "overwrite" than there once was, but if a newly recorded track is not *perfectly* aligned with the last recording then there may well be several percent of the previously recorded track that remains unaltered (consider the worst case scenario case that the previous recording in this track was written at the smallest radius allowed by actuator tolerances, while this pass is at the maximum radius allowed). Now, recovering that data will probably require removing the platters and analyzing them with much higher resolution read heads, but it can be done.
I was more addressing the problems with flash though - in order to disguise degradation modern flash drives typically include more capacity than is addressable by the host system. Fill it to the brim so there are zero bytes free, and there's still several percent of the total drive capacity that is sitting unused in the reserve pool. The only way to overwrite that (barring a OS-accessible "secure wipe" command implemented on the drive) is to generate sufficient churn that the internal wear leveling algorithms cycle through every byte of the reserve capacity at least once. And since you probably don't know the exact algorithm used or wear levels of the drive to begin with, more is better - after all you have to tease out the most heavily used page currently sitting in the reserve.
--- Most topics have many sides worth arguing, allow me to take one opposite you.
Whenever we take hard drives out of service we run a secure wipe if we are able to so they can be handed down.
There seem to be a few utilities in the app store to securely wipe storage however would have been really nice if this was an option user is presented with when wiping their device.
I personally wouldn't store anything worth protecting on a mobile phone (including device encryption keys) I don't trust myself not to screw it up... any passible security measure (linked to device key chain) would be way too cumbersome and annoying to have to constantly deal with at unlock screen.
More importantly I simply don't trust android. Why is the keychain used to store VPN credentials yet email, accounts, browsers, etc all store passwords in the clear when facility to punt responsibility to keychain is right there? Seems to be either incompetence or intentional action either way result is the same -- I don't trust android for anything.
Tell you what mate, good luck with your punch and hammer technique.
I very regularly need to physically destroy hard disks, and depending on the vendor, it's actually rather tough - especially 15K SCSI jobbies which, due to the rotational speed require very sturdy housings.
Couple of weeks ago I had to wreck 3 dozen old worthless drives - even with running water to keep the bit cool, I still went through 4 tungsten bits.
As far as I know, the hardware is no different than a standard platter drive and since most phones can be mounted to and read/written from a normal PC, I really see no reason why you couldn't use a secure rewrite with something like CCleaner or even use killdisk if you want to WIPE the phone. Don't quote me on it, because I've never tried myself on a phone but I would think it is fine.
Most people who say to "destroy" the drive are just being overly cautious. For anything that does multiple overwrites on all drive sectors you should be fine for the most part. Technically yes the only way to guarantee the drive is unreadable is destruction, but for an individual that is normally over the top (says this as I've destroyed a few old drives myself...).
"all data is recoverable"
Wanna bet? -- Lois Lerner
or "see here"
What is the value of a used device? Compare that to the risk of the data on that device going to a malevolent third party.
That depends on the device. The fact that you liken them to a $10 harddisk is a problem for your argument. A Galaxy S4 fetches some $300 used on ebay. A Galaxy S4 with a broken screen is still fetching some $150+
That's the value of a used device. Now take $300 in your hand right now, hold a lighter under it and ask yourself, would you light it up right now to maybe protect the data on your phone from the slight chance that someone wants the phone for your secrets rather than as a replacement for the one they dropped in the toilet? I wouldn't. I don't routinely burn money for slight maybe chances.
That said I don't have naked selfies on my phone either, or loan applications, and if I did they're on my external SD card which would not be going with the phone.
I have a better idea, just send me the $300, less waste that way.
You don't know very far then, do you? But yes, a secure rewrite of the full device should wipe the flash to the point where some serious lab equipment is needed to recover anything from the device.
You're using an operating system built by an advertising company and you expect privacy?
There - problem solved. Go ahead and decipher my phone dust.
That would be why I posted that caveat... Obviously it isn't a 3.5'' or a 2.5'' platter drive, those are literally bigger than the phones most of the time, but conceptually it is the same principles for OS data storage and access (probably isn't using magnetic platters, but neither do SSDs and you can do the same things to both).
...if it didn't force me to also use an alphanumeric password on my new phone. It's got a fingerprint scanner. I want to use that to unlock my phone. But that's disabled if I turn on encryption. Same with my new tablet. So no encryption for me on these devices. Both of my previous devices were content with a PIN which is considered as secure as the fingerprint scanner. Seems ridiculous that I can't determine the level of risk I'm comfortable with.
The better solution is to use a Windows Phone. You can be sure no one will want to buy that on ebay ;-)
I'd like that ! :)
.177 air rifle ...
Sadly I only have a
Careful when you burn that phone--you might elect a new Pope!
I don't think you considered the depth of the question: what is the risk? Could your device contain credit card information? Could it have your social security numbers? Could it have a way to access your bank account? Your retirement accounts? Your brokerage accounts? A lot of your personal finances could be at risk. Are you wealthy enough to be worth kidnapping, and if so, could the device provide access to your family's panic room, or to your alarm system? What about medical information? Assign dollar values to those (it's certainly nebulous, but you want to end up with some kind of estimate) and add up your overall potential for loss. Now, divide by the likelihood your device will be compromised - you might estimate that tens of millions of devices are recycled each year, and you might figure a hundred thousand are handled by people who would like to steal from them, giving you roughly a 1 in 100 chance of having your device compromised. Would you bet the information above on those odds for $300?
Maybe you don't think you have very much worth stealing. Perhaps you're young, and don't have a retirement account, and not much in the bank, so your financial risk is only $1,000. Maybe you don't see any risk at leaking your health data. And maybe you're supremely confident in your abilities to wipe the flash RAM. Good for you, take the $300 and spend it. For you, it's a solid bet. For those of us with more at risk, it's not such a sure thing; even if I am confident in my skills at wiping these devices, what if I make a mistake?
John
I don't think you considered the depth of the question: what is the risk? Could your device contain credit card information? Could it have your social security numbers? Could it have a way to access your bank account? Your retirement accounts? Your brokerage accounts? A lot of your personal finances could be at risk. Are you wealthy enough to be worth kidnapping, and if so, could the device provide access to your family's panic room, or to your alarm system? What about medical information?
My device *could* also be used as a sex toy, be implicated in the murder of someone by blunt force trauma, or contain state secrets. Why not rephrase the question, rather than asking "could" it contain, ask "does" it contain.
Now, divide by the likelihood your device will be compromised - you might estimate that tens of millions of devices are recycled each year, and you might figure a hundred thousand are handled by people who would like to steal from them, giving you roughly a 1 in 100 chance of having your device compromised. Would you bet the information above on those odds for $300?
Yes, because your hypothetical doomsday scenario doesn't apply to the device. Now lets look at something more realistic. The vast majority of devices will leak personal information. It has my name and address, it has nickname and email accounts. Would I risk a 1 in 100 chance despite how unrealistic the thought that there are 100,000 people out there trawling for used devices for the purpose of theft? Yes I still would because I don't place value on the information on my phone when weighed up against the risk.
Maybe you don't think you have very much worth stealing. Perhaps you're young, and don't have a retirement account, and not much in the bank, so your financial risk is only $1,000. Maybe you don't see any risk at leaking your health data. And maybe you're supremely confident in your abilities to wipe the flash RAM. Good for you, take the $300 and spend it. For you, it's a solid bet. For those of us with more at risk, it's not such a sure thing; even if I am confident in my skills at wiping these devices, what if I make a mistake?
Actually it's far more simple than that. What is highly sensitive information doing on your phone to begin with. And more to the point why did in the TFA they identify photos of the owner's "manhood". I'm no more confident in my ability to wipe my phone than you are, but judging your post I feel far more confident that I don't need to wipe my phone quite as thoroughly as you do.
I'm more questioning what the hell it is you people do with your phones!
What encryption is used? If there's no major flaw in the algorithm that can simplify the breaking by many orders of magnitude, and if compared to what we can break now the thing is 2^64 or 2^128 times harder to break (or some measure worse than that), good luck with that, even in 20 years.
A dirt-cheap, little used phone more secure than Android? that feels like a good idea.
If everyone did the same to all things..
When you pack and move, tear down your house with a jackhammer, sledgehammer etc.
When you divorce, murder your wife.
When your Windows laptop is slow because of malware and lack of RAM, pour gasoline on it and set it on fire.
Broke a windshield, take your car to a junkyard and have it compressed to a very small cube.
After you had dinner, empty your fridge and flush everything you didn't eat in the toilet.