Slashdot Mirror
Want To Ensure Your Personal Android Data Is Truly Wiped? Turn On Encryption
MojoKid writes We've been around the block enough times to know that outside of shredding a storage medium, all data is recoverable. It's just matter of time, money, and effort. However, it was still sobering to find out exactly how much data security firm Avast was able to recover from Android devices it purchased from eBay, which included everything from naked selfies to even a completed loan application. Does this mean we shouldn't ever sell the old handset? Luckily, the answer is no. Avast's self-serving study was to promote its Anti-Theft app available on Google Play. The free app comes with a wipe feature that overwrites all files, thereby making them invisible to casual recovery methods. That's one approach. There's another solution that's incredibly easy and doesn't require downloading and installing anything. Before you sell your Android phone on eBay, Craigslist, or wherever, enable encryption and wait for it to encrypt the on board storage. After that, perform a wipe and reset as normal, which will obliterate the encryption key and ensure the data on your device can't be read. This may not work on certain devices, which will ask you to decrypt data before wiping but most should follow this convention just fine.
What is not addressed is whether or not this wipes the free space as well. Recovering deleted files is easy, and if the encryption doesn't fill the device then encrypt then this trick can leave some stuff behind.
Followup, not dupe. The post you referenced is also referenced in the summary.
I'm under the impression that turning on encryption works by file-by-file basis, not full-disk encryption, and as such it might still be possible to find at least some old files there if the locations haven't been overwritten by new data. If it indeed works as I have the impression of then turning encryption on is still possibly inadequate a safety method.
It's well established that plenty of consumers discard or donate hard disks without taking any precautions, and are playing roulette with their identity. It's also well established that hundreds of millions of tons of this equipment is replaced, resold, stolen or discarded, and most people who wind up with the secondary device lack either the time, money, or effort to scavenge data off the phone. If in fact someone is in the identity theft business by buying phones on ebay, they'd profile themselves pretty well after a dozen phone purchases (what do these data-theft-victims have in common?). And who knows how many phones they'd have to buy which had been wiped in some way (and required more time, money and effort)?
This isn't a bad article in that it birddogs simple things you can do before selling your used phone, and if it elevates the perception of risk in order to get people to do something easy, that's appropriate. But in response to people who are shooting and burning their devices to be "100% sure" that no one spends the time, money and effort to follow them... that's appropriate if you are a high risk target. If you have stuff on your phone of interest to the FBI or KGB, the amount of time+money+effort may be less than or = the amount of risk. Your call.
But there is a lot of hyperbole out there about the percentage of identity theft which is traced to secondary market devices, and the billions of dollars in secondary market sales on sites like ebay represent time+money+effort interest in new product makers to spend fanning flames. Again it's appropriate that the article raises concerns and then points to simple efforts a consumer can take to increase the barrier-to-entry to their personal data. But the army of ebay buyers getting their porn fixes by buying and then de-encrypting cell phones to retrieve ugly selfies seems exaggerated. Warn people about sharks if they are swimming in shark infested waters, don't tell people that most swimmers will be attacked by sharks.
Tear your mail in 8 pieces and someone could dig it out of the trash and tape it together, but the time+money+effort that represents is significant. I remember people selling paper shredding equipment in the 1990s who described armies of Iranian students or Chinese peasants who could be buying torn paper and taping it back together. If they know it's the President of the USA's mail, they no doubt will expend that time+money+effort... Presidents should assume they are swimming in a shark tank. For most of us, ebay resales are a swimming pool, and warnings of shark attacks get tiresome.
Gently reply
Last time I checked the standard Android encryption will not do the sdcard partition (I mean not the physical card, but the partition on the internal flash, usually the biggest chunk of it, like let's say 11 out of 16GB). YES, some manufacturers like Samsung and Motorola (possibly many more) have their own solution (I bet a really crappy one but never mind that) and it would do mostly everything, including the big sdcard partition and (if needed) even the physical sdcard.
Anyway bottom line is that:
a. depending on the phone you might not be able to encrypt at all /sdcard
b. ANY activity, including storing random (non-private) crap on the phone and then removing it helps. However, this is no maggic bullet.
This.
What is the value of a used device? Compare that to the risk of the data on that device going to a malevolent third party.
I've had people saying "oh, look at all these hard drives, you should totally sell them on ebay and I bet you could get $10 apiece for them!" Adding up the time I would waste running DBAN or sdelete or whatever, and keeping track of which ones have been wiped, and double checking to make sure everything is really gone, it's not worth the time.
A big hammer and a punch, driven deeply through the thin aluminum cover and down the platter area, takes about a second and leaves nothing anybody would bother trying to recover. You can quickly look at a drive and say "yes, this drive has been taken care of", or "hey, there's no jagged hole here, this drive isn't destroyed." The aluminum cover contains the shards if the platters are glass. I don't care who handles them after destruction. There's no worries about toxic smoke. And if you have to inventory them before shipping them to a recycler, the serial numbers are still readable.
Smashing a phone wouldn't destroy the data on the chips, so a fire is a somewhat safer option.
John
Data cannot be destroyed, that is a fundamental axiom of physics. Someone might read your data based on the smoke your chimney emits.
Troll is not a replacement for I disagree.
Any marginal blocks mapped out before you encrypt will remain unencrypted and may be available to a determined attacker. Same goes for hard drives, and SATA secure erase is not provably trustworthy. Always encrypt your storage before you put any data on it. If you do not trust your hardware AES to not be backdoored then use software crypto.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
The "special values" were from Guttmann's paper on wiping MFM/RLL drives. It is pointless on any modern magnetic drive or solid state memory. He points out in his newer paper on solid-state memories that multi-level flash (now used everywhere other than the most performance critical applications) is particularly hard to recover data from. Furthermore, the wear-leveling strategies used in flash mass storage devices negates any attempt to securely wipe them short of physical destruction. You're just practicing cult cargo voodoo.
I am becoming gerund, destroyer of verbs.
>Furthermore, the wear-leveling strategies used in flash mass storage devices negates any attempt to securely wipe them short of physical destruction.
Well, it confounds it at any rate. But completely filling the device's memory 33 times in a row is pretty likely to overwrite everything at least once or twice - even the hidden "failure reserve" space if it's included in the wear leveling (and if it's not, then it doesn't yet hold any sensitive data, so there's no problem). Guttmann's values may be irrelevant to today's storage media, but that many repeated rewrites of anything still mostly does the job.
I don't know that I'd trust it to wipe vital military secrets, but it should do a good enough job for most anything in the civilian realm.
--- Most topics have many sides worth arguing, allow me to take one opposite you.
This is not required.
https://security.web.cern.ch/s... is relevant.
This actually investigates the physics behind overwriting - in short - once is quite enough today.
There are concerns about reallocated space on hard disks - but 99.99% of the data has gone
away, and recovering the rest is at best expensive.
Simple: the need of multiple passes has just been a myth. People thought that it would be necessary, but it has now been proven that it isn't so.
Well, it confounds it at any rate. But completely filling the device's memory 33 times in a row is pretty likely to overwrite everything at least once or twice - even the hidden "failure reserve" space if it's included in the wear leveling (and if it's not, then it doesn't yet hold any sensitive data, so there's no problem). Guttmann's values may be irrelevant to today's storage media, but that many repeated rewrites of anything still mostly does the job.
If you were an engineer in charge of destroying data printed on paper, and you decided on shred then burn then stir the ashes in water, how many times would you repeat the cycle in order to be sure the data was destroyed? Hint: if your recommendation is greater than one (in order to be pretty sure), check your job title, because you're probably Dilbert's pointy-haired boss.
Drives today work almost nothing like the drives of 20 years ago. They don't paint bit-bit-bit in a stripe, they encode a set of bits in every pulse of the write head. Alter it a tiny fraction, and it becomes a completely different set of bits, one that error correction won't be able to overcome.
Old disks were recoverable because the mechanisms weren't precise, and the data was written with big chunky magnets to assure it was readable. All that slop has been engineered out on order to achieve today's remarkable areal densities. One overwrite is all it takes - as long as you're overwriting it all.
John
Not quite - modern magnetic drives still have tracks wider than the read-write head so that atomic-level alignment isn't necessary. There may be far less "overwrite" than there once was, but if a newly recorded track is not *perfectly* aligned with the last recording then there may well be several percent of the previously recorded track that remains unaltered (consider the worst case scenario case that the previous recording in this track was written at the smallest radius allowed by actuator tolerances, while this pass is at the maximum radius allowed). Now, recovering that data will probably require removing the platters and analyzing them with much higher resolution read heads, but it can be done.
I was more addressing the problems with flash though - in order to disguise degradation modern flash drives typically include more capacity than is addressable by the host system. Fill it to the brim so there are zero bytes free, and there's still several percent of the total drive capacity that is sitting unused in the reserve pool. The only way to overwrite that (barring a OS-accessible "secure wipe" command implemented on the drive) is to generate sufficient churn that the internal wear leveling algorithms cycle through every byte of the reserve capacity at least once. And since you probably don't know the exact algorithm used or wear levels of the drive to begin with, more is better - after all you have to tease out the most heavily used page currently sitting in the reserve.
--- Most topics have many sides worth arguing, allow me to take one opposite you.
"all data is recoverable"
Wanna bet? -- Lois Lerner
What is the value of a used device? Compare that to the risk of the data on that device going to a malevolent third party.
That depends on the device. The fact that you liken them to a $10 harddisk is a problem for your argument. A Galaxy S4 fetches some $300 used on ebay. A Galaxy S4 with a broken screen is still fetching some $150+
That's the value of a used device. Now take $300 in your hand right now, hold a lighter under it and ask yourself, would you light it up right now to maybe protect the data on your phone from the slight chance that someone wants the phone for your secrets rather than as a replacement for the one they dropped in the toilet? I wouldn't. I don't routinely burn money for slight maybe chances.
That said I don't have naked selfies on my phone either, or loan applications, and if I did they're on my external SD card which would not be going with the phone.
I have a better idea, just send me the $300, less waste that way.
...if it didn't force me to also use an alphanumeric password on my new phone. It's got a fingerprint scanner. I want to use that to unlock my phone. But that's disabled if I turn on encryption. Same with my new tablet. So no encryption for me on these devices. Both of my previous devices were content with a PIN which is considered as secure as the fingerprint scanner. Seems ridiculous that I can't determine the level of risk I'm comfortable with.
Careful when you burn that phone--you might elect a new Pope!