Factory Reset On Millions of Android Devices Doesn't Wipe Storage

Bismillah writes: Ross Anderson and Laurent Simon of Cambridge University studied a range of Android devices and found that even though a "factory reset" is supposed to fully wipe storage, it often doesn't. Interestingly enough, full-device encryption could be compromised by the incomplete wiping too. ITnews reports: "The researchers estimated that 500 million Android devices may not fully wipe device disk partitions. As many as 630 million phones may not wipe internal SD cards. Five 'critical failures' were outlined in the researchers' Security Analysis of Android Factory Resets paper.

Re:All using ancient devices

[gstoddart]

Yes, and how many of those devices are supposed to support the factory reset which wipes all the storage?

What's that? All of them?

Full disk encryption is one of 5 problems they found, but not the main one.

the researchers found that all retained at least partial amounts of data from contacts information, images and video, SMS, email, and data from third-party apps like Facebook.

They were able to recover Google authentication tokens in all devices with flawed factory reset, and were able to access master tokens in 80 percent of cases.

To test their findings, they used one of the recovered master tokens from a reset to restore the credential file.

Disk encryption, in theory, should make the factory reset more robust. But the sense I get is that the factory reset is complete garbage independent of encryption on some of these devices.

Which mostly reaffirms that I have no interest in anything but the stock Google Android. Because by the time another entity has gotten their hands on it and tweaked it to advance their own commercial interests , you really have no idea of what holes they've introduced, and you have no idea how long before they'll drop support for it.

Carrier certification is shorthand for "all of our crapware needs to be checked if we get around it". The shit carriers put on phones is for their benefit, not ours. Because it's intended to drive traffic to their garbage.

Re:New news about Old software

[thegarbz]

Since then, Android has released major versions (4.4 Kitkat, 5.0 Lollipop) and various major updates within those families (4.4.2, 4.4.4, 5.1). To put this in perspective, they're talking about risks in 2018 from software no newer than 2013 while writing and publishing in 2015.

More than half of current devices in the hands of people have the versions which they tested.

There were many fixes in Android security systems in 4.4 and also in 5.0.

Which has nothing to do with factory reset, a function implemented by the manufacturer and not a function of Android itself. Unless the manufacturers have picked up on it, 5.0 devices are just as likely to preserve user data as previous devices.

5.0 now supports hardware encryption on e.g. HTC and OnePlusOne platforms among others.

Supports means nothing. No actually it means a lot. Hardware encryption is currently supported by a tiny TINY portion of the handsets out there. But here's a fun fact for you, supported doesn't mean the end user will use it. 5.0 does not mandate encryption by default. It's not an opt out process. I don't even need to guess how many users went out of their way to turn this feature on.

but in this case the hype cherry-picks data that ignores two years of active open-source development and many security updates

All which mean diddleysquat in practical terms if the updates haven't filtered down to the population, and the updates mandate proper security practices. Neither of which has occurred in the past 2 years.

Re:Android. The "PC" of mobile devices

[DigiShaman]

So what you're saying is that you want companies to do your thinking for you?

If you mean "innovation", then yes. Make a product that I like and conforms with my life, and I'll be inclined to make a purchase. Life is too short. I don't have time to think of everything.