BBC

London

Using the ‘factory reset’ option to wipe Android phones may leave behind valuable data, warn security experts.

The reset function may also fall short when used to remotely wipe a phone that has been lost or stolen, report Cambridge University researchers. For their analysis the researchers bought used Android phones to see what sort of data remained on the handsets.

In some cases they retrieved key files that let them access a former owner’s Gmail account. The study of 21 phones, running Android versions 2.3 to 4.3, was carried out by Prof Ross Anderson and Laurent Simon from the University of Cambridge computer science department.

The flaws they found could mean that up to 500 million Android devices might be at risk of leaving data available to attackers after being reset, the researchers warned in a blogpost. ‘These failings mean that staff at firms which handle lots of second-hand phones (whether lost, stolen, sold or given to charity) could launch some truly industrial-scale attacks,’ they said.

All of the phones analysed left some data behind after a factory reset, they said. In most of the phones tested, data generated by the WhatsApp and Facebook apps was left behind. Images, videos and text messages were also recoverable. In 80 percent of the Android handsets the two researchers managed to get at an important file known as the ‘master token’, which Android uses to give a phone access to Google services such as Gmail. The reasons for the failings were complex, said the pair, but some came about because of the way that phone memory is made and because software to make sure data was deleted had not been updated.

Google declined to comment on the findings. However, the search firm has acknowledged the problem in the past and introduced changes with several versions of Android to make resets more thorough. Android 3.0 brought in an improved erasing mechanism to prevent data being retrieved. Updates to the reset system have also been brought in with Android 5.1, which was released earlier this year. Many Android phones now use encryption to scramble data so it cannot be read even if it is retrieved. However, the Cambridge researchers found that, on some phones, other files they could retrieve helped to get at this scrambled data.

The Abel Fanfare, composed by Klaus Sandvik, was performed by musicians from the Staff Band of the Norwegian Armed Forces as the Abel Laureates entered the University Aula. They were accompanied by members of the Abel committee, the chair of the Abel board and the president of the Norwegian Academy of Science and Letters. H.M. the King entered the Aula escorted by Ole Petter Ottersen, rector at the University of Oslo, and Øivind Andersen, secretary general of the Norwegian Academy of Science and Letters.

As a prelude to the award ceremony, the audience was invited on a journey into the history of the Abel Prize, presented in pictures and words. The president of the Norwegian Academy of Science and Letters, Kirsti Strøm Bull, also dwelt on the history of the prize in her opening speech. The first initiative to establish a mathematical prize in the name of Niels Henrik Abel was taken by another Norwegian mathematician, Sophus Lie, as early as 1898. But it would take more than 100 years before the Abel Prize became a reality in 2002. Interestingly enough, there is a mathematical connection between Sophus Lie and this year’s Abel Laureates, Kirsti Strøm Bull explained.