Security

Android's factory data reset comes up short

Resetting an Android device using the factory data reset is supposed to remove the owner's data. According to AVAST researchers it does not. Find out what they learned and a possible solution.

avast.png
 Image: AVAST Software

Security pundits (including me) have pontificated on the importance of resetting a smartphone to factory-default condition before selling it, giving it away, or even recycling the device. Why the reset? To make sure all personal and financial information is removed from the phone's storage.

Resetting may not remove personal data

There are experts who now say resetting an Android smartphone does not necessarily remove the owner's data, something commonly believed to happen since the process is called "Factory Data Reset." The Android smartphone may look like it was reset. However, those having expertise in digital forensics and the right software tools are finding bits and pieces of personal information -- important remnants people more than likely rather not see publicized. Case in point, AVAST randomly purchased 20 Android smartphones from eBay. Here's what they found on the phones:

  • 40,000 photos of which 1,500 were family photos including children
  • 750 email and text messages
  • 250 names and associated email addresses
  • Identifiable information from four owners
  • 1 completed loan application

Deleted or reset makes a difference

As for the data found by AVAST, the press release said, "All 20 sellers had reset their phones to factory settings or had deleted all their files."

That "or" statement immediately begs the question: did the data come from phones reset to factory default, phones where owners just deleted the files, or both? Let's break it down and see why that is important -- first file deletion. As with Windows, the term delete is a misnomer. Files are never actually deleted.

Simply put, hitting the "Delete" key tells the Android device's processing system to no longer reserve the memory space allocated for the deleted file's digital information -- meaning it can be overwritten. However, until the overwrite happens the data is there for anyone to access and read. When and if the memory space is overwritten is anyone's guess.

Next is factory reset. A simple process, just go into Settings, the Accounts tab, and tap the "Backup and

avast-2a.png
Reset" option when it appears. Within a few minutes, the Android device is back to factory default.

The screenshot to the right gives one the impression that personal data should be gone. However, AVAST found that was not the case. AVAST claiming that factory resetting does not work is a bit unsettling to one who wrote how important it was to reset Android devices. Wanting to be absolutely sure, I contacted AVAST.

What AVAST really found

Caroline James, AVAST public relations manager, provided hard copy from a question and answer session with Jaromir Horejsi. Horejsi and David Fiser, Android forensic-analysis researchers for AVAST, were the two who determined factory resets did not remove (overwrite) the owner's data. Here are the relevant questions:

How did Avast confirm that these phones were indeed wiped or restored using the factory-reset function?

Horejsi: The majority of the phones were factory reset, however there were some cases when the phone was started by our virus lab, it initiated the default setup.

Did the techs try a controlled study, in which they reset a phone themselves and forensically tested it afterwards?

Horejsi: Yes, we did a proper factory reset on some phones (in case, the owner had not done this) and we were still able to find data (meaning we were able to replicate our experiments).

What versions of Android did you find?

Horejsi: Several different Android versions were present, most of the phones were using an Android 4.x.x version.

What were the brands/models of the smartphones?

  • HTC: EVO V 4G, One X, Thunderbolt ADR6400L Verizon 4G, and Sensation 4G Pyramid
  • Motorola: Droid RAZR (4 phones), Droid Razr MAXX XT912M, and Atrix 4G MB860
  • Samsung: Galaxy S2 (2 phones), Galaxy S3 (3 phones), Galaxy S4 (2 phones), and Galaxy Stratosphere SCH-I405
  • LG: Optimus (2 phones)

For those who are interested in the forensic process, the two researchers supplied details in this blog post.

What is the solution?

There are many apps that claim to overwrite existing data during a reset. However, that requires additional trust on the part of the device's owner who already has serious doubts. I wanted to find a nondestructive way to ensure the data was unreadable. John Lehr is an expert at finding data on mobile devices. He does it for the San Luis Obispo Police Department. He is an evidence technician for the city as well as a mobile-device forensics instructor for Teel Technologies.

Lehr is especially good at retrieving data from phones reset by criminals. His hope is to determine the original owner. Lehr said, "I've seen a trend in recovered stolen devices over the past few years. The bad guys are rapidly restoring devices to factory settings to prevent them from being tracked by the owner or law enforcement."

When it comes to resetting the phone and making personal data on the phone unreadable, Lehr mentioned

avast-2.png
that Google recommends users encrypt their device and then use the factory reset option from recovery mode.

This is effective because the data is first encrypted and then the data and cache partitions are formatted upon reset. Lehr added a note of caution. He said, "It should be noted that encryption is not available to the user in devices running Gingerbread or older."

Lehr, during our conversation, stressed a little known fact. Even in the latest Android releases, device encryption and factory reset do not necessarily apply to SD-card partitions. The SD-card partitions can be securely written in some Android implementations, but must be done separately in the settings as shown in the screenshot at the right.

Something else important to understand is that a factory reset will not wipe, delete, or reformat SD-card partitions. Lehr mentioned, "It is here that I find user data in restored devices or devices that I cannot root or JTAG."

Lehr then cautioned users to remove, wipe (overwrite), or destroy the MicroSD card if one is installed and wipe the internal SD card if possible. There was something else that concerned Lehr. He said:

There may be apps to assist with this, but the term 'wipe' is used very loosely in both apps and the stock recovery. Wipe should mean -- always -- the overwriting of data. It can be done with a pattern, zeroes, or random data, it really doesn't matter. More often, however, the term is used incorrectly and means something else entirely.

Last thought

The question now becomes what of those applications advertising the ability to remotely wipe an Android device if it is stolen?

About

Information is my field...Writing is my passion...Coupling the two is my mission.

18 comments
Avineet09
Avineet09

My question is how do we use this to our benefit? For example if I have deleted file through a factory reset, then am I able to recover these files? Attempts made to do this has resulted in messages claiming files are not recoverable due to them being overwritten. Any thoughts on this?

michael
michael

I read the original blog post by Avast which gives the technical details of the investigation http://blog.avast.com/2014/07/09/android-foreniscs-pt-2-how-we-recovered-erased-data/ and then I re-read this TechRepublic article & now I'm confused.

The original Avast post says NOTHING about the fact that the phones were factory reset.  That information appears only in a comment on the bottom.  The entire thrust of the article is that deleted data is not truly wiped, which as anybody who understands file systems knows, but the general public does not.

While I believe that the information later provided to Michael Kastner is true & the phones were factory wiped, I cannot understand why it's not mentiond inthe original blog post, as that makes a huge difference. 

Why was this piece of information, upon which Kastner's entire article is based,  omitted from the original blog post?  Something about that bothers me.

frylock
frylock

In a way, this is a VERY old story. The "delete command doesn't delete data" thing is true of probably any popular filesystem. And truly erasing any kind of non-volatile storage has always been difficult. Why is anyone surprised that a phone is any different?

Gisabun
Gisabun

This is almost an old story. Saw it probably last week. The original story had a comment from Google who said that they were most likely old phones [as who'd sell a Galaxy S 5, right?].

Also, who would leave an SD card in the phone unless they forgot to take it out.

Michael Kassner
Michael Kassner

@Gisabun


I wrote it last week. That is not exactly true about just old phones. You should read the article by Mr. Lehr. 

cfwags1
cfwags1

I recently reset my phone because the data usage had gone up significantly despite no changes in my usage. I found 2 options to reset the phone for my Samsung Galaxy S4. First was to backup and reset and second was just a straight factory reload back to like new. I am curious if this 2nd option clears the personal data better than using the 1st which backs up and uses the backup to restore data to phone after reset.

Michael Kassner
Michael Kassner

@cfwags1


I do not believe so, but I will query the research team to see what they say. Thank you for asking. 

authorwjf
authorwjf

Hello Michael!

As always wonderful article. It does a great job of bringing to the attention of the general public a real misconception about smart phones and the factory reset option. I wanted to reaffirm your statement that this is the same scenario faced on your average desktop or laptop computer. In my mind this is an information dissemination problem more than a technical one. By that I mean this is not an issue unique to mobile phones. This is just how our drive / storage solutions work. So as we must take precautions when getting rid of an old laptop or hard disk from a desk top machine we must also be vigilant when disposing of or recycling phones or tablets. In fact nearly identical best practices can and should be applied. I applaud you on your efforts to get the word out. Often because mobile devices were a phone first we forget that at its core a smart phone is a pocket sized computer. If as many manufacturers hope wearables take off we will be facing these same privacy risks with watches, glasses, and who knows what else. Until there is a significant shift in how our underlying disk technologies operate (at the logical layer not the physical layer) it will be up to users to police up after themselves. This may mean the average user has to get a bit more tech savvy or third party apps / services will need to work harder to educate the public on the value they can bring.

ejakob
ejakob

Recently I had to send my HTC One X + in for repair and performed a factory reset. After that I connected the phone to my computer and found that all the photos were not deleted (music etc. I cannot say, as I don't use my phone as an mp3 player). So the factory reset does NOT delete nor wipe all data, although it says it does.

laman
laman

While I don't understand why people are leaving their external SD cards in the phones while selling, I don't understand either why the researchers believe that information on the SD card should be wiped by Android OS. This has nothing to do with Android.

Michael Kassner
Michael Kassner

@laman


What you say may be true, but Android will encrypt the SD card, "so why not format it" is my guess as to what people are thinking. 

zion4887
zion4887

so is this also the case when you enter recovery mode and wipe the cache as well as factory resetting your device.

Sara Provenzano
Sara Provenzano

I know that perfectly ...but I will find out a way ....

Editor's Picks