It looks like the built-in factory reset function is not doing its job on most Android devices. According to a recent research paper, an estimated 500 million Android devices are susceptible to the recovery of personal information such as logins, emails, contacts and more, even after a factory reset.
This flaw doesn’t matter much as long as your Android devices remain with you. But if you sell your Android smartphone, lose it and remote-wipe it, or use company-provided devices that end up back with employers or in a landfill somewhere, malicious parties might take advantage of it.
“In the first comprehensive study of the effectiveness of the Android feature, Cambridge University researchers found that they were able to recover data on a wide range of devices that had run factory reset. The function, which is built into Google’s Android mobile operating system, is considered a crucial means for wiping confidential data off of devices before they’re sold, recycled, or otherwise retired. The study found that data could be recovered even when users turned on full-disk encryption,” wrote Ars Technica in a report.
The researchers tested 21 devices with varying Android versions (2.3 to 4.3) and found that they were able to extract the master token Android uses to give access to most Google user data, text-based conversations, contacts, data from third-party apps and more.
According to the researchers, consumers can do little to fix the issue apart from manually installing an application that fills up the phone storage with random information to overwrite all space, or destroying their device. It is now up to Google and the device vendors to offer a solution.
You can read the full research paper here or Ars Technica’s coverage of the same.