The Android “factory data reset” feature is supposed to remove all private data from a device. But does it? As the IT security company “Hatforce” discovered, it is possible to recover the deleted data on many Android phones. When a phone is sold, the buyer could thus gain access to the previous owner's private data, such as photographs, application data or stored passwords – even if the previous owner “wiped” the device as recommended by many web sites.
While the “deleted” data is no longer accessible through regular means, it is still present in the memory of the device. Using special software, the new owner can access the memory and read its contents. Hatforce describes the technical details on the company blog. “Unfortunately, this means that there is no easy way to securely delete all personal data on many Android phones”, says Jan Schejbal, the Hatforce team member who discovered the issue.
Hatforce has informed the Android security team about the issue. It is unclear which devices are affected – the test was performed on a Google/Samsung Nexus S running Android 2.3.6. The source code indicates that the newer versions Honeycomb and ICS (3.x and 4.x) do securely wipe the memory on factory data reset. However, these newer systems currently represent only around 5% of the devices.
Hatforce (https://www.hatforce.com) is the first crowd-sourced security testing startup worldwide. Its services comprise web and mobile application pentests. Since its launch, Hatforce has received extensive positive feedback, especially from Forbes magazine: “This service is stroke of genius! […] This is a great business concept and one that could make a huge difference in how safe your application, and brand, is.”
The Hatforce Team