Issues on Android Factory Reset Flaw

Recently, a research paper [1] reported that Android phone was found a flaw in factory reset, which may not properly sanitise data inside the phone and it may cause sensitive information leakage. To evaluate the risk and apply the best protection for user, HKCERT provides the following summary and advisories.

Summary

• Researchers from University of Cambridge in England found that some data in Android phones cannot be sanitised after they had run factory reset.
• They study the implementation of Factory Reset on 21 second-hand Android smartphones from 5 vendors running Android versions v2.3.x to v4.3.
• The result shows they could recover some data on the devices presenting a flawed Factory Reset.
• The recovered data credential information, installed apps, contacts, browsing, WiFi setting, multimedia, conversations, etc.
• Vendors may not apply sanitisation command properly, therefore the data partition is not secure deletion.

Advisories

• User can use Android v4.4 or above and enable Full Disk Encryption (FDE) [Fig1] in the device. In addition, user selects a strong password to thwart brute-force attacks.
  
  
  Fig 1. Encrypt phone
   
• For wiping an external memory card, user could use secure erase tool [2] in PC to overwrite and wipe data inside the memory card.
• If information destruction is required, user can perform the destruction through physical destroy.

Remarks

• Mobile apps come with remote wipe functions, which are not an alternative to a flawed built-in Factory Reset.
• The report does not present results of other devices, including Motorola Defy (Android v2.1.x), Nexus 4 and Nexus 5 (Android 4.4), in the sample.
• There is no similar research on other mobile platforms.

[1] Reference: http://www.cl.cam.ac.uk/~rja14/Papers/fr_most15.pdf

[2] Remark: Data Permanently Deletion Tools https://www.hkcert.org/security-tools#DatProTools