New research from Cambridge University has revealed that the factory reset feature in Android devices does not actually wipe all of your data, including text messages, email, pictures, videos and other content stored on a mobile device that runs the Google-built operating system.
So if you are planning on selling your Android phone, no matter the brand, think again.
It turns out that even your most sensitive information could be retrieved from your phone after it has been reset. The market now abounds with second-hand Android devices that were supposedly wiped clean of their previous owners' data. They number in the hundreds of millions, according to statistics. That means a large number of Android users who have already sold their phones now face the risk of having their data exposed to malicious users who want to do harm to others.
The research findings have many implications. For one, they show that Google does not provide an easy way to wipe your device clean of user data once you no longer want to use it (and might therefore sell it as a second-hand device).
According to researchers at Cambridge, approximately 500 million mobile devices running Android do not completely clean the data partition that stores credentials and other user information, while more than half a billion handsets do not clean the internal memory card when reset. These devices run Android versions 2.3 to 4.3 and cover various brands such as Samsung, HTC, Sony, and other makers of Android handsets. Newer versions of Android could also be affected by the problem.
Because the internal memory has not been wiped clean through the factory reset function, multimedia files such as videos, photos and music can be stolen or retrieved by other users. Even handsets with full-disk encryption are vulnerable since the factory reset is not able to delete the crypto footer that stores the decryption key.
The researchers blame the physical nature of memory chips, which prevents data from being erased. Handset vendors also share the liability for failing to incorporate drivers for deleting content from the flash memory in the handsets they sold. Another issue found in the factory reset function is that a reset device can re-sync contacts and email after a reboot. This is due to the retrievable master token that is used to access Google accounts.
Fortunately, there are quick solutions to this problem. You can enable full-disk encryption when you first use the device, rather than after resetting it, as the latter would prevent a complete digital cleanup. The option can be found in Security settings.