If you're planning to sell your old Android smartphone then you need to think again because there is a weakness in the Android Factory Reset option that could be exploited to recover your login credentials, text messages, emails and pictures even if you have wiped its memory clean.

Computer researchers at the University of Cambridge conducted a study on Android devices from 5 different vendors and found that more than 500 Million Android devices don't completely erase data after the factory reset.

"Factory Reset" function, built into Google's Android mobile operating system, is considered to be the most important feature to wipe all the confidential data out from the smartphone devices before going to sold, or recycled.

However, the computer researchers found that the data could be recovered from the Android device even if users turned on full-disk encryption.

The second-hand market is huge and based on the study; the researchers estimated that over 500 Million smartphones may not properly erase disk partitions where credentials and another sensitive data is stored.

Moreover, about 630 Million devices may not completely wipe the internal SD cards where multimedia files such as pictures and video are kept.

The study highlighted five critical Reset failures:

  1. The lack of Android support for the proper deletion of the disk partition in devices running versions 2.3.x of the mobile operating system.
  2. The incomplete upgrades pushed to flawed devices by smartphone vendors.
  3. The lack of driver support for proper deletion shipped by vendors in newer devices such as versions 4.1, 4.2 and 4.3.
  4. The lack of Android support for the proper deletion of the internal and external SD card in all versions of mobile operating systems.
  5. The fragility of full-disk encryption to mitigate those problems up to Android version 4.4 KitKat.

The new findings are published in a research paper (PDF) titled "Security Analysis of Android Factory Resets," which is enough to give a wake-up call to large enterprises as well as individual users.

The researchers study the implementation of Factory Reset on 21 different Android smartphones that ran versions 2.3.x to 4.3 of the mobile operating system and were sold by five different vendors, including Google, HTC, LG, Motorola and Samsung.

After running factory reset in every smartphone, the researchers were able to retain at least some crumbs of old data, including text messages, Google account credentials, conversations on third-party apps such as Facebook and WhatsApp, text messages from SMS and emails, as well as images and videos from the camera.

Moreover, the researchers were also able to extract the master token from 80 percent of the smartphones. Master token lets you access your most of the Google data, including Gmail and Google calendar.
During their experiment, the researchers Factory Reset their phone and recovered the master token. They then created the relevant files and rebooted the phone.
"After the reboot, the phone successfully re-synchronised contacts, emails, and so on," researchers reported. "We recovered Google tokens in all devices with flawed Factory Reset, and the master token 80% of the time. Tokens for other apps such as Facebook can be recovered similarly. We stress that we have never attempted to use those tokens to access anyone's account."
Among all the phones, Google Nexus 4 performed the best, however, the phone too had some issues. The smartphone makers are held responsible for the issue due to bad design and terribly slow upgrades of their handsets.

However, the final body to be blamed is still Google, which makes the Android mobile OS software that runs on all the tested handsets.

So, it is hard to say that your data is fully gone once you run a factory reset. Also, manually deleting every message, photo and app doesn't destroy those files from your phone because phones use flash memory that is notoriously difficult to erase.

So, what to do when I have to sell my old phone. Am I left with just one option? Do not hand off my old phone. Instead just Smash it!

Google has yet to respond to this issue though the company suggests its users to try a combination of things:
  • Remotely wiping the smartphone by hitting "factory reset" as if the phone were stolen
  • Updating the phone to a new version of Android OS that allows for encryption with a passcode

However, even this solution is not 100 percent reliable, according to the researchers.

Fortunately, Google offers an option to protect your Google-related services such as Gmail, Maps and Drive documents. Thus, you can open your Gmail account, head to the Google dashboard and revoke the device's access to your Google account.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.