Think you’ve wiped your mobile phone? Think again

Have you ever sold an old phone handset on eBay? Given it to a loved one or friend? Or indeed traded it in for a newer version? You will be interested to know that even though you may have manually deleted the data on that device, things like apps, photos and even Google searches can still be recovered – even if you perform a full factory reset.

It’s a scary but very real scenario. Mobile devices have become woven into the fabric of our lives, with the vast majority of us choosing to store sensitive personal information on them, whether that’s pictures of our friends and family, private email messages, passwords to access our online banking services – the list goes on. Additionally, we’ve seen a significant increase in the number of people using the same handset to store sensitive business information, without due regard for the security ramifications if they were to lose that device.

With incentivised trade-in and buyback programmes being increasingly offered both by the likes of online recycling sites and the retailers themselves, the need to thoroughly and effectively wipe the device is imperative. In fact, with hundreds of millions of devices expected to be traded by 2018, flaws in smartphone sanitisation functions will become an increasingly severe threat with regards to privacy, unintentional data loss or theft.

Simple wipes aren't enough

Consumers may believe that a simple wipe or reset of the mobile device done at home or even in-store will permanently delete all data. However, tests now prove that conventional methods of wiping the phone of all its content have been woefully inadequate. For example, according to Laurent Simon and Ross Anderson from the University of Cambridge, it is estimated that up to 500 million devices may not properly sanitise their data partition where personal or sensitive information may be stored. The vast majority of current legacy wipe standards were designed for computer hard drives and, therefore, are not relevant or effective to the smartphone world. Rather, they should now meet stringent National Institute of Standards and Technology (NIST) Purge standards – the highest standard of wireless device data erasure – to help ensure that all personal data on the device is unrecoverable, even by forensics software.

As we change devices with increasing frequency, meeting these standards is now more pertinent than ever as consumers are now offered a continuous flow of handset upgrades and an incentive to part with their old handsets by mobile retailers, exaggerating the need for phone wiping to be thorough. In fact, mobile retailers suggest that prior to trading in or selling your phone that you perform a full factory reset. In relation to Android retailers specifically, 90 per cent recommend the default factory reset function, which simply isn’t thorough enough and leaves residual data on the device.

How to sanitise a mobile device

There are numerous and more stringent methods which should be considered when looking to sanitise a mobile device. However, even before you plan and attempt to wipe a device, data encryption is a vital part of keeping information safe. Using appropriate encryption technology will cause the data on the device to be ‘scrambled’, meaning that even if the wipe doesn’t fully delete all of the data, the residual information left on the device will be encrypted and need a special ‘key’ to unscramble it. A further safeguarding step, if the device supports it, is enabling ‘Full Disk Encryption’ (FDE) on the first use of the handset.

This helps ensure the most effective and thorough wipe of the phone when seeking to sanitise it at a later date. Alternatively, loading the device with 'fake data' may appeal to the average device user. Loading fake photos and contacts onto a device and then carrying out a full factory reset of the device will make it even harder for individuals to get access of the real data, as it will be buried below and among the 'fake data'.

With mobile devices underpinning everything we do at home and at work, this enhanced connectivity has attracted heightened attention from criminals focused on physically stealing and infecting our mobile devices with malware. Consequently, there is now an abundance of anti-virus support and apps available for smartphones which often have built in 'remote wipe' features in the event that your device is stolen. However, this method of wiping is not the same as ‘sanitising’ and should only be considered a last resort when your device has been misplaced or stolen.

In light of this, solutions are on offer that deliver a thorough and effective wipe of data. Advanced technology enables vendors and retailers to provide easier and efficient mobile device customer service, ensuring the original owner of the handset is left with peace of mind all personal and sensitive data is removed from the device. In turn, this helps mobile retailers to distinguish themselves from the rest of the pack, giving them a competitive edge.

Presently, there is an ongoing debate on the best and most thorough method to wipe a smartphone. However, what is agreed is the paramount importance of ensuring there is no residual data left behind as the repercussions are far too harmful to be gambled with.

Amir Shani, Director, Mobile Lifecycle Products, Cellebrite