Have you ever sold a second-hand phone? Or given an old tablet away to a charity shop? Like any sensible tech-savvy user, you probably ran a factory reset on your device, and thought no more about it. But new research has shown that deleting data from an Android device with a factory reset does virtually nothing to delete users' sensitive information.
Three separate investigations of Android's data-deletion systems found it was possible to recover information in almost every instance. In some cases, the reset simply removed the archive entry for the data, but didn't delete the data itself – the equivalent of removing all links to a webpage, but leaving it online.
Tesco's Hudl tablet was singled out as a particularly egregious offender, having been found to contain a flaw that let attackers get at data saved to onboard memory. That's because of a known bug in the Rockchip processor that powers the Hudl.
The research was carried out on second-hand devices sold via auction sites such as eBay. Ken Munro from security firm Pen Test Partners was part of the research team.
"There's a flaw in the firmware, which allows you to read from it as well as write," he explained. All modern devices can be flipped into a "flash mode" so the onboard firmware can be updated and data written to memory.
Using a freely available software tool, Mr Munro was able to easily read data from Hudl tablets to which the factory reset facility had been applied.
In response, a Tesco spokesperson said: "Customers should always ensure all personal information is removed prior to giving away or selling any mobile device. To guarantee this, customers should use a data wipe program."
The spokesperson added that any tablets returned to Tesco had all personal data wiped.
Google, which develops the Android operating system, said anyone selling a used gadget should follow several steps to protect information.
"If you sell or dispose of your device, we recommend you enable encryption on your device and apply a factory reset beforehand," said a spokesman.
The case brings to mind another experiment conducted earlier this year, in which analysts working with a Channel 4 investigation bought three second-hand mobile phones from the high street second-hand electronics shop CEX, which claims to delete data from phones once they are bought. However, the researchers were able to recover huge amounts of sensitive data from each.
One phone even yielded a total of 5,000 files, including SMS messages its previous owner had exchanged with his girlfriend, and his web browsing history, including visits to porn sites.