Sensitive data, such as user credentials, can be easily recovered from an Android handset after performing a factory reset, according to a University of Cambridge report.
The feature, which is claimed to "erase all data" from the device and is especially recommended come resale time, will not work as advertised on up to 630 million Android handsets.
A factory reset will not properly wipe the data partition, where "credentials and other sensitive data are stored", on up to 500 million handsets, while on a further 130 million devices it will not properly clean the user-accessible storage. Even worse, relying on encryption to secure sensitive data does not help.
When encryption is turned on, the report says, it is still possible to recover the encryption key, which allows recoverable data to be decrypted. The security researchers claim that they "could recover Google credentials on all devices" - 21 popular Android smartphones, made by five different vendors, running Android versions ranging from 2.3 Gingerbread to 4.3 Jelly Bean were used for the purpose of the study.
According to Google's own data, those distributions power 50.2 per cent of all Android devices that are currently in use. Those include tablets, of course, but, fundamentally, Android is the same across all devices that run it - so, the factory reset security problems should not be limited to Android smartphones.
The report says that, among other things, an attacker could exploit the weakness of the Android factory reset to access Google accounts and backed up data linked to them - the latter includes contacts, calendar entries, Drive files, Wi-Fi credentials and more; basically, what is selected to be synced with your Google account is at risk.
Part of the blame lies with vendors, for not delivering drivers and updates that effectively fix the problem, and the other part lies with Google, which has not implemented "support for proper deletion of the internal and external SD card in all OS versions. One of the problems pointed out is that factory reset is not consistently implemented - triggering it from Android allows the user to also use it for the microSD card, but this option is not provided when using the feature via recovery mode.
Vendors are apparently aware that a factory reset might not work as expected, with HTC revealing on its One (M8) help page that "A factory reset may not permanently erase all data from your phone, including personal information".
There are issues even on Android 4.4 KitKat, which, in the Android Open Source Project flavor, supports full disk encryption (FDE), like every Android release after, and including, version 4.0 Ice Cream Sandwich.
FDE is said to be "more appropriate" for users, but it has to be turned on from the get-go to be effective. Enabling it before the factory reset, like with other distributions, may also make sensitive data easily recoverable. The problem is not all smartphones support FDE, nor FDE for the aforementioned data partition.
So what can you do? Well, the researchers seem to imply that there is little an ordinary user can do to make sure their personal data is secure, after performing a factory reset.
The report does, however, provide a number of recommendations for vendors. To read the whole report, hit the link in the third paragraph.