I’m putting my consumer hat on for a bit. With all the billions of Android devices out in the wild, there are, at any given time, many thousands for sale (about 80,000 are on eBay at any given time). Many of these phones are from folks who tried Android on for size and found it lacking while others may have been used for quite some time — thus containing oodles of personal information.
Smart sellers are using the built-in Factory Reset feature to clean those devices before passing them onto a new owner. After doing that, everything should be good — no photos, emails or personal information should be on the phone, right? As it turns out, that may not be entirely true. Security researchers say they can retrieve all kinds of photos, emails and more from these “wiped” phones.
To retrieve this personal data, all you need is an off-the-shelf digital forensics application such as FTK Imager. This tool will allow the buyer to retrieve all kinds of personal information from a phone that was “reset.” Have a look at what they’ve retrieved.
The folks at Avast were able to recover gobs of personal information from 20 phones purchased off eBay, including:
- 40,000 photos (many of the NSFW variety)
- 750 emails and text messages
- 250 contacts
- Identities of 4 previous owners
- A loan application
So, how do you wipe an Android device?
Good question… until this is fixed for real, Avast has a solution. We’ll keep an eye out for more solutions in the future, but if you are selling your Android phone, think twice about who you’re selling it to and realize that they could potentially retrieve some of your personal information and use it for nefarious purposes.