Android Restore Factory Settings Is Not As Secure As We Thought, Says Avast
What would be the traditional way to wipe data from your smartphone before selling it on eBay or Amazon? Right, backing up your data and restoring factory settings, so that your Android device does not carry any personal information about you, including those photos. Well, folks, Avast has some bad news for you – that stupid selfie you took of yourself wearing nothing but a cowboy hat might well be restored by a smart teenager who bought your used smartphone on Craigslist.
Antivirus and security products vendor Avast conducted research that casts a huge shadow of doubt over the Android factory reset feature, which was a go-to solution for Android users globally for wiping their data off their phones before selling or giving away their used devices.
Avast bought 20 random used Android smartphones on eBay and ran a data recovery program on them. Brace yourselves, because they recovered over 40,000 images, 750 emails, 250 contacts, the identities of four previous phone owners, and even one completed loan application. There were over 250 male selfies à-la nu style and more than 750 female selfies in different stages of nudity, over 1500 photos of children, over a thousand Google searches, and nothing stood in the way of recovering the deleted data.
Avast even suggests one of the 20 smartphones had a security suite installed (not that of Avast), and that device revealed the most personal details about its previous owner!
Is Avast promoting something?
Yes, Avast Anti-Theft, but who cares if the results of their research are authentic? You can easily do the same at home with your old devices – download Recuva or any other un-delete/recovery software, connect your device to your PC, or get a mobile recovery app and run the analysis. We wrote a detailed guide on how to recover deleted files and images on Android devices.
Why It Matters
According to Avast, over 80,000 used smartphones are on sale online every single day. Avast focuses on the U.S. market only, so the worldwide figure would be far greater.
You may think no one cares for your old pictures, but what if whoever has your phone can add that information to your geo-tagged Facebook messages, phone contacts and Google searches for specific jobs and in specific areas? That someone could just as well take out loans in your name, impersonate you in banks, stalk or blackmail you, or worse, exploit the insider information about you to harm you or get close to you, or even sell your identity information on the black market.
So, how do you wipe your data now?
The answer is pretty simple – use wiping software, file erasers, shredders, or whatever developers call them. Here is a list of Windows file shredders, both paid and free. For example, if you use Spybot Search and Destroy (Spybot S&D) or AVG Internet Security 2014, these suites have a shredding option. When you transfer files from your Android device to your computer, simply shred the files with the help of a PC-based program. Here are some suggestions:
To wipe your devices properly, you must understand how deleting differs from wiping or shredding. The regular ‘delete’ option on both smartphones and computers does not physically delete the files. Instead, it only removes the file headers, so that the system no longer ‘sees’ these files. The data itself remains on the drive until something new is written over it. Each time you add new files and folders to the drive, previously ‘deleted’ files get overwritten and become more difficult to restore. Thus, the best way to wipe data is to have it shredded using multi-pass overwriting. Spybot S&D offers 7, 35 and 100 passes, the ultimate being paranoid. The more overwrite passes you choose, the longer the process, but the results are recovery-proof.
The same file shredding software can be used to wipe entire disks – the feature is called wipe or erase free space, and it overwrites even the free space, successfully wiping the previously deleted but recoverable files.
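The difference between deleting and wiping free space, shown as an added illustration that is not from Avast or the original article: on a toy in-memory volume, an ordinary delete leaves a photo recoverable by a signature scan, while a free-space wipe does not. ToyVolume, the 16-byte block size, the fixed fill patterns and the sample bytes are all constructed for this example and do not model a real file system or flash storage.

```python
BLOCK = 16  # toy block size in bytes (constructed for this example)
class ToyVolume:
    def __init__(self, nblocks):
        self.data = bytearray(nblocks * BLOCK)  # the raw medium
        self.table = {}                         # file name -> list of block numbers

    def free_blocks(self):
        used = {b for blocks in self.table.values() for b in blocks}
        return [b for b in range(len(self.data) // BLOCK) if b not in used]

    def write(self, name, payload):
        need = -(-len(payload) // BLOCK)        # ceiling division
        blocks = self.free_blocks()[:need]
        if len(blocks) < need:
            raise OSError("volume full")
        for i, b in enumerate(blocks):
            self.data[b * BLOCK:(b + 1) * BLOCK] = payload[i * BLOCK:(i + 1) * BLOCK].ljust(BLOCK, b"\0")
        self.table[name] = blocks

    def delete(self, name):
        del self.table[name]                    # ordinary delete: entry gone, blocks untouched

    def wipe_free_space(self, passes=1):
        for p in range(passes):                 # alternating fixed patterns, deterministic
            fill = bytes([0x00 if p % 2 else 0xFF]) * BLOCK
            for b in self.free_blocks():        # only unallocated blocks are overwritten
                self.data[b * BLOCK:(b + 1) * BLOCK] = fill

def carve_jpegs(raw):
    """Signature scan: return byte runs from a JPEG start marker to the next end marker."""
    found, pos = [], 0
    while (start := raw.find(b"\xff\xd8\xff", pos)) != -1:
        end = raw.find(b"\xff\xd9", start)
        if end == -1:
            break
        found.append(bytes(raw[start:end + 2]))
        pos = end + 2
    return found

PHOTO = b"\xff\xd8\xff\xe0" + b"constructed-selfie-pixels" + b"\xff\xd9"  # fake JPEG bytes

def demo():
    vol = ToyVolume(16)
    vol.write("selfie.jpg", PHOTO)
    vol.write("notes.txt", b"keep me")
    vol.delete("selfie.jpg")
    after_delete = carve_jpegs(vol.data)        # the photo is still on the medium
    vol.wipe_free_space(passes=7)               # live files are left alone
    return after_delete, carve_jpegs(vol.data), b"keep me" in vol.data
```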
Alternatively, you can go the extra mile and encrypt your device -> do a factory reset -> load fake files -> do another factory reset.
Once your device is encrypted, the data on it cannot be recovered without the special key needed to decrypt it. You can use this detailed guide on how to encrypt your Android device, or follow a direct route to Settings -> and tap Encrypt Phone.
Factory Reset Stage 1
Go to Settings -> Backup & Reset -> Factory Data Reset or Restore Factory Settings. Make sure you have a backup of all your data before you do that.
The truly meticulous users may want to load tons of irrelevant data onto their phones – odd images, movies and music. Just make sure none of those carry metadata that is relevant to you. For a detailed insight on metadata and how to delete it, read this guide. The best option is to upload something from the Internet. And remember not to use your Google accounts and social network profiles on the device (if your aim is to wipe your data prior to selling the device). Also, load fake contacts.
Factory Reset Stage 2
Perform another factory reset, erasing the fake data you just uploaded to your device. It will erase it, but most importantly it will cover the previously deleted authentic and encrypted data even more. The paranoid folks can repeat the procedure as many times as they want, but my guess is that using file shredders is faster and more efficient.
Combining the above-mentioned methods will give secure results, especially if you use 26-100 shredding passes AND encrypt your device, then do the factory reset.
Now your Android device is ready for testing, so connect it to your PC and run Recuva.
Just in case you think wiping your smartphone cleans anything other than the smartphone itself, you are wrong. Deleting your photos from your Android device does NOT delete them from the accounts you used to sync or store them – Google+, Gmail, Picasa, Instagram, Google Drive, Dropbox or OneDrive and so on, while your Google Play account still bears the ID of your Android device.