Doing a factory reset to wipe the data off smartphones does not work, and the data can be recovered, warned Avast.
The company recovered tons of data, including more than 40,000 stored photographs, from 20 used Android phones purchased from eBay.
Device owners need to overwrite their files to make them irretrievable, Avast said, touting one of the applications it offers.
“I am not at all surprised because RAM-based memory still uses the same file system as hard drives, and … PC files do not really get deleted either,” Stu Sjouwerman, CEO at KnowBe4, told TechNewsWorld.
What About iPhones?
Avast did not analyze iPhones, but “in general, on iOS, recovery is much more complicated,” Tomas Zeman, its mobile product manager, told TechNewsWorld.
“It depends on the version of iOS, the version of the device, and whether files on the device are encrypted,” he continued.
Both Android and iOS are based on Unix-like operating systems, and both use NAND flash storage, “so it’s highly likely” that data on both can be retrieved after it has been deleted, Dave Jevans, founder and CTO of Marble Security, told TechNewsWorld.
Tablets are just as vulnerable to data retrieval.
Avast’s Rich, Sometimes X-Rated, Harvest
More than 1,500 family photos of kids, 750 photos of women in various stages of undress, and more than 250 selfies of men’s nether regions were among the photos Avast recovered.
The identities of four previous owners of the devices, one completed loan application, more than 250 contact names and email addresses, more than 750 emails and text messages, and more than 1,000 Google searches also were recovered.
One phone had another vendor’s security software installed — but that device gave up the largest amount of personal information gleaned, Avast said.
How the Data Was Obtained
Avast used the program FTK Imager to mount the image of a partition containing user data. Devices whose users did not store data on removable micro SD cards or internal storage could be connected by a USB cable to a computer, which mounted the storage as removable storage.
Devices that don’t support mass storage had to be rooted and a mass storage application such as Media Transfer Protocol was used to transmit media files.
In some cases, the cellphones were backed up using Android Debug Bridge and the data was converted to a .tar archive using an Android Backup Extractor.
The Numbers Tell the Story
More than 80,000 people list their smartphones on eBay daily, Avast said.
The market for used smartphones is growing, with Apple, big box stores such as Walmart and Best Buy, and carriers all running phone buyback or trade-in programs. Also, carriers have leasing programs that let users get a new device at regular intervals.
Companies like Gazelle, which buy used smartphones, erase and resell them. In May, Gazelle accepted its 2 millionth device and hit its 1 millionth customer mark.
That makes things more dangerous for smartphone owners.
Easus, which offers free and paid versions of its MobiSaver Android data recovery software, also offers something similar for iOS.
Solutions to the Problem
Smartphones, whether owned by an enterprise and provided to staff or owned by consumers, must be wiped before they are reissued, discarded or sold, KnowBe4’s Sjouwerman said.
“Use encryption in corporate applications for BYOD phones,” Marble’s Jevans suggested.
Enterprises may not wipe the hard drives of smartphones they own before reissuing them to other staff.
NAND flash “only has a limited lifetime for reads and writes before it wears out,” Jevans said.
Erasing the contents of files “is not only slow, but would reduce the life of the memory considerably,” he continued. “That’s why it’s generally not done.”