Security Guru: Don’t Sell Your Android Phone Until Turning it into Swiss Cheese

We like to think that doing a factory reset on our old phones and tablets is enough to keep our private data safe before selling them for an upgrade to the latest gadget, but a new survey of phones, tablets and computers purchased from Craigslist proved that a factory reset is essentially worthless on Android phones and tablets.

Just how bad is it?

Security evangelist Robert Siciliano of McAfee told GottaBeMobile that he wouldn’t “let a Droid out of my hands,” and recommends turning your old Android smartphone into Swiss cheese if you value your privacy.

When it comes to a factory reset, Android phones are the worst. The iPhone and iPad are much better at removing personal information.

Robert purchased 20 laptops, notebooks, tablets and smartphones on Craigslist in the Boston area and sat down with a forensics expert who was able to pull a shocking amount of information off of the old gadgets — even those that had been factory reset.

What’s Left After a Factory Reset?

When it came to mobile phones, Robert told us that the most commonly found information was porn, “lots and lots and lots of porn.”

But, that was hardly all that they found during their search of gadgets purchased on Craigslist. Second hand devices included the following information even after the seller did a factory reset or a reinstall of the operating system.

  • Porn
  • Court records
  • Social Security Numbers
  • Resumes
  • College applications
  • Cookies
  • Child support documents
  • Employee records
  • Bank statements
  • Credit card statements
  • Tax returns
  • Emails
  • Contact lists
  • Photos
  • and more.

All of this information came from devices which had been factory reset or had an operating system reinstalled. Obviously, some of this private data was found on notebooks, but with more and more of our financial, personal and work life taking place on our phones and tablets, you have more than emails, contact lists and photos at stake.

Take a minute to think about your browsing history, any financial PDFs you’ve downloaded to your smartphone or other personal documents you’ve accessed on your smartphone over the last year.

In 5 minutes of searching I was able to find a free tool that recovered photos, the email address from the phone and my Google Books reading history. I also found other forensics tools which others have used to find email history, contacts, Google search history and text messages.

In the video below, I show how easy it is to recover simple information like photos from a formatted Android phone. This may not seem like a big deal, but if you are anything like me, your photo history will contain photos of documents, phone numbers and other papers which you have saved to Evernote or emailed, but don’t want in the hands of a stranger.

While I wasn’t able to recover as much as the forensics expert, it became clear that there are many tools out there to recover more data.

Why You Should Worry

There’s definitely cause for concern given the 13% rise in identity theft in the last year. It gets even worse: Javelin Strategy & Research found that 7% of smartphone owners were victims of identity theft, a higher rate than for the average person.

Javelin Strategy & Research believes that the increase of identity theft among smartphone owners is related to the lax security they use, but the real problem is that 32% of smartphone owners admitted to storing usernames and passwords on their phone. Even improvements to security in future versions of Android operating systems won’t protect everyone. The survey found that nearly a third of smartphone owners don’t upgrade to newer versions.

This information, combined with the information gleaned from any social networks and contact lists left after a factory reset only makes it easier for identity thieves to take over your identity by buying your old Android phone for $50 on Craigslist.

Robert used a forensics expert, but anyone with an Internet connection and the know-how to use basic software tools can learn to extract this information with DIY data recovery tools and guides.

Identity Theft

Criminals can use this information to steal your identity, take over your accounts and undertake other nefarious activities. Robert explains that a $20 to $100 Windows PC purchased on Craigslist could result in thousands of dollars of value for identity thieves. The two main attacks are using your identity to open new accounts in your name and using the information left behind to take over your current accounts to run up charges and drain cash.

Scams

If a criminal has your contact list and photos, they could also run a spear phishing scam on your friends and family, asking them to send money to help you out of a jam, even including a photo to sell the story. This might sound far-fetched, but the Grandparent Scam happens with compromised Facebook accounts all the time, and it isn’t limited to grandparents.

Blackmail

If your phone has porn left on it, a Craigslist buyer could even use your browsing history, photos and contact list to blackmail you.

iPhone Factory Reset Is More Secure

Android Factory Reset won't remove all data.

When it comes to mobile devices, Android phones are the worst at securing your private data with a factory reset. This is why Robert told GottaBeMobile, “I don’t even know if I’d let a Droid out of my hands.”

While Android devices can’t keep your personal information safe with a factory reset, Blackberry and Apple devices fared better.

Robert tells us that BlackBerry does the best job of deleting information when the phone is factory reset, but Apple isn’t too shabby either.

On an iPhone they tried to access, they found nothing, and on an iPad, they only found an email address and some songs. Good news for iPhone 4S and iPad 2 owners who plan to sell their old Apple gear to pay for the iPhone 5 and iPad 3.

We’ve asked Google for comment on the security of factory resetting Android phones, but have not received a response.

What to Do With Old Phones?

When Factory Reset Fails.

If you have an Android phone you no longer plan to use, your best bet is to stick it in a drawer as a backup device in case your new phone breaks, or you could put it in a vise grip and drill holes through it until it looks like Swiss cheese. If you have a gun handy, target practice is another option.

These findings have me rethinking selling any of my old Android phones, like the HTC Thunderbolt, which many of you would line up to shoot.

The only semi-safe option would be to lend or give it to a trusted friend or family member who won’t turn around and sell it in a month.

When it comes to MicroSD cards or SD cards, Robert suggests breaking them into pieces, and never including them with a device you sell to someone on eBay or Craigslist.

As long as you perform a factory reset on your iPhone, iPad or BlackBerry, you should be safe to sell it to a third party; just be careful if you meet a Craigslist buyer in a desolate parking lot.

Shhhh! and Bullet Hole images via sxc.hu

Comments

  1. DNel says

    It was just a couple of days ago that GBM posted how to clean/wipe your Android phone. Now reading this, I wonder if those steps are good enough.

    • omgwtfbbq1 says

      Considering this article only deals with “factory reset”, but the linked article mentions erasing the SD card as well, those steps are decent. If you are more concerned, download SD card erase software such as SD Formatter: https://www.sdcard.org/downloads/formatter_3/ or, if you are extra paranoid, simply replace the SD card.

  2. omgwtfbbq1 says

    Thanks for spreading misinformation. Rather than giving useful advice on how to sell your Android phone, you tell people to destroy it, obviously ensuring a complete loss of resale, and maybe making someone think twice about buying an Android phone in the first place, not to mention being able to spread additional FUD about security on Android.

    Anyone who has ever used an Android phone notes that there are two separate, distinct bits of storage on the device: one is the phone’s internal memory, and one is the SD card. A “factory reset” simply clears the internal data without clearing the data stored on the SD card (which is where photos, videos, and other personal data which is accessible is stored). A second option, “wipe SD card”, makes that data unavailable, or if you are afraid of the ability of a forensic investigator to recover that data, then a simple $10 purchase of a new SD card would make your personal data such as you have listed above inaccessible. (Note that this is impossible with an iPhone, which means any forensic ability to read erased data off an iPhone would NEVER be able to be protected against, unlike this very simple and foolproof option available to Android owners.)

    But rather than providing this simple solution to ensuring your data is safe before resale, you recommend “turning your phone into swiss cheese”. Perhaps you should consider giving your readers useful advice that allows them to keep the resale value of their phone?

  3. gmich says

    I’ve been a GBM reader for a long time, and this is one of the most frustrating articles I’ve read here. As another commenter said, just a few days ago you published a “how to” about how to wipe an Android device. Now this gives completely different advice. So which is it? I have a mint condition Galaxy S II, and I’m really hesitant to smash it to bits when I can sell it for at least $300. Are you really advocating every Android phone get destroyed rather than sold (which is a kind of recycling)? I’ve never read advice like this anywhere else on the web, including on Android-only sites. Is this responsible reporting, or just an effort to get hits to your site?

    • Guthrie says

      Look at the amount of articles that are lists or fanboy bait. Then you tell me if they seem to be primarily fishing for hits these days. GBM used to have a totally different feel. It’s like a factory for the most part lately.

  4. HildyJ says

    Without knowing where the data resided, it’s hard to believe this is anything other than people leaving in SD or SIM cards, neither of which are wiped by a factory reset and neither of which should be included when you sell your phone.

    I’d be willing to bet that McAfee will be offering a new “must have” security app.

    As far as Javelin’s contention that smartphone users are more likely to be victims of identity theft, well duh. Smartphone users are more wealthy. As the once-famous bank robber Willie Sutton said when asked why he robbed banks: “because that’s where the money is.”

  5. Julesv1 says

    With Ice Cream Sandwich and Honeycomb, use the native full disk encryption... and get rid of the SD card before you sell it! 100% effective.
    Works on Galaxy Nexus...

  6. Harold says

    I performed a factory reset of my Android device yesterday and haven’t used it at all. I expected it to be free of data I had input into the device prior to the reset. After reading this article, a few minutes ago I installed and used the same program the author of this article used, EaseUS’ Data Recovery Wizard, to see what might come up on my device. Just as the author showed, I discovered data that I thought I had removed from the device. Tons of data.

    After reading some of the comments regarding the SD card, I suspected much of that data might be located on the external storage, so I unmounted and physically removed the card, hoping I might be able to run the recovery software on the device without the SD card inserted. Unfortunately I found that the device could no longer be recognized by my PC. No USB mode prompt displayed on the device, nothing. I rebooted the device but still, no recognition. So in order to continue with my testing I had to insert the SD card back into the device to remount it.

    Since I couldn’t test with the SD card physically removed, I wiped (erased) the SD card clean and then ran the data recovery program again. Again, I discovered data. Though things appeared to be a bit different, it appears that the same amount of data could still be recovered.

    I’m glad I found this article; the stock ROM I had backed up to distribute to others will have to be put on hold until I can be assured my personal data is truly wiped from the device.

  7. Noodle says

    This is nonsense.

    Yes a factory reset only restores factory settings. It tells everything on the storage that it’s ok for the disk to write over that info. This is not a destructive wipe. It does not destroy the information on the disk. Just tags it to be written over.
    THIS IS TRUE OF EVERY OS – ANY TIME YOU DELETE ANYTHING

    For Android I’m sure there is an app to securely delete everything. Otherwise:
    1) Factory Reset.
    2) Boot the device DO NOT LOGIN TO YOUR GOOGLE ACCOUNT
    3) Fill the device with information (fill it full of music or movies) this ensures that all the information tagged to be “deleted” is overwritten.
    4) Once the device and/or SD card are full, factory reset.

    Anyone reading what’s tagged to be overwritten on your device will now only find the data you used to fill the device (movies and music).
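Here is an added example, written for this page and not code from the article or any commenter, that models why the author's recovery tool still found a photo and an email address after a reset, and what the fill-then-reset procedure in the comment above does to that residue. `ToyStorage` is a hypothetical stand-in for an SD card or flash partition, `carve()` does the signature scan that simple file-carving tools perform, and the photo stub and `alice@example.com` are constructed placeholder values.

```python
import re
# Constructed signatures in the spirit of file carvers: a JPEG runs from the SOI
# marker to the EOI marker; email addresses are matched with a regex.
JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

class ToyStorage:
    """Hypothetical model of an SD card: a directory maps names to (offset, length),
    a flat bytearray holds the contents. 'Factory reset' only forgets the directory."""
    def __init__(self, size):
        self.data, self.entries, self.next_free = bytearray(size), {}, 0

    def write(self, name, payload):
        if self.next_free + len(payload) > len(self.data):
            raise IOError("storage full")
        self.data[self.next_free:self.next_free + len(payload)] = payload
        self.entries[name] = (self.next_free, len(payload))
        self.next_free += len(payload)

    def factory_reset(self):
        self.entries.clear()  # directory gone, raw bytes untouched (like unlink)
        self.next_free = 0

    def fill_then_reset(self, filler):
        """Commenter's fill-then-reset: write filler 'songs' until full, reset again."""
        n = 0
        while self.next_free < len(self.data):
            self.write("song%d.mp3" % n, filler[:len(self.data) - self.next_free])
            n += 1
        self.factory_reset()

def carve(image):
    """Scan raw bytes (a dd image of a real card works too) for JPEG/email residue."""
    image, jpegs, pos = bytes(image), [], 0
    while (start := image.find(JPEG_SOI, pos)) >= 0:
        end = image.find(JPEG_EOI, start)
        if end < 0:
            break
        jpegs.append(image[start:end + 2])
        pos = end + 2
    return {"jpeg": jpegs, "email": [m.group(0) for m in EMAIL_RE.finditer(image)]}

def demo():
    store = ToyStorage(256)
    store.write("IMG_0001.jpg", JPEG_SOI + b"\x00\x10JFIF" + b"\x01" * 20 + JPEG_EOI)
    store.write("accounts.txt", b"login: alice@example.com pw: hunter2")  # constructed
    store.factory_reset()
    after_reset = carve(store.data)      # photo and email are still there
    store.fill_then_reset(b"la la la " * 8)
    return after_reset, carve(store.data)  # second result is empty
```

The model ignores filesystem journaling (raised in a later comment) and flash wear-leveling, both of which can keep copies of old bytes outside the logical space you overwrite, so a clean carve of a dd image is evidence that a wipe worked, not proof. Full disk encryption before the reset, as another commenter suggests, does not depend on every cell being overwritten.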

  8. GRIMMEDIC says

    Yeah, Noodle is right, don’t let the media scare you. Do as he says and your information will be overwritten; no matter what they have, they will not be able to pull up your old information!

  9. Gust says

    Not nonsense… but there are other solutions besides shooting holes in your phone (which by the way was not the least bit helpful). A quick search on Google for “android secure erase app” returned results for multiple apps to securely remove data. I haven’t yet tried them but probably will the next time I swap out a phone. Also, in reference to the comment about forcing the phone to overwrite deleted data by adding music and movies until storage is filled, what do you think about this (from http://www.securedeletion.com/, an android secure wiping app’s site):

    “Standard countermeasures do not help, such as overwriting files with random data, due to special features of the Android’s file system (namely the use of journaling).”

    PS: Always remove your media (i.e. MicroSD) card from your phone if you do not know how to securely wipe it. If you have a Mac and a MicroSD card reader, you can easily, securely wipe it with Disk Utility (make sure to select an appropriate Security option, i.e. 7-pass deletion). Not all personal data is stored on media cards; the most important stuff is usually included on the phone’s internal storage, so make sure you don’t just securely wipe the MicroSD card and think you are safe.
