User Data, Including Full Bitcoin Wallet Access, Retrievable From Secondhand Android Phones
In a new study by Cambridge University, user data is routinely retrievable from secondhand Android devices that have been wiped through a factory reset. Most Android devices offer no way of easily deleting user data such as access tokens, messages, images, and other content. The problem doesn’t affect only a small percentage of Android users, it affects an estimated 500 million Android devices, this poses a problem for companies that resell used Android devices. In addition to the 500 million affected devices, up to 630 million people do not properly wipe multimedia files in their devices prior to getting rid of them (through either sale, gift or disposal.) Researched examined 21 secondhand devices running OS versions 2.3-4.3 from five different manufacturers that had been wiped using the built in factory reset function.
The problems faced by the OS also affect third-party data deletion applications, so Android users don’t have a good way to dispose of their data through either 3rd party applications or built-in OS options. Researchers were able to recover multimedia files, login credentials, and even the master token used to access Google account data such as Gmail, Adsense, Docs, and any other Google platform.
Even if the device is fully encrypted, this data can still be recovered. The problem comes from multiple issues including the fact that these devices use Flash memory which is considered to be one of the most un-volatile forms of memory (and fastest) available. It wouldn’t make sense to put a mechanical hard drive in a phone to use for storage, but things stored on flash memory are incredibly resilient, and the memory chips are very physical in nature.
When something is deleted off of a phone, it isn’t truly gone. Flash memory actually isn’t truly gone until it is overwritten. For example, if you delete an app on your phone, you will see that you have the extra space on your phone now, but the app won’t be truly deleted until you store something that would need the memory used by the deleted app. This property of flash-based memory is one of the only drawbacks of the cheap but powerful memory storage method. Data has been taken from discarded or secondhand flash drives that appear to be empty in the past due to the physical nature of the memory.
The problem with Android devices is a combination of the nature of flash based memory and an inherent problem with the OS in the ability to steal data after a full factory reset. Master tokens were retrievable in 80% of the devices with the faulty factory reset mechanism. Email accounts are a powerful thing these days, if someone has access to your email account, they will be able to access most online services you use through a forgot password function. This is a very serious issue that needs to be addressed quickly.
For Bitcoin users, this issue poses another threat. Fully encrypted wallet data is accessible (including passcodes to unlock wallets and spend funds.) With the popularity of mobile Bitcoin wallets and banking apps, Whoever owns your Android device (even after a factory reset) would have access to your banking accounts, your Bitcoin wallet, your email, and many images, texts, phone contacts, and other access data that belongs to you. Any application that lacks 2FA is totally out of your control at that point. As soon as someone has access to your Bitcoin funds, those transactions are irreversible.
To avoid these serious problems, hold out on selling or getting rid of your Android device, update to the latest OS version and wait until a hot fix has been put into place, and enable 2FA on any third-party application and service possible.
What do you think about the Android issue? Comment below!
Images via Android and Pixabay.