The churn of Android devices, whether older smartphones being traded in or sold online, makes device sanitization imperative. The native feature in the OS, however, may not be doing as thorough a job as advertised.
A paper, “Security Analysis of Android Factory Resets” (pdf), published by Ross Anderson and Laurent Simon of the University of Cambridge in the U.K., throws back the curtain on the incompleteness of Android Factory Reset, leaving as many as half a billion devices exposed to data loss, including credential theft and exposure of personal emails and chats. Another 630 million devices, Anderson and Simon said, are likely not properly erasing the internal SD card where multimedia files are stored.
The researchers studied the behavior of 21 Android smartphones from five vendors running different versions of the OS starting at Froyo (2.3) to Gingerbread (4.3). Most flagrant was the recovery of Google credentials from all devices with the flawed reset option, Anderson and Simon said, putting backed up data at risk as well as access to other services. They added that even the use of full-disk encryption on a device doesn’t completely mitigate the issue because the shoddy reset leaves behind enough of the encryption key that it is recoverable.
Anderson and Simon said the economic trickle down and accountability fostered onto vendors is real.
“So data sanitization problems have the potential to disrupt market growth. If users fear for their data, they may stop trading their old devices, and buy fewer new ones; or they may continue to upgrade, but be reluctant to adopt sensitive services like banking or healthcare apps, thereby slowing down innovation,” the researchers wrote. “Last but not least, phone vendors may be held accountable under consumer protection or data protection laws.”
The failures, they said, range from a lack of support from the OS for proper deletion of the data partition in flash memory in older 2.3 devices, incomplete upgrades pushed to flawed devices by vendors, a lack driver support in newer devices to properly address deletion, a lack of Android support on internal and external SD cards in newer devices, and the inability of full disk encryption in newer versions of the OS to help.
“When removing a file, an OS typically only deletes its name from a table, rather than deleting its content,” the researchers wrote. “The situation is aggravated on flash memory because data update does not occur in place, i.e. data are copied to a new block to preserve performance, reduce the erasure block count and slow down the wear.”
The best level of sanitization, Anderson and Simon said, would be Analog or Digital sanitization which makes data reconstruction impossible, even in a firmware bypass. In most cases, however, Android settles for Logical sanitization, which erases flash blocks via standard hardware interfaces such as eMMC or even the ioctl system call in the Linux kernel. Android’s Logical implementations, however, are incomplete, the researchers found, putting data stored in the data partition (application private directories where Google and third-party credentials are stored), internal SD card (stores multimedia files), or the external SD card (which can be physically removed and behaves similar to the internal card).
The results, the researchers said, were not pretty. Data partition sanitization degrades over time; in older versions, such as Froyo (2.2) sanitization was logical using the yaffs2 file system, which ensured that a partition could not be reformatted without proper sanitization. Froyo also used ioctl’s MEMERASE command for digital sanitization. When Gingerbread rolled around, eMMC had replaced yaffs2 and partitions were able to be reformatted without being sanitized, Anderson and Simon said. They said 90 percent of the data partition was sanitized insecurely, at most a few hundred megabytes deleted. Only the HTC Wildfire S passed muster since it stuck with yaffs2, they said.
“We verified that the phone binaries indeed contained the newest code from AOSP, i.e. with logical sanitization support. We then turned our attention to lower level code, and found that vendor upgrades likely omitted device drivers necessary to expose the logical sanitization functionality from the underlying eMMC,” the researchers wrote. “In practice, this means that the secure command BLKSECDISCARD is not supported by ioctl.”
As for the primary, or internal, SD card, it has never been logically sanitized putting up to 340 million devices at risk, while the researchers said the Android doesn’t even attempt to sanitize the external SD card at all.
Anderson and Simon said they used SQLite file-carving to recover multimedia files from the partitions, and pattern matching techniques to recover the remaining data since it sticks to rigid and distinct file formats.
“For example, we recovered some ‘Conversations’ (SMSes, emails, and/or chats from messaging apps) in all devicesĀ using pattern matching. Compromising conversations could be used to blackmail victims,” the researchers wrote. “Gmail app emails were stored compressed. By searching for relevant headers, we were able to locate candidates and then decompress them. We found emails in 80 percent of our sample devices, but generally only a few per device.”