Don’t worry boys, I’ll have the NSA delete it for me / White House
If you’re selling an old Android smartphone on an online auction site you could be giving away rather more than you intend to, according to a recent investigation by anti-malware company Avast.
Going through phones that had supposedly been “factory reset”, the company’s researchers were able to view photos taken by the phone’s original owners. In addition to the usual harmless photos of the family cat were naked selfies that the original owners would never have wanted them to see.
What’s more, the researchers were able to do this simply by using a range of free smartphone forensic tools that are easy to use by technical enthusiasts as well as professional forensics experts.
How it works
Electronic data, stored either on a solid state drive or a traditional hard disk, persist even when we think we have wiped the storage device. Many readers will naturally assume that when you delete a file, it has been removed from your phone or computer.
The way it actually works is that the link (or reference) to the file is deleted, but the original file is still there – so that inappropriate selfie is still in your phone’s storage even if you can no longer see it in the photo browser. What’s worse is that, unless the file is fully overwritten, you may find that the dodgy pictures remain for some considerable time.
The issue spotted by Avast is that the “factory settings” feature of some older Android phones does not overwrite every “bit” of data, instead it simply removes the file references.
Which phones are affected?
Based on their research, it is only Android devices that are affected. iPhones encrypt their storage, which adds a layer of strong security. So even if you could see that the data existed, you couldn’t see what it was as you won’t have access to the original security keys.
It would seem that Windows and Blackberry phones are not affected either. Researchers may yet discover issues, but as it stands there are no concerns.
How to protect your data
The best advice I can give if you intend to sell on your Android phone is to first consider carefully how you may have used the device. If there are – or were, ever – any pictures or data on the phone that you do not want to fall into the hands of others then keep the phone, do not sell or give it away.
There are also ways that you can encrypt your Android, and this is a technique worth considering.
But the only truly secure way to destroy the data is to smash the phone into little pieces then throw it into a bonfire.
Personally I prefer to store only impersonal and chaste data on my phone. Best not to take pictures of your cat unless you really want others to see your kitty.
Andrew Smith is a Lecturer in Networking at The Open University in the UK. He does not work for, consult to, own shares in or receive funding from any company or organisation that would benefit from this article, and has no relevant affiliations. This article was originally published on The Conversation. Read the original article.