Android's factory reset has a security problem. Here's how to fix it

How do you sell a phone without giving away the data on it? If you've used a phone even briefly, it's filled with all kinds of sensitive data, including passwords and login tokens alongside personal texts and photos, all of which need to be erased before you can safely put the phone up for sale. The standard answer is a factory reset, which wipes the memory and restores the phone's settings, but there's a growing body of evidence that, for Android phones at least, the factory reset isn't enough.

A study published last week revealed methods that can dig up incredibly sensitive data from supposedly wiped phones, including the login token used to sign into Google accounts. The core of the problem is flash memory, which limits how often a given block of memory can be overwritten. As a result, a factory reset will often designate data as logically deleted (that is, available to be overwritten) without actually overwriting it, so as to prolong the life of the hard drive. Using a variety of database recovery tools, two Cambridge researchers were able to scan the wiped phones for portions of the hard drive that had been designated as logically empty, recovering photos, passwords, and chat logs. In theory, the factory reset is supposed to wipe all that data, but thanks to the quirks of flash memory, it wasn't being wiped all the way.

Those flash memory issues aren't new, but combined with the way mobile apps handle logins, they have serious consequences for Android users. Once you've logged into a mobile app, the phone preserves that login with a local authentication token — essentially a password that only your phone sees. If that token falls into the wrong hands, attackers can use it to log in, just like a stolen password. Since those tokens all live in the memory of the phone, they're a prime target for thieves — and if the factory reset doesn't erase them, thieves could use those tokens to compromise every app on your phone.

The quick fix for this is simple: encrypt the data on your phone before you get rid of it. (You can find the option at Settings > Security > Encrypt Phone, for any Android version since 3.0.) Adrian Ludwig, the lead engineer for Android security, recommended preemptive disk encryption for anyone giving up their phone. "If you plan to resell or discard your device and you haven’t already, encrypt it and then perform a factory reset," Ludwig said, when asked for comment on the Cambridge paper. If the phone's hard drive is encrypted, any unerased data will be scrambled and effectively useless. Disk encryption mostly protects against attackers with physical access to your device, so it's often overlooked in favor of network-based security measures like two-factor authentication — but for this attack, it's the single most important protection you can have. It's not complete protection, since it's possible to use brute force to crack the simpler disk-encryption passwords, but the more complex a password you choose, the more difficult and expensive it will be for attackers to break through.
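The mechanism the article describes in the preceding paragraphs, as an added simulation that is not code from the original article or from Android: a toy flash translation layer in which every write lands on a fresh, least-worn page (wear leveling) and a "factory reset" only marks pages free without touching any cell (logical deletion). A pattern search over the raw pages, in the style of the recovery tools mentioned above, then checks three cases: reset only, "Encrypt Phone" run after the data was written and then reset, and encryption switched on before any data was written with the key destroyed at reset. The page layout, the SHA-256 keystream standing in for a real per-sector cipher, and the user data with its placeholder token are all constructed for the demo. The second case also illustrates the caveat raised in the comments below: encrypting in place writes ciphertext to new cells, so the old plaintext cells can survive until the device recycles them.

```python
import hashlib
import os
import re

PAGE = 32  # bytes per simulated flash page (constructed; real pages are KiB-sized)


class Flash:
    """Toy flash translation layer: wear-leveled writes, logical deletion."""

    def __init__(self, logical_pages, spare_pages):
        self.phys = [b"\xff" * PAGE for _ in range(logical_pages + spare_pages)]
        self.erases = [0] * len(self.phys)
        self.free = set(range(len(self.phys)))  # erased, ready to be written
        self.stale = set()                       # unmapped but still holding data
        self.lmap = {}                           # logical page -> physical page

    def _alloc(self):
        if not self.free:
            if not self.stale:
                raise RuntimeError("device full")
            for p in self.stale:                 # garbage collect: real erase
                self.phys[p] = b"\xff" * PAGE
                self.erases[p] += 1
            self.free, self.stale = self.stale, set()
        p = min(self.free, key=lambda i: self.erases[i])  # least-worn page first
        self.free.remove(p)
        return p

    def write(self, lpage, data):
        assert len(data) == PAGE
        if lpage in self.lmap:
            self.stale.add(self.lmap[lpage])     # old copy is NOT overwritten
        p = self._alloc()
        self.phys[p] = data
        self.lmap[lpage] = p

    def read(self, lpage):
        return self.phys[self.lmap[lpage]]

    def quick_reset(self):
        """Factory reset as described: mark every page free, touch no cell."""
        self.stale.update(self.lmap.values())
        self.lmap = {}

    def raw_dump(self):
        """What a recovery tool reads: every physical page, mapped or not."""
        return b"".join(self.phys)


def page_cipher(key, lpage, data):
    """Constructed stand-in for a per-sector cipher: one SHA-256 keystream
    block per page, XORed over the data. Demo only, not a substitute for AES."""
    ks = hashlib.sha256(key + lpage.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, ks))


def find_tokens(raw):
    """Pattern search over a raw dump for anything shaped like a login token."""
    return sorted(set(re.findall(rb"token=[A-Z0-9-]+", raw)))


# Constructed user data; the token is a made-up placeholder, not a real credential.
USER_PAGES = [
    b"contacts: alice, bob".ljust(PAGE, b"\x00"),
    b"token=EXAMPLE-LOGIN-TOKEN-0001".ljust(PAGE, b"\x00"),
    b"photo0001.jpg header bytes".ljust(PAGE, b"\x00"),
    b"chat: see you at 9".ljust(PAGE, b"\x00"),
]


def reset_only():
    """Plaintext phone, factory reset: the token survives in a stale page."""
    dev = Flash(logical_pages=8, spare_pages=4)
    for i, page in enumerate(USER_PAGES):
        dev.write(i, page)
    dev.quick_reset()
    return find_tokens(dev.raw_dump())


def encrypt_in_place_then_reset():
    """Encrypt after the fact, then reset: ciphertext lands on new cells and
    the plaintext cells stay stale, so the token is still there."""
    dev = Flash(logical_pages=8, spare_pages=4)
    for i, page in enumerate(USER_PAGES):
        dev.write(i, page)
    key = os.urandom(32)
    for i in range(len(USER_PAGES)):
        dev.write(i, page_cipher(key, i, dev.read(i)))
    dev.quick_reset()
    return find_tokens(dev.raw_dump())


def encrypted_from_first_use_then_reset():
    """Encryption on before any write, key destroyed at reset: only ciphertext
    is left, and nothing in the dump can decrypt it."""
    dev = Flash(logical_pages=8, spare_pages=4)
    key = os.urandom(32)
    for i, page in enumerate(USER_PAGES):
        dev.write(i, page_cipher(key, i, page))
    dev.quick_reset()
    key = None  # the key lived outside the data area and is wiped with it
    return find_tokens(dev.raw_dump())


if __name__ == "__main__":
    print("reset only:              ", reset_only())
    print("encrypt in place + reset:", encrypt_in_place_then_reset())
    print("encrypted from day 1:    ", encrypted_from_first_use_then_reset())
```

The three functions return what the pattern search finds; only the third comes back empty. The simulation is deliberately small (12 physical pages, 4 of them spare), which is enough to show why the protection depends on the data having been encrypted before it was written and on the key being erased, not merely on the reset.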

Disk encryption is also why, for the most part, iPhones are already protected. iPhones use the same solid-state memory as Android phones, but iOS devices have provided full disk encryption since 2009, when iOS 3.0 was deployed. More importantly, that encryption is supported by Apple's own hardware. Today's iPhones have a co-processor devoted entirely to security measures, known as the Secure Enclave, which manages keys and performs the grunt work of actually decrypting the data. In theory it would be possible to recover scraps of encrypted data and decrypt it through brute force, but it's a risky and difficult process, enough to scare off all but the most determined attackers.

That's why, when security companies dive into the problems with factory resets, they generally pick on Android rather than iOS. When the security company Avast tried to dig up data from 20 wiped Android phones last year, they were able to search for specific patterns that would indicate photos, texts, or other sensitive data, resulting in 250 nude male selfies. But the iPhone's encryption scrambles those patterns, leaving researchers back at square one. "iOS forensics is much harder to do than Android, as you have to deal with encryption," said Jaromír Hořejší, a researcher at Avast. "You might be lucky to recover the key to unlock the encrypted files, but the key may or may not work as the encryption algorithm is not public."

Google built similar protections into the Nexus 6 and 9, but providing that level of security across Android has proved significantly more difficult, despite significant support in the codebase. Encrypting the entire file system means the phone has to actively decrypt any data it wants to use, which can seriously hurt performance if the phone doesn't have enough processing power. The iPhone solves that with a dedicated co-processor, but setting aside that computing power is expensive, and many cheaper Android phones simply aren't equipped for it. Google had initially planned to make full disk encryption a default setting in Lollipop, but backed off the promise earlier this year when the performance issues proved too difficult to overcome. That's less of an issue if you're encrypting the phone before a factory reset, but when a phone is lost or stolen, the default setting can be the only thing keeping your data safe.

It's a classic security quagmire, playing off the intersection of hardware vendors, application security, and Android at large, with no easy solution from any angle. The good news for users is that harvesting data from factory-reset hard drives is slow work, and most of what’s recovered is low-value data like texts and contact lists. For now, criminals seem to have decided it's not worth the trouble. The Cambridge researchers have also been working with Google to plug up the security holes from the Android side, so hopefully the attacks will become even more daunting as time goes on. "It's good to see the improvement in Android 5.0," said Ross Anderson, one of the Cambridge researchers. "We hope that phone resellers will take appropriate procedural measures to manage the residual risk."

Comments

Just to expand on this a bit. Whenever you format a storage device with the "quick format" button, it doesn’t actually wipe the files off (they aren’t reset to all 0s). Instead, the quick format simply deletes the table allocation blocks of your hard drive to different files.

It is trivial to recover files from storage media that has been quick formatted, so if you are actually worried this might happen, please use a proper file shredding program.

When you’re using flash memory (and this includes SSDs), file shredding programs do not work. Flash uses wear balancing algorithms in order to prolong the life of the hardware (it can only have its 1s and 0s flipped a finite number of times), so the actual area a shredding program overwrites may be nowhere near the original data of the file. Some SSDs may offer proprietary hooks to avoid this, but I don’t think they’ve been standardised yet, so it’s unlikely your OS device driver will use it.

As a side note, iOS devices (iPhone 4s and onwards I think) get around some of this by storing parts of the encryption keys in an area called Effaceable Storage. This is a special part of the flash memory where the OS has the low level direct access to the hardware it needs to allow it to securely erase the contents. It is a very small area (around 960 bytes on iPhone 4s – not sure how large recent devices are) but that’s all it needs to be. Once the encryption key in that part is erased, everything on the phone is unrecoverable because it cannot be decrypted. It’s a nice solution that I’d love to see Android devices adopt.

I wonder how Samsung Pay/Google Pay are going to solve the security issue.

Now, even with the finally better Swedish fingerprint sensor, the SGS6 can theoretically be used for payments.

However, there is no Secure Enclave in those. This means that the safety of users is totally in the hands of the current version of the OS and its inevitable vulnerabilities. Also, with Huawei Ascend Mate 7 devices, which also have a good fingerprint sensor, there are chances that OS updates will not come for long.

This means that the safety/security of all of those devices is fundamentally undermined.

Samsung claims the Pay section is Knox-ed. However, if you root your Galaxy device you’re losing the Pay feature indefinitely. As for Knox itself it’s super secure as it passed all the US gov certs it would have needed. It’s practically equal to Blackberry.
Don’t know much about Huawei. Maybe they have a secure enclave, maybe not (being from China and all).

This thing is NSA-approved; not sure how good is that.

iOS versus Knox never got NSA-approved, despite its security measures, and one might wonder, why.

I similarly remember that the UK PM was annoyed by end-to-end encrypted chat apps, iMessage, WhatsApp, etc. Oddly, no one said anything about Blackberry, which I remember still represents the security standard in this environment. There were also those BB issues with India and Saudi Arabia regarding encryption that suspiciously "sorted" themselves.

Maybe all these certifications don’t mean what we naively think they do and are actually the opposite. "Known quantities".

There are some apps which encrypt their own appdata.
So it isn’t really an issue if the developers do it properly.

"hard drive"?

How quaint. Next thing we’ll be talking about those floppy SD cards…

Wonderful.

Here’s hoping simple odds are in our favor for those of us who have sold our old Android devices. Maybe if one of mine is exploited I’ll buy a lottery ticket…

Couldn’t Android remedy this by adding a couple of steps to the factory reset process?

1) reset as it currently does (designate as "deleted")
2) fill all memory with some meaningless data
3) repeat step 1

Obviously it doesn’t address the encryption issue, but I’ve done this with hard drives before tossing them. Is there some reason all factory resets don’t do this?

It would make a factory reset take an hour instead of 2 minutes.

If implemented as a special, optional feature it would still make perfect sense for this particular use case.

That’s a good point. "Are you keeping your device?" → short version. "Are you re-selling or disposing of your device?" → long version.

Windows 8 does just this.

Technically 5.1 tried to fix it by suggesting the encryption on first setup.

This article is bad advice, as mentioned in the paper itself and other articles:

One of the most concerning findings is that data users presume has been wiped during reset in many cases can be recovered and read even when a phone has been protected with full-disk encryption. That’s because the file that stores the decryption key isn’t erased during the factory-reset process. While the key is itself encrypted with a cryptographic salt and a user-selected PIN or password, recovery of the "crypto footer," as the encrypted file is known, gives an attacker everything needed to perform an offline cracking attack. Based on the data supplied in this post, security consultant White estimated successful cracks would take a matter of seconds for typical PINs and a matter of a few hours to a day for longer passwords.

Meanwhile, on iOS:

Securely erasing saved keys is just as important as generating them. It’s especially challenging to do so on flash storage, where wear-leveling might mean multiple copies of data need to be erased. To address this issue, iOS devices include a feature dedicated to secure data erasure called Effaceable Storage. This feature accesses the underlying storage technology (for example, NAND) to directly address and erase a small number of blocks at a very low level.

-from Apple’s April 2015 iOS security white paper

Hmmm, what’s an Android user to do, then? I read the comments at the link you provided, and it appears that encrypted Android 5.x is probably more secure, but I didn’t see any consensus on how much more secure.

There’s not much you can do.

Repeated encryption should work as the key would be replaced/overwritten too. When I sold my N5 I did the encrypt then wipe process several times.

Re-set up the phone another time and encrypt it, then wipe again.
Flash memory shouldn’t be recoverable when overwritten with data once.

but full disk encryption means it doesn’t matter if data isn’t erased…

To be honest, that article is assuming weak passwords. That’s not entirely fair. Yes, PINs are brute-forced trivially easily. But the crypto is solid. If you use a 10+ character password with capitals, numbers and some special characters, you’re not getting through it in hours or even years.
Now nobody wants to be typing such long passwords just to unlock your phone. But there are several smart lock features that let you skip the password if you are in certain areas or using face unlock/voice or an Android Wear device. I wish Google would just let you choose a long password to encrypt your key and a PIN to unlock your phone. And only ask for the decryption password during boot.

More importantly though, the advice in this article is useless for a whole other reason. Encrypting your device will just encrypt what’s on there right now and wear leveling on the storage ensures the encrypted data is most likely written back to completely different physical cells. If you’re only using 10% of your storage, it’s likely that almost none of the encrypted storage is written back to the cells that held the unencrypted data and as a result almost all of the unencrypted data is still recoverable.
Even if the storage is entirely in use, storage chips use over provisioning to replace failed cells. These are also part of the wear leveling algorithm. Meaning that cells that used to hold data, may suddenly not be writable and cells that weren’t available step in to replace them. In the end, there is always a small percentage you can’t get to. Say 10%.

The only real solution is encrypt from day 1 using a strong password. Before entering any sensitive data into the device.
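The point made in the quoted Ars passage earlier in the thread, and the reply above about password length, as an added example that is not code from the original page or from Android: a constructed "crypto footer" in which a salt and a PIN/password-derived key wrap the disk master key, so that anyone holding the footer can test guesses offline without the rest of the device. The footer layout, the PBKDF2 work factor (kept very low so the whole 4-digit PIN space runs in about a second), the 8-byte check value and the example PIN are all assumptions for the demo, not Android's real on-disk format. The timing functions show what the same per-guess cost means for a 4-digit PIN versus a 10-character mixed password, which is the defensive takeaway: a short PIN is cheap to exhaust, a long passphrase and a high derivation cost are not, and a footer that is properly erased leaves nothing to guess against.

```python
import hashlib
import hmac
import os
import time

# Constructed work factor. Real key derivation uses far higher iteration counts
# (and later Android versions moved to scrypt); it is kept low here so the full
# 4-digit PIN space can be tried in about a second on a laptop.
KDF_ITERATIONS = 100
CHECK_LEN = 8


def derive_kek(secret, salt):
    """Key-encryption key from the user's PIN/password and the footer salt."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, KDF_ITERATIONS, dklen=32)


def make_footer(secret, master_key, salt=None):
    """Constructed footer: salt, master key XORed with the KEK, and a short
    check value so a guess can be verified without touching the disk."""
    salt = salt if salt is not None else os.urandom(16)
    kek = derive_kek(secret, salt)
    wrapped = bytes(a ^ b for a, b in zip(master_key, kek))
    check = hmac.new(master_key, b"footer-check", "sha256").digest()[:CHECK_LEN]
    return {"salt": salt, "wrapped": wrapped, "check": check}


def unwrap(secret, footer):
    """Return the master key if `secret` is right, else None. Everything needed
    is inside the footer, which is why an unerased footer permits offline guessing."""
    kek = derive_kek(secret, footer["salt"])
    master_key = bytes(a ^ b for a, b in zip(footer["wrapped"], kek))
    check = hmac.new(master_key, b"footer-check", "sha256").digest()[:CHECK_LEN]
    return master_key if hmac.compare_digest(check, footer["check"]) else None


def exhaust_pin_space(footer, digits=4):
    """Try every numeric PIN of the given length against the footer.
    Returns (pin, guesses_made) or (None, guesses_made)."""
    for n in range(10 ** digits):
        pin = str(n).zfill(digits)
        if unwrap(pin, footer) is not None:
            return pin, n + 1
    return None, 10 ** digits


def seconds_per_guess(footer, samples=200):
    """Measure the cost of one offline guess on this machine."""
    t0 = time.perf_counter()
    for n in range(samples):
        unwrap("timing-probe-%d" % n, footer)
    return (time.perf_counter() - t0) / samples


def expected_crack_seconds(per_guess, alphabet_size, length):
    """Expected time to hit a uniformly chosen secret: half the space."""
    return (alphabet_size ** length / 2) * per_guess


if __name__ == "__main__":
    master = os.urandom(32)
    footer = make_footer("7391", master)  # constructed 4-digit PIN
    pin, tries = exhaust_pin_space(footer)
    print("PIN recovered from the footer alone:", pin, "after", tries, "guesses")
    cost = seconds_per_guess(footer)
    print("4-digit PIN, expected:     %.2f s" % expected_crack_seconds(cost, 10, 4))
    years = expected_crack_seconds(cost, 70, 10) / 3.15e7
    print("10-char mixed password:    %.1e years" % years)
```

Raising `KDF_ITERATIONS` scales every figure linearly, which is exactly the lever a real implementation uses; the ratio between the PIN and the passphrase does not change, because it is set by the size of the secret space alone.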

If you read the paper, I think you’ll find Ars overstated this a little bit. Even once the footer is recovered, a brute force attack is necessary to crack the encryption. It’s true that, in some cases, it’s possible to recover the key, but it’s not trivial to do so, just as it’s not trivial to decrypt the data once you’ve uncovered the internally-stored version of the key. All these things take time, and the more time it takes, the harder it is for criminals to perform these attacks at scale.

Given that, I’m not sure why you think it’s bad advice. The point here isn’t to give perfect protection. If you want that, you shouldn’t be reselling your phone in the first place. The question is, what reasonable measures can a person take to protect their data? Factory reset alone isn’t enough, but in conjunction with FDE, it is.
