User data retrievable from second-hand smartphones

Thinking of selling your old smartphone? Watch out, as its data may be retrievable even after wiping it!
User data is routinely retrievable from second-hand Android devices that have been wiped through a factory reset, a new Cambridge study has warned.
Most Android handsets offer no easily accessible way of deleting user data including access tokens, messages, images and other content, researchers said.
The factory-reset shortcomings uncovered by researchers at the Cambridge University affect an estimated 500 million Android handsets, and pose a problem for organisations that routinely resell such devices.
Researchers said up to 630 million people do not properly wipe multimedia files.

They examined 21 second-hand devices running Android versions 2.3 to 4.3 from five manufacturers that had been wiped using the operating system's built-in factory reset feature, 'Tech Week Europe' reported.

Researchers said the problems also exist with third-party data deletion applications. Similar problems are likely to persist in newer versions of Android.
The team was able to recover data including multimedia files and login credentials from wiped phones, and many of the handsets yielded the master token used to access Google account data, such as Gmail.
Such data can be recovered even from handsets protected by full-disk encryption, researchers said.

The problem results from multiple issues, including the inherent difficulty of fully deleting data from the flash memory used in smartphones, something due to the physical nature of such memory chips, according to the research.
The researchers were able to recover the master token in a device and found that after reboot, it successfully re-synchronised contacts, emails and other data.
The master token, used to access Google accounts, was found to be retrievable in 80 per cent of the devices that had a flawed factory reset mechanism.