When it comes to mobile phones, the “circular economy” gives second-hand devices a longer life in the hands of users, reduces the need for purchasing brand-new phones, preserves resources and reduces the impact of digital waste on the environment.
This often involves recycling materials and reusing components such as the microprocessor and memory storage in mobile devices. For example, if a smartphone has been damaged and doesn’t boot up anymore, chances are high that those components (and others) are fully functional. It is simply a matter of de-soldering and cleaning them so that they are ready to be used again.
However, one of the hazards of giving a mobile phone a second life is that data from the previous user could be discoverable by later owners.
Second-Hand Android Devices Hold Onto Data After Factory Reset
Blancco participated in the SustainablySMART project funded by the European Union, and the team presented results from the project session “Smartphones: Repair, Remanufacturing and Reuse of Components,” at the 2018 CARE Innovation, Vienna.
Below is a summary of what we discovered through our analysis, as well as links to the full reports and presentations.
Paper 1: “Implications of Circular Economy on Users’ Data Privacy: A Case Study on Android Smartphones Second-Hand Market”
For this first study, we focused on the IT asset disposition (ITAD) business in Europe. We purchased 100 Android smartphones from various ITAD operators. These phones had been reset to factory settings on the ITAD’s premises. Our goal was to analyze whether those devices still retained data from previous users.
The sample covered all Android OS versions from 2010 (Gingerbread, 2.3) to 2016 (Nougat, 7.0). For each device, the process started with a manual check using the phone’s user interface. Then, we accessed the device’s memory via forensic tools or low-level hardware techniques. Finally, we conducted the analysis and classified the results.
During this process, we were able to recover data on 19 percent of the sample (19/100), with ten of those phones containing non-critical data (SMS and call logs from the carrier). More concerning, however, was that on eight phones, we recovered critical personal data. One phone had critical corporate data.
We talk more about these results in our paper, “Implications of Circular Economy on Users’ Data Privacy: A Case Study on Android Smartphones Second-Hand Market.”
Paper 2: “Analysis of Data Remanence After Factory Reset, and Sophisticated Attacks on Memory Chips”
For our next analysis, we wanted to expand a recognized Cambridge study on Android’s factory reset performance. This study analyzed versions from Gingerbread (2.3) to Jelly Bean (4.3).
Using a sample of 68 phones, we focused again on the most popular models circulating on the European market. Our goal was to analyze later OS versions up to Nougat (7.0).
The idea was to simulate the user’s real experience using our own test data and accounts, populating the device with multimedia files, SMS, contacts, email accounts, social media, etc. After that, we performed a factory reset, then a memory extraction via forensic tools. We then analyzed the results.
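As an added illustration (not Blancco's own tooling), the following Python script shows the seed-then-scan step of that methodology: canary values seeded before the reset are searched for in a post-reset memory image, in both the UTF-8 and UTF-16LE encodings in which Android commonly stores strings. The canary values, the sample image and the severity labels are all constructed for this example.

```python
"""Remanence check for the seed / reset / extract methodology.

Hypothetical helper: before the factory reset the tester seeds the device
with known, unique canary values; after the reset the raw memory image is
scanned for those canaries. Any hit proves the reset left data behind.
"""
from dataclasses import dataclass, field

# Constructed canaries, chosen to be unique so a hit cannot be coincidental.
CANARIES = {
    "sms_body": ("SEED-SMS-7f3a1c", "critical"),      # message content
    "contact":  ("Zelda Canary-Holt", "critical"),    # contact name
    "call_log": ("+15550100777", "non-critical"),     # dialled number
}

# SQLite text columns are usually UTF-8; Java/Binder strings are UTF-16LE.
ENCODINGS = ("utf-8", "utf-16-le")

@dataclass
class Hit:
    label: str
    offset: int
    encoding: str
    severity: str

@dataclass
class ScanResult:
    hits: list = field(default_factory=list)

    @property
    def sanitized(self) -> bool:
        return not self.hits

    @property
    def worst(self) -> str:
        if any(h.severity == "critical" for h in self.hits):
            return "critical"
        return "non-critical" if self.hits else "none"

def scan_image(image: bytes, canaries=CANARIES) -> ScanResult:
    """Record every occurrence of every canary in every encoding."""
    result = ScanResult()
    for label, (text, severity) in canaries.items():
        for enc in ENCODINGS:
            needle = text.encode(enc)
            pos = image.find(needle)
            while pos != -1:
                result.hits.append(Hit(label, pos, enc, severity))
                pos = image.find(needle, pos + 1)
    return result

def build_sample_image() -> bytes:
    """Constructed stand-in for a post-reset dump: erased NAND (0xFF) with two
    fragments of pre-reset data surviving in pages the filesystem no longer references."""
    img = bytearray(b"\xff" * 4096)
    sms = "SEED-SMS-7f3a1c".encode("utf-8")
    img[512:512 + len(sms)] = sms
    num = "+15550100777".encode("utf-16-le")
    img[3000:3000 + len(num)] = num
    return bytes(img)
```

A real workflow would feed `scan_image` the image produced by the forensic extraction rather than `build_sample_image()`; the classification mirrors the critical / non-critical split used in the first study.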
In the end, we were able to recover data on 14 phones (20 percent of the sample). Most of them were running old Android versions, but we also recovered data from an Android 4.4 device. We discovered data on this last device within our research lab, using a physical connection to perform extraction on the memory chip.
To expand and validate our study, we sent one of the best-selling phones in history running on Android Lollipop (5.0) to an external data recovery laboratory. While we didn’t find any data using our in-house methods on this phone, this external lab performed the most sophisticated hardware techniques to finally retrieve SMS messaging data. This validated that the Android factory reset failed at removing data completely.
You can find the details of this analysis in the full paper, “Analysis of Data Remanence After Factory Reset, and Sophisticated Attacks on Memory Chips.”
What These Two Data Recovery Studies Tell Us about the Second-Hand Mobile Phone Market
In conclusion, our first study suggests that many IT asset disposition (ITAD) facilities fail to successfully sanitize a significant percentage of Android devices. Despite claims that the phones had gone through data sanitization processes, previously owned devices still stored user data.
This did not seem to depend on the OS version, as data was found up to Android OS 6.0. Further, our second study suggests that the factory reset function built into Android OS also fails to permanently erase user data, at least on older versions of Android OS (from 2.3 to 5.x). The effectiveness of factory reset, however, seems to depend on both the OS version and the underlying memory technology.
To get a more detailed overview of the SustainablySMART project and these data recovery studies, including testing setup diagrams, download the two-part presentation I gave at the Going Green – CARE INNOVATION 2018 conference in Vienna, Austria.