Factory reset memory wipe FAILS in 500 MEELLION Android mobes

Half a billion Android phones could have data recovered and Google accounts compromised thanks to flaws in the default wiping feature, University of Cambridge scientists Laurent Simon and Ross Anderson have claimed. The gaffe apparently allows tokens for Google and Facebook, among others, to be recovered in 80 per cent of …


  1. Cynic_999

    What should be expected from a factory reset?

    To me, this article is similar to one that says, "File deletion fails in all versions of Windows and Linux because deleted data can still be recovered in 90% of cases." Yes, we knew that. It's because the file delete function was never *intended* to prevent data from being forensically recovered.

    Similarly, unless the manual clearly states otherwise, I have always expected a "factory reset" operation to behave similarly to a "file delete" operation, in that it makes the phone *appear* to the normal user to be the same as when first sold, but I have never assumed that it did so by *wiping* any data, any more than a re-install of the OS will get rid of data you have on your laptop's HDD (which is surely analogous to a "factory reset").

    In fact I would not even assume that data held on a user-supplied SD card will be deleted or made inaccessible, because that card was not a part of the system when it left the factory. (Though I would not assume that it will *not* be deleted either).

    1. JP19

      Re: What should be expected from a factory reset?

      The settings option is called and described with :-

      Factory data reset

      Erases all data on phone

      Expecting it to do what it says it will seems reasonable.

  2. Bucky 2

    It seems simple enough. If you want the new owner of your machine to see all the pictures of your own wang, just do a factory reset.

    Otherwise, use "Shred" or something similar, like a normal person.

  3. Henry Wertz 1

    "It isn't like an OTA could be sent out to all phones to update it so the manufacturers and carriers would need to do the update and if they were going to go to all that trouble of writing the core files into their customised version, testing and delivering it then they would just update to the latest version anyway which is designed to work better on older devices (although that's debatable)."

    Well, maybe, but I've had a few phones with unusual radio files (the Samsung Stratosphere, for example, had a Via -- yes, Via, not Qualcomm -- CDMA/EVDO/GSM chipset and a Samsung LTE chipset), so if you evaded Samsung's lame firmware lockdown and put a newer kernel on, the radio files would absolutely not work with it. The Stratosphere II I have now has a more normal radio but a similar situation. It's pretty common to see on CyanogenMod forums and the like that some devices will run a newer kernel, but with no radios. I doubt Samsung'll update either of these phones at all, but if so I'll be shocked if it gets anything other than an "x.x.(current +1)" update, or a vendor-implemented patch.

  4. Henry Wertz 1

    "That doesn't seem to stop Apple, who managed to backport full-disk encryption and make it available for every device sold in the past few years as part of their regular update process. It wasn't *ooh* *whimper* sooo *sniff* haaaaaard *sob* like it was for Google. It's a core OS function that isn't dependent or reliant on manufacturer customizations, and should be updatable."

    Apple didn't backport full-disk encryption to older iOS versions, they made sure iOS was installable on somewhat older devices. Not the same thing at all. Also, Apple only ships a handful of models of phones. For vendors that follow Google's recommendations (i.e. not too many nasty hacks and binary blobs), if the vendor doesn't bother to release updates, CyanogenMod does. I really would prefer if all vendors at least made it so CM could release functional updates. If you do want to make sure to actually get updates, there are several lines of Android devices that do actually receive official updates for a guaranteed length of time.

  5. x 7

    So what's the real problem here?

    The stupid yuppie marketing model by which western rich gits treat new-spec phones as having a one-year use period before sending them on for resale / reuse elsewhere.

    It's not a fault with the phones - past experience with computers should be enough to show that anything is potentially recoverable given the right tools. The problem is with the mindset. Anyone with a brain who sends a PC on for resale or scrap shreds the drive - either physically or with a third party electronic tool such as DBAN. Why should a phone be treated any less differently? Especially when solid-state drives are a lot harder to nuke than a "real" hard drive.

    The answer is......stop treating phones as disposable fripperies. Keep them and use them until they're knackered and then take the hammer and shredder to them. Get your money's worth from them, then destroy them. DON'T sell them on.

  6. Barry Rueger

    Lawyers needed

    Given that for many people the phone has become the primary computing device, including banking and other financial type transactions, it's really a pretty serious problem that it can be nearly impossible to get the OS updated.

    My guess is that sooner or later someone - Google, carrier, manufacturer, maybe all three - is going to get clobbered with a massive lawsuit alleging significant negligence in not providing timely and easy security updates.

  7. Zmodem

    It's probably nothing to do with Android, it would be the company that forgets to make the system folder list, and delete folders not listed from the internal memory.

    Google aren't going to know if you have some Xperia media folders on your phone.

  8. hayzoos

    I have seen this first hand on two used phones I purchased. I did not even have to use extensive methods to see the previous owner's content. I tried the factory reset a couple of times and the content remained. Same for my phone I was replacing. I used a custom recovery's wipe function and the content was no longer visible. I do not know if the content was actually removed or not.

    I do know that some older Samsung Galaxy S2's will brick if the eMMC secure erase function is called due to another bug. Other models and makes of the generation may have the same bug.

    Kinda funny, I recently read something about how solid-state storage can lose data over varying periods in a non-powered state. I guess it's a matter of losing data when you want to keep it and data persisting when you want to lose it. Seems normal.
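An added example, written for this page and not taken from the article or from any of the commenters: a toy block device in Python that models the distinction Cynic_999 draws between forgetting a file and wiping it, and the behaviour hayzoos reports (content still present after a factory reset, gone after a fuller wipe). The Flash class, the 64-byte block size, the file names and the token strings are all constructed for the demonstration, and the token regex is an assumed pattern, not the format of any real Google or Facebook token.

```python
import re
from dataclasses import dataclass, field

BLOCK = 64     # bytes per block (constructed; real eMMC pages are KiB-sized)
NBLOCKS = 32   # constructed capacity for the toy device


@dataclass
class Flash:
    """Toy block device: a directory table kept apart from the data blocks.
    Constructed for this example; it is not Android's ext4/eMMC stack."""
    blocks: list = field(default_factory=lambda: [bytearray(BLOCK) for _ in range(NBLOCKS)])
    directory: dict = field(default_factory=dict)   # file name -> list of block numbers
    free: list = field(default_factory=lambda: list(range(NBLOCKS)))

    def write_file(self, name, data):
        """Allocate free blocks in order and copy the data in."""
        used = []
        for off in range(0, len(data), BLOCK):
            b = self.free.pop(0)
            chunk = data[off:off + BLOCK]
            self.blocks[b][:len(chunk)] = chunk
            used.append(b)
        self.directory[name] = used

    def read_file(self, name):
        """What a normal user (or the OS) sees: None once the entry is gone."""
        if name not in self.directory:
            return None
        return b"".join(bytes(self.blocks[b]) for b in self.directory[name]).rstrip(b"\x00")

    def quick_reset(self):
        """A metadata-only 'factory reset': forget every file and mark its
        blocks free. The block contents themselves are not touched."""
        for used in self.directory.values():
            self.free.extend(used)
        self.directory.clear()

    def full_wipe(self):
        """Forget the files AND overwrite every block on the device."""
        self.quick_reset()
        for blk in self.blocks:
            blk[:] = bytes(BLOCK)

    def raw_image(self):
        """The whole device as one byte string, the way a forensic dump sees it."""
        return b"".join(bytes(b) for b in self.blocks)


# Assumed pattern for the demonstration only; real tokens look different.
TOKEN_RE = re.compile(rb"(?:oauth|session)=[A-Za-z0-9._-]{16,}")


def carve_tokens(image):
    """Scan the raw bytes for token-shaped strings, ignoring any directory."""
    return [m.group(0).decode() for m in TOKEN_RE.finditer(image)]


def demo():
    """Returns (tokens carved after quick_reset, tokens carved after full_wipe)."""
    dev = Flash()
    # Constructed file contents; the 66-byte accounts file deliberately spans two blocks.
    dev.write_file("accounts.db",
                   b"account=alice@example.test\noauth=ya29.CONSTRUCTED_TOKEN_VALUE_000\n")
    dev.write_file("cookies", b"session=" + b"x" * 40)

    dev.quick_reset()
    assert dev.read_file("accounts.db") is None   # the OS view says it is gone
    after_reset = carve_tokens(dev.raw_image())   # the raw view says otherwise

    dev.full_wipe()
    after_wipe = carve_tokens(dev.raw_image())
    return after_reset, after_wipe


if __name__ == "__main__":
    reset, wipe = demo()
    print("after quick_reset:", reset)
    print("after full_wipe:  ", wipe)
```

carve_tokens never consults the directory, which is exactly how a recovery tool works; quick_reset leaves every match in place and only full_wipe removes them. One caveat the toy cannot show: on real eMMC with wear levelling a host-side overwrite is not guaranteed to reach every physical page, which is why the controller-level secure erase hayzoos mentions exists, and why his note about some Galaxy S2 units bricking on that command matters. Test the wipe on the actual model, then verify it with a raw read of the partition rather than trusting the settings screen.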

  9. Tannin

    Simple

    It's not hard. Just pretend you are a normal, rational human being and use the phone until it doesn't work anymore. At that point, it's worthless, throw it away. (Or destroy it in any manner you please if the data matters enough.) Along the way, you've saved enough by not buying unnecessary new dorky consumer tech-head gear every few months to treat yourself to a holiday at the destination of your choice.

  10. Machina

    Current Android users should appreciate this

    I see Android's resale value rising.

    ROFL.
