Today we unveil two papers describing serious and widespread vulnerabilities in Android mobile phones. The first presents a Security Analysis of Factory Resets. Now that hundreds of millions of people buy and sell smartphones secondhand and use them for everything from banking to dating, it’s important to be able to sanitize your phone. You need to clean it when you buy it, so you don’t get caught by malware; and even more when you sell it, so you don’t give away your bank credentials or other personal information. So does the factory reset function actually work? We bought a couple of dozen second-hand Android phones and tested them to find out.
The news is not at all good. We were able to retrieve the Google master cookie from the great majority of phones, which means that we could have logged on to the previous owner’s gmail account. The reasons for failure are complex; new phones are generally better than old ones, and Google’s own brand phones are better than the OEM offerings. However the vendors need to do a fair bit of work, and users need to take a fair amount of care.
Attacks on a sold phone that could not be properly sanitized are one example of what we call a “user-not-present” attack. Another is when your phone is stolen. Many security software vendors offer a facility to lock or wipe your phone remotely when this happens, and it’s a standard feature with mobile antivirus products. Do these ‘solutions’ work?
You guessed it. Antivirus software that relies on a faulty factory reset can only go so far, and there’s only so much you can do with a user process. The AV vendors have struggled with a number of design tradeoffs, but the results are not that impressive. See Security Analysis of Consumer-Grade Anti-Theft Solutions Provided by Android Mobile Anti-Virus Apps for the gory details. These failings mean that staff at firms which handle lots of second-hand phones (whether lost, stolen, sold or given to charity) could launch some truly industrial-scale attacks. These papers appear today at the Mobile Security Technology workshop at IEEE Security and Privacy.
Writeups on Ars Technica and CNN.
And now also The Register and softpedia.
Individuals wanting to sell on old Android devices should first encrypt their device, where possible, via the security settings and then perform a factory reset. Additionally it would be prudent to employ 2-step-verification on one’s Google account. Without a special code, downloaded ahead of time or sent via SMS, in addition to one’s password the account cannot be accessed. It might also be advisable to change all passwords of any accounts used on said device.
Of course the more foolproof method would be to encrypt, wipe and then physically destroy the device. Since the second hand value of such devices is low anyway, my advice would be to take the latter option or just keep it on your shelf.
It must also be remembered that such risks apply to many computer devices. If a hard drive has sensitive information on it, it would be best to destroy it rather than sell it on.
It is regrettable that what you say is true. It seems wrong to be destroying items that can be reused by others, but the risks are real. As far as I can tell by reading comments on other sites, even the encryption route isn’t that safe on stock Android ROMs – “wiping” simply means removing the encryption keys, which leaves the possibility of brute-forcing (I’m not techie enough to know what the likelihood of this is, nor whether it would be worthwhile for a buyer to do this for random second-hand phones). Some comments also suggest that the data-wiping is more effective if a custom ROM (CyanogenMod etc.) is installed, but it hasn’t been verified by people such as Ross anyway, so it is nothing more than an assumption. It is beyond most users’ capabilities to do so.
And now also the BBC.
Things are actually improving. Android 5.0 does encryption by default, and I’ve been playing with such a device for the past month. It’s still a bit buggy; I’ve had two uncommanded factory resets in the past month. I just upgraded to 5.1 and hope that will make it a bit more stable.
One thing you notice when you go through the reset / recover process several times is that vendors did not really design the experience properly. Some of the stuff on your phone is backed up and other stuff isn’t; you get back your gmail but not your texts, for example. This needs attention just as much as the “security” aspects. And if people start using more-secure facilities such as TrustZone in any significant way, then recovering that is going to matter too.
As for brute-forcing an encryption key, I doubt most people need worry about that. Ed Snowden certainly should, but if you give a second-hand phone to charity having used a four-digit PIN and then done a factory reset, do you honestly think a crooked staff member at the phone charity is going to try to do that? If you also revoke the phone on Google dashboard, you’re probably in pretty good shape.
Thanks, Ross – I really didn’t think brute-forcing would be a likely problem, but my knowledge isn’t enough to be able to state it with certainty.
The problem re: backup is a nuisance. I’ve tried several custom ROMs on mine, and the loss of SMS is a nuisance. It really is something that needs addressing.
A detailed and thoughtful writeup on The Verge.
Another piece in Secure Computing Magazine.
What about iphones?
We didn’t test any.