That basically means that your login data, mails, contacts, SMS, images, and videos can be retrieved at least partially. Not even a Full-disk encryption is of much help here: The flawed Android factory reset leaves behind enough data for the key to be recovered.
The study unveils five critical failures:
- “The lack of Android support for proper deletion of the data partition in v2.3.x devices
- The incompleteness of upgrades pushed to flawed devices by vendors
- The lack of driver support for proper deletion shipped by vendors in newer devices (e.g. on v4.[1,2,3])
- The lack of Android support for proper deletion of the internal and external SD card in all OS versions
- The fragility of full-disk encryption to mitigate those problems up to Android v4.4 (KitKat)”
The researcher examined 21 Android phones that used version 2.3.x to 4.3 of the OS and were sold by five different vendors. Apart from being able to recover said data, they could also recover Google authentication tokens: “We recovered Google tokens in all devices with flawed Factory Reset, and the master token 80 percent of the time. Tokens for other apps such as Facebook can be recovered similarly. We stress that we have never attempted to use those tokens to access anyone’s account.”
So what to do if you want to sell your mobile? The study recommends filling up the partition of interest with random-byte files, to overwrite all unallocated space. In order for this to work you would have to install the third-party app that would fill the partition manually though because otherwise the Google credentials stored on the file system would not be erased.
Take a look at the study to find out more.