Android Encryption Security

Want To Ensure Your Personal Android Data Is Truly Wiped? Turn On Encryption

Posted by samzenpus
from the getting-it-clean dept.
MojoKid writes: We've been around the block enough times to know that outside of shredding a storage medium, all data is recoverable. It's just a matter of time, money, and effort. However, it was still sobering to find out exactly how much data security firm Avast was able to recover from Android devices it purchased from eBay, which included everything from naked selfies to even a completed loan application. Does this mean we shouldn't ever sell the old handset? Luckily, the answer is no. Avast's self-serving study was to promote its Anti-Theft app available on Google Play. The free app comes with a wipe feature that overwrites all files, thereby making them invisible to casual recovery methods. That's one approach. There's another solution that's incredibly easy and doesn't require downloading and installing anything. Before you sell your Android phone on eBay, Craigslist, or wherever, enable encryption and wait for it to encrypt the onboard storage. After that, perform a wipe and reset as normal, which will obliterate the encryption key and ensure the data on your device can't be read. This may not work on certain devices, which will ask you to decrypt data before wiping, but most should follow this convention just fine.

  • by plover (150551) on Sunday July 13, 2014 @09:47AM (#47442631) Homepage Journal

    This.

    What is the value of a used device? Compare that to the risk of the data on that device going to a malevolent third party.

    I've had people saying "oh, look at all these hard drives, you should totally sell them on ebay and I bet you could get $10 apiece for them!" Adding up the time I would waste running DBAN or sdelete or whatever, and keeping track of which ones have been wiped, and double checking to make sure everything is really gone, it's not worth the time.

    A big hammer and a punch, driven deeply through the thin aluminum cover and down the platter area, takes about a second and leaves nothing anybody would bother trying to recover. You can quickly look at a drive and say "yes, this drive has been taken care of", or "hey, there's no jagged hole here, this drive isn't destroyed." The aluminum cover contains the shards if the platters are glass. I don't care who handles them after destruction. There's no worries about toxic smoke. And if you have to inventory them before shipping them to a recycler, the serial numbers are still readable.

    Smashing a phone wouldn't destroy the data on the chips, so a fire is a somewhat safer option.

  • Unsafe Advice (Score:5, Informative)

    by bill_mcgonigle (4333) * on Sunday July 13, 2014 @09:50AM (#47442643) Homepage Journal

    Any marginal blocks mapped out before you encrypt will remain unencrypted and may be available to a determined attacker. Same goes for hard drives, and SATA secure erase is not provably trustworthy. Always encrypt your storage before you put any data on it. If you do not trust your hardware AES to not be backdoored then use software crypto.

  • by Anonymous Coward on Sunday July 13, 2014 @09:55AM (#47442659)

    According to the Android documentation it is full-disk encryption [android.com] based on dm-crypt.

  • Re:srm -v -z (Score:4, Informative)

    by Immerman (2627577) on Sunday July 13, 2014 @02:22PM (#47444069)

    Not quite - modern magnetic drives still have tracks wider than the read-write head so that atomic-level alignment isn't necessary. There may be far less "overwrite" than there once was, but if a newly recorded track is not *perfectly* aligned with the last recording then there may well be several percent of the previously recorded track that remains unaltered (consider the worst-case scenario that the previous recording in this track was written at the smallest radius allowed by actuator tolerances, while this pass is at the maximum radius allowed). Now, recovering that data will probably require removing the platters and analyzing them with much higher resolution read heads, but it can be done.

    I was more addressing the problems with flash though - in order to disguise degradation modern flash drives typically include more capacity than is addressable by the host system. Fill it to the brim so there are zero bytes free, and there's still several percent of the total drive capacity that is sitting unused in the reserve pool. The only way to overwrite that (barring an OS-accessible "secure wipe" command implemented on the drive) is to generate sufficient churn that the internal wear leveling algorithms cycle through every byte of the reserve capacity at least once. And since you probably don't know the exact algorithm used or wear levels of the drive to begin with, more is better - after all you have to tease out the most heavily used page currently sitting in the reserve.
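
Added example, not part of the original thread: a toy flash translation layer showing why one full overwrite of an over-provisioned device leaves stale plaintext in the reserve pool, while a device encrypted before any data was written leaves only ciphertext. The `ToyFlash` class, its FIFO wear-leveling policy, the SHA-256 keystream standing in for dm-crypt, and the sample data are all assumptions made for illustration.

```python
import hashlib
from collections import deque

class ToyFlash:
    """Toy flash translation layer with more physical pages than logical blocks."""
    def __init__(self, logical, spare):
        self.pages = [b""] * (logical + spare)      # physical pages
        self.map = {}                               # logical block -> physical page
        self.free = deque(range(logical + spare))   # assumed FIFO wear-leveling policy

    def write(self, lba, data):
        new = self.free.popleft()
        self.pages[new] = data                      # writes always go out of place
        old = self.map.get(lba)
        if old is not None:
            self.free.append(old)                   # stale page keeps its contents until reused
        self.map[lba] = new

    def stale_pages_containing(self, needle):
        """Count unmapped physical pages that still hold the needle."""
        live = set(self.map.values())
        return sum(1 for i, p in enumerate(self.pages)
                   if i not in live and needle in p)

def keystream_xor(key, lba, data):
    """Toy stand-in for dm-crypt sector encryption (NOT real cryptography)."""
    stream = hashlib.sha256(key + lba.to_bytes(8, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

SECRET = b"loan-application"      # constructed sample data
ZEROS = b"\x00" * len(SECRET)

def overwrite_only(logical=16, spare=4, passes=1):
    """Plaintext device, then N full-capacity overwrite passes."""
    dev = ToyFlash(logical, spare)
    for lba in range(logical):
        dev.write(lba, SECRET)
    for _ in range(passes):
        for lba in range(logical):
            dev.write(lba, ZEROS)
    return dev.stale_pages_containing(SECRET)

def encrypt_then_wipe(logical=16, spare=4):
    """Device encrypted from the first write; the reset discards the key."""
    dev = ToyFlash(logical, spare)
    key = b"constructed-demo-key"
    for lba in range(logical):
        dev.write(lba, keystream_xor(key, lba, SECRET))
    for lba in range(logical):
        dev.write(lba, ZEROS)
    return dev.stale_pages_containing(SECRET)
```

In this model a second overwrite pass happens to clear the reserve only because the free pool is strictly FIFO; a real controller's policy is unknown to the host.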
