Want To Ensure Your Personal Android Data Is Truly Wiped? Turn On Encryption 91
MojoKid writes We've been around the block enough times to know that outside of shredding a storage medium, all data is recoverable. It's just matter of time, money, and effort. However, it was still sobering to find out exactly how much data security firm Avast was able to recover from Android devices it purchased from eBay, which included everything from naked selfies to even a completed loan application. Does this mean we shouldn't ever sell the old handset? Luckily, the answer is no. Avast's self-serving study was to promote its Anti-Theft app available on Google Play. The free app comes with a wipe feature that overwrites all files, thereby making them invisible to casual recovery methods. That's one approach. There's another solution that's incredibly easy and doesn't require downloading and installing anything. Before you sell your Android phone on eBay, Craigslist, or wherever, enable encryption and wait for it to encrypt the on board storage. After that, perform a wipe and reset as normal, which will obliterate the encryption key and ensure the data on your device can't be read. This may not work on certain devices, which will ask you to decrypt data before wiping but most should follow this convention just fine.
"It's just matter of time, money, and effort." (Score:5, Interesting)
It's well established that plenty of consumers discard or donate hard disks without taking any precautions, and are playing roulette with their identity. It's also well established that hundreds of millions of tons of this equipment is replaced, resold, stolen or discarded, and most people who wind up with the secondary device lack either the time, money, or effort to scavenge data off the phone. If in fact someone is in the identity theft business by buying phones on ebay, they'd profile themselves pretty well after a dozen phone purchases (what do these data-theft-victims have in common?). And who knows how many phones they'd have to buy which had been wiped in some way (and required more time, money and effort)?
This isn't a bad article in that it birddogs simple things you can do before selling your used phone, and if it elevates the perception of risk in order to get people to do something easy, that's appropriate. But in response to people who are shooting and burning their devices to be "100% sure" that no one spends the time, money and effort to follow them... that's appropriate if you are a high risk target. If you have stuff on your phone of interest to the FBI or KGB, the amount of time+money+effort may be less than or = the amount of risk. Your call.
But there is a lot of hyperbole out there about the percentage of identity theft which is traced to secondary market devices, and the billions of dollars in secondary market sales on sites like ebay represent time+money+effort interest in new product makers to spend fanning flames. Again it's appropriate that the article raises concerns and then points to simple efforts a consumer can take to increase the barrier-to-entry to their personal data. But the army of ebay buyers getting their porn fixes by buying and then de-encrypting cell phones to retrieve ugly selfies seems exaggerated. Warn people about sharks if they are swimming in shark infested waters, don't tell people that most swimmers will be attacked by sharks.
Tear your mail in 8 pieces and someone could dig it out of the trash and tape it together, but the time+money+effort that represents is significant. I remember people selling paper shredding equipment in the 1990s who described armies of Iranian students or Chinese peasants who could be buying torn paper and taping it back together. If they know it's the President of the USA's mail, they no doubt will expend that time+money+effort... Presidents should assume they are swimming in a shark tank. For most of us, ebay resales are a swimming pool, and warnings of shark attacks get tiresome.
Re:srm -v -z (Score:4, Interesting)
>Furthermore, the wear-leveling strategies used in flash mass storage devices negates any attempt to securely wipe them short of physical destruction.
Well, it confounds it at any rate. But completely filling the device's memory 33 times in a row is pretty likely to overwrite everything at least once or twice - even the hidden "failure reserve" space if it's included in the wear leveling (and if it's not, then it doesn't yet hold any sensitive data, so there's no problem). Guttmann's values may be irrelevant to today's storage media, but that many repeated rewrites of anything still mostly does the job.
I don't know that I'd trust it to wipe vital military secrets, but it should do a good enough job for most anything in the civilian realm.