Researchers (Laurent Simon and Ross Anderson) from the University of Cambridge thus held a study on 21 second-hand smartphones operating on versions of Android ranging from 2.3.x (Gingerbread) to version 4.3 (Jelly Bean) to try to highlight the fact that the "Factory Reset" would not keep its promises. And the results are really scathing for Android.
The automatic procedure is thus supposed to erase all traces of previous use and to restore the device to its original state, as if it had just been bought. In practice, the result is very different. All brands are affected, and according to researchers' estimates, 500 million smartphones circulating in the world would be affected by the problem.
During the procedure, it was established that 80% of smartphones kept data from the previous user. Worse, the researchers were able to recover Google authentication data allowing them to access previously configured accounts on the device (Gmail, and associated services). The researchers were able to recover emails, text messages from chat histories … as well as videos and photos.
The problem is that the term "Factory Reset" is incorrect, since the procedure does not involve the complete formatting of the device. In reality, the procedure simply makes the path to access the previously used memory areas disappear. It is only when the new user uses their smartphone and reinstalls data on these sectors that the data is really lost.
By knowing where to look and snoop, it is therefore possible to recover sometimes sensitive data on the terminals. One of the solutions to the problem would be to encrypt all of the data on the smartphone, so that if data were to be recovered, it would be unusable. But not all smartphones currently offer this option. And since the smartphone will always keep some of the data, it might be possible to recover enough elements to hack the encryption key.
Finally, the only effective solution would be for manufacturers to install their own data erasure system. The study does not say what it is about Android 5.0 and versions, so we do not know if Google itself has solved the problem in the meantime.