July 11th 2014
Smartphone users have been warned that simply deleting data from their devices may not be sufficient to wipe it, enabling others to see it after it has been disposed of.
The warning comes after security firm Avast used readily-available forensic security tools to extract thousands of images from used phones sold on eBay – which included naked selfies. Other data included Google searches, emails and texts.
Most smartphones come with a factory reset option, designed to wipe their memory and return it to the state it was in when new. According to the Czech security firm, however, some old models erase only the data indexing and not the data itself, leaving them wide open for anyone to find personal data easily using standard, downloadable forensic tools.
Avast told the BBC that of the 40,000 photos found on 20 phones purchased from eBay, more than 750 were of women in various stages of undress, along with 250 selfies of "what appears to be the previous owner's manhood". 1,500 family photos of children, 1,000 Google searches, 750 emails and texts and 250 contact names and email addresses were also extracted.
The company said: "Deleting files from your Android phone before selling it or giving it away is not enough. You need to overwrite your files, making them irretrievable."
Google has responded by saying that Avast used old smartphones and that the research did not provide a true picture of most users' phones today, with the security protection found in Android versions. The company said that all users should enable encryption on their devices before applying a factory reset to ensure files cannot be accessed, adding that this feature has been available for three years. This encryption feature is not enabled by default.
Apple has had built-in encryption for its hardware and firmware since the release of its iPhone 3GS model. The hardware encryption is permanently enabled and cannot be user-disabled. Additional file data protection is available by accessing the settings menu.
Computer security analyst Graham Cluley told the BBC that if a user is serious about privacy and security they should make sure their device is always "protected with a PIN or passphrase, and that the data on it is encrypted".
Another expert, Alan Calder, suggested that users who do not want their data to be discovered should simply destroy the device – adding that any other precautions simply delay somone else being able to access the data.
