[ISN] Flawed Android factory reset leaves crypto and login keys ripe for picking

http://arstechnica.com/security/2015/05/flawed-android-factory-reset-leaves-crypto-and-login-keys-ripe-for-picking/ By Dan Goodin Ars Technica May 21, 2015 An estimated 500 million Android phones don’t completely wipe data when their factory reset option is run, a weakness that may allow the recovery of login credentials, text messages, e-mails, and contacts, computer scientists said Thursday. In the first comprehensive study of the effectiveness of the Android feature, Cambridge University researchers found that they were able to recover data on a wide range of devices that had run factory reset. The function, which is built into Google’s Android mobile operating system, is considered a crucial means for wiping confidential data off of devices before they’re sold, recycled, or otherwise retired. The study found that data could be recovered even when users turned on full-disk encryption. Based on the devices studied, the researchers estimated that 500 million devices may not fully wipe disk partitions where sensitive data is stored and 630 million phones may not wipe internal SD cards where pictures and video are often kept. The findings, published in a research paper titled Security Analysis of Android Factory Resets, are sure to be a wake-up call for individual users and large enterprises alike. […]