You know those Android phones you thought were wiped of confidential data
before you or your business
got rid of them? Security firm Avast Software has found the data may still be recoverable.
The Prague-based company bought 20 used Android smartphones, and was able to recover tens of thousands of personal files. They included personal photos, e-mails, text messages, and even nude selfies of the owners.
The inventory of recovered files included some 40,000 photos, including more than 1,500 family photos of children, 750 photos "of women in various stages of undress," and 250 selfies of nude men. There were also 1,000 Google searches, 750 e-mails and text messages, 250 contact names and e-mail addresses, four previous owners' identities, and even one completed loan application.
Amount of Data 'Astounding'
Jude McColgan, Avast's President of Mobile, said in a statement that "the amount of personal data we retrieved from the phones was astounding."
The Android devices were purchased from a variety of sellers in the U.S., according to the company. The previous owners of the phones had all performed a factory reset or a "delete all" command to remove their data. Generally available recovery software, rather than specialized tools, were used to retrieve information that supposedly had been erased.
"The take-away," McColgan said, "is that even deleted data on your used phone can be recovered unless you completely overwrite it."
Used smartphones are available for sale in the thousands. Avast noted that, on any given day on eBay, there are more than 80,000 used smartphones on sale.
Consumers and businesses who thought they were getting rid of empty devices, McColgan said, "may not realize they are selling their memories and their identities." He pointed out that these kinds of files, in the wrong hands, can be used for identity theft, blackmail or even stalking.
Strict Policies and Procedures
Avast itself, as one might expect, offers a wipe app that it says does the trick. A variety of other techniques, apps and steps that purport to accomplish the same purpose are also available online.
Laura DiDio, an analyst with industry research firm Information Technology Intelligence Consulting, pointed out to us that this problem is complicated in those companies that have a "bring your own device" policy.
In those cases, she said, containers -- such as those offered by Samsung (to be available in the next version of the Android OS) and BlackBerry -- can separate business files from personal ones, thus at least collecting the problem data.
For those files, and in other cases, DiDio advised that companies maintain and enforce "strict policies and procedures that basically mandate you follow specific guidelines" to remove the critical files to the satisfaction of the IT department. She noted that attention to this is especially important in small- to medium-size businesses (SMBs), which are "less able to sustain damages" resulting from confidential information ending up in the wrong hands.