Editor’s note: This is a contributed post by Samantha Greenaway, a freelance researcher and writer of security within technology. She is currently working as a researcher for the University of Birmingham, UK. You can contact her via email.
When ‘sell your phone’ companies exploded onto the scene a few years ago it changed the way we dealt with our unwanted smartphones. When the contract expires or when the device falls apart from a bad fall, you can recycle it at a company and reclaim a bit of extra cash at the same time. As we are contributing to the environment and making a little extra money, we often forget that we are in fact sending off a device that once held a considerable amount of personal information – to a complete stranger!
As smartphone technology continues to advance, we are trusting our mobile devices with more and more of our personal data, from the type of media we consume to passwords, contact and account details. Could we be dropping our guard too low when giving our phones away?
Concerns about erasing sensitive files are certainly nothing new; the topic was even tackled well here before. But thanks to technological developments, removing data from smartphones has become much trickier.
Doing It Properly
If, like most people, you use your smartphone for things like online banking, you are required to enter codes/PINs that give you access to bank accounts and savings (something that was unheard of a few years ago). Even if you delete the banking app and its history, the data could still be left on your phone without you realising.
The deleted information can be recovered with forensic data retrieval software. For years the police have been using this to recover data for criminal investigations, primarily cases surrounding child abuse.
Now forensic software like Oxygen Forensics and EnCase Forensic has been made available to the general public at incredibly affordable prices. This means that even if you delete your smartphone’s data or perform a factory reset, a buyer with forensic software can recover it all.
This kind of software can retrieve:
- photos, videos, SMS history
- calendars, apps
- phonebook details, call information
- Wi-Fi history, web connections
- GEO event positioning
- device logs
- deleted messages and more.
How Permanent Data Removal Should Be Done
At one point simply deleting your phone data, re-installing the software or performing a factory reset would have been an adequate option. Sadly and worryingly this is no longer the case.
Phone recycling experts Bozowi explain that 99% of mobile devices store data in separate locations within a flash chip known as "solid state memory". Reinstalling the operating software or performing a factory reset will only affect the software and the paths that lead to the data, not the data itself.
This means hackers using good forensic software will be able to find new pathways to your data, whether or not the original ones are still there.
Guarding By Removing
The only known way of preventing forensic software from retrieving data off your smartphone is with permanent data removal tools. Using tools like these can be quite time-consuming compared to a factory reset, but this is because it actually wipes the whole of the data, not just the paths that lead to it.
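A small model of the difference described above, added here as an illustration and not taken from Bozowi or any forensic product. ToyFlash, carve_jpegs and residual_bytes are hypothetical names, the stored bytes are constructed, and real flash behaviour such as wear levelling is not modelled.

```python
# Toy model (constructed): an index of paths pointing at raw data blocks.
BLOCK = 64
JPEG_START, JPEG_END = b"\xff\xd8\xff", b"\xff\xd9"  # real JPEG markers

class ToyFlash:
    def __init__(self, n_blocks=16):
        self.raw = bytearray(BLOCK * n_blocks)  # the data itself
        self.index = {}                         # path -> (offset, length)
        self.next_free = 0

    def write(self, path, data):
        off = self.next_free
        self.raw[off:off + len(data)] = data
        self.index[path] = (off, len(data))
        self.next_free = off + -(-len(data) // BLOCK) * BLOCK  # round up

    def factory_reset(self):
        self.index.clear()  # drops the paths only; blocks keep their contents

    def permanent_removal(self):
        self.raw[:] = bytes(len(self.raw))  # overwrite every block with zeros
        self.factory_reset()                # then drop the paths as well

def carve_jpegs(raw):
    """Signature scan over the raw bytes; never consults the index."""
    found, pos = [], 0
    while (start := raw.find(JPEG_START, pos)) != -1:
        end = raw.find(JPEG_END, start)
        if end == -1:
            break
        found.append(bytes(raw[start:end + 2]))
        pos = end + 2
    return found

def residual_bytes(raw):
    """Wipe check: number of bytes that are still non-zero."""
    return sum(1 for b in raw if b)

def demo():
    photo = JPEG_START + b"\xe0 constructed photo bytes " + JPEG_END
    phone = ToyFlash()
    phone.write("/DCIM/photo1.jpg", photo)
    phone.write("/bank/notes.txt", b"constructed banking note")
    phone.factory_reset()
    reset = (len(phone.index), carve_jpegs(phone.raw), residual_bytes(phone.raw))
    phone.permanent_removal()
    wiped = (len(phone.index), carve_jpegs(phone.raw), residual_bytes(phone.raw))
    return photo, reset, wiped
```

After the reset the index is empty yet the photo is still found by the signature scan; only after the overwrite do both the scan and the residual count come back empty.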
Unfortunately only a few phone recycling companies offer permanent data removal services, but it is worth choosing the ones that do, even if it is just to permanently remove the data (you could always recycle the phone somewhere else afterwards).
At the moment the only company that offers this fully as a separate service is a UK-based recycling company called Bozowi, but I’m sure more recyclers will offer it as smartphone data protection awareness increases (just keep your eyes open for it).
How To Check If It Has Been Done Properly
As of August 25th 2013, the EU declared that smartphone users should be held responsible for the protection of their phone data, not phone recyclers (this will hopefully change soon though, I’m sure). So until the EU change their policy, it seems the few "sell my phone" companies that do offer permanent data removal will charge you for it.
If you’re going to pay for it, you need to make sure you are actually going to get it. The first thing to do is make sure the company gives you a serial number and a tracking ID (it should be stated on their website). This means you are able to monitor the process as the procedure happens.
Also make sure you receive a "certificate of destruction" which confirms the process has been completed. This also puts the responsibility on the company to make sure they live up to their promise.
There is no reason why any company that offers this service should refuse you either of these.
Another area to be aware of is "Data Delete Tools". Do not confuse this with real permanent data removal. Smartphone recyclers often use this term to mask a glorified factory reset. "Permanent" is the key word here and if it’s not mentioned, it usually means it’s not offered.
To avoid giving you an anxiety attack over this, I should stress that it is still safe to sell or recycle your smartphone without fearing that your personal content will end up in the hands of a hacker. You must, however, be careful and patient enough to put it through a permanent data removal service beforehand.
It may be more time-consuming than a simple factory reset and even cost a little extra too, but for the sake of your security and general peace of mind, it is worth it.