We have discovered that the "wipe" function on Android does not reliably delete data on all devices. On a Nexus S running Android 2.3.6, we were able to recover user data after running a "wipe" both using the "factory data reset" from the menu and by wiping the device from recovery. To recover data, the device must be rooted. This can be done after the wipe by using e.g. the zergRush root exploit. (Note that the official way which includes unlocking the bootloader must not be used - that one does securely wipe the memory). After rooting the device, the memory can be dumped using cat /dev/block/platform/s3c-sdhci.0/by-name/userdata Move the dump to a PC by piping the cat output into nc, then recover using any common recovery software. This means that if a locked device affected by this is lost/stolen, it is possible to access the data by first wiping the device (to remove the screen lock), then rooting and recovering. Note that we do not know the full range of affected devices. Manufacturers may have made customizations that fix this, and Android 3.x and 4.x (Honeycomb/ICS, about 5% of devices) seem to have fixes according to the code. The Android security team has been notified. Further details can be found in our blog post: https://www.hatforce.com/blog/android/wipe Kind regards, Jan, from the Hatforce team Hatforce (https://www.hatforce.com) is the first crowd-sourced security testing startup world-wide. The services comprise web- and mobile application pentests. Since its launch, Hatforce got extensive positive feedback, especially from the Forbes magazine: "This service is stroke of genius! [...] This is a great business concept and one that could make a huge difference in how safe your application, and brand, is."
