Performing a factory reset on an Android device does little to erase private data left on the hardware.
Investigations carried out by a security researcher found that Android devices, such as the Hudl by Tesco, can be hacked and data retrieved, despite a factory reset being carried out.
Ken Munro of Pen Test Partners bought 10 Hudl tablets from eBay and recovered information from the devices by exploiting a flaw in the Rockchip processor’s firmware.
“There’s a flaw in the firmware, which allows you to read from it as well as write,” he told the BBC.
A freely available tool on the internet could allow anyone with such an Android device to find “deleted” information.
“Customers should always ensure all personal information is removed prior to giving away or selling any mobile device,” a Tesco spokesperson told the BBC.
“To guarantee this, customers should use a data wipe program.”
The spokesperson said that any device returned to stores would have personal data completely wiped.
In a statement, Google said that users should take a number of steps to ensure information is protected.
“If you sell or dispose of your device, we recommend you enable encryption on your device and apply a factory reset beforehand,” said a spokesman.
Marc Rogers, principal researcher at Lookout, said that most manufacturers used Android’s built-in data wiping features, but even this had problems.
“But all that does is remove the index of where data is and does not delete data at all,” he told the BBC. “As a security professional it blows my mind that people do not do this to get rid of the data.”
Sven Boddington, vice president of Global Marketing and Client Solutions at Teleplan, said it was “worrying to find tablet devices are being sold with data still on them”.