recommended reading

Used Phones Are Full of Previous Owners’ Data

simone mescolini/

The ongoing high-profile legal fight between Apple and the government might give the impression that modern smartphones have evolved into impenetrable, encrypted fortresses. After all, even the FBI, with all its tools and resources, can’t hack its way into a 3-year-old iPhone.

Outfitted with the latest security technology, late-model iPhones and Androids are indeed very effective at hiding information. But they make up only a small subset of the billions of smartphones in the world. Much of the rest of the smartphone market is outdated, buggy and downright leaky.

Smartphones with poor security can continue to be dangerous even after they part ways with their owners. Researchers at Avast, a European software-security company, found more than 2,000 personal photos, emails and text messages on 20 phones they bought at pawn shops in four cities.

The pawn-shop owners said the smartphones were reset to factory settings and wiped of previous owners’ data before hitting the shelves. But Avast found that half the phones that had been reset suffered from a bug in an outdated version of Android that leaves data vulnerable to recovery, even after it has been deleted.

Phones with this software bug continue to be sold today, said Gagan Singh, Avast’s president of mobile security.

But more often than not, the presence of easily recoverable data wasn’t the phone’s fault—it was the owner’s. Twelve of the 20 phones examined were not, in fact, factory reset.

On some, owners tried to delete their files manually. In those cases, researchers were often able to dig up the deleted files with free data-recovery tools available online. Other owners hadn’t even tried to delete files or perform a factory reset before selling their devices—and two phones were even still signed into old Gmail accounts.

It may not come as a surprise that the pawn-shop owners made less-than-accurate claims about the smartphones they were reselling. In fact, it could be that the smartphone owners that didn’t reset their phones to factory settings were not planning to sell their phones: Pawn shops often end up with lost and stolen electronics.

In the end, the researchers compiled a massive trove of recovered information. They found more than 1,200 photos, including nearly 150 of children; 300 emails and texts; three invoices; and one contract.

And in keeping with CSI lore, some of the recovered data was potential blackmail material. Researchers found 170 Google searches for porn, 200 explicit photos and one adult video.

Advanced recovery methods can find even more: A pair of researchers at Cambridge University were able to extract passwords and encryption keys from buggy Android phones that had been factory reset.

As new smartphones ship with stronger and stronger encryption, used phones are becoming less likely to cough up previous owners’ information. The difference is stark: When Avast’s researchers ran a similar experiment last year, they found 40,000 emails, texts and photos. That’s a 95 percent decrease in just one year.

Current iPhones, for example, are outfitted with full-disk encryption, which renders data indecipherable without a passcode. This technology, which has locked the FBI out of many phones it wants to access, has also led to a drop in smartphone thefts.

But the newest, shiniest smartphones are out of reach for many in the U.S. and abroad. If a CEO leaves an iPhone 6S in a taxi and it’s stolen, an assistant can lock it remotely and expense a new one the next day. But for those who can’t afford a $650 phone, cutting-edge encryption is not the default. And that means that someone selling their entry-level smartphone at a pawnshop—perhaps for some cash between paychecks—can be putting themselves at risk of potentially disastrous credit fraud or identity theft.

(Image via /

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Modernizing IT for Mission Success

    Surveying Federal and Defense Leaders on Priorities and Challenges at the Tactical Edge

  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

  • Effective Ransomware Response

    This whitepaper provides an overview and understanding of ransomware and how to successfully combat it.

  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.


When you download a report, your information may be shared with the underwriters of that document.