Tesco tablets vulnerable to file recovery issues

Sensitive data stored on Android devices such as the Tesco Hudl can still be accessed even if a user has carried out a factory reset, the BBC has learned.


Three separate tests on various Android tablets concluded that data is not actually removed, even after users have chosen the factory reset option. In some tests, only the list of file locations was deleted and nothing else.

A secure wipe, however, removes the index as well as the contents of on-board memory, preventing the data from being recovered by anyone else.

The situation mirrors the 'index-only delete' security problem seen on Windows 95 and 98, where users of those early Windows operating systems could use 'disk doctor' utilities to recover the file indices and their locations and so reverse the file erasure process.

It remains unclear which versions of the Android operating system are affected by the problem, which the BBC says means that several tablets may be vulnerable, most notably the Hudl, a budget quad-core tablet from Tesco that had sold 500,000 units by April of this year.

The issue means that data 'deleted' from a second-hand Android device could, in many cases, be brought back from the dead. This could be a problem for portable devices sold on auction sites such as eBay, as well as via second-hand IT shops.

Tesco says it is investigating the issue, but adds that customers should always ensure all personal information is removed prior to giving away or selling any mobile device. To guarantee this, the retailer says that customers should use a data wipe programme.

To solve the problem, users should enable the encryption feature within Android settings and only then complete the factory reset. This prevents the data from being resurrected.
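The difference between an index-only reset, a secure wipe, and encrypting before the reset can be seen in a small simulation. This is an added example, not code from the BBC tests or from Android; `ToyDevice`, the SHA-256 keystream standing in for real disk encryption, and the sample secret are all constructed assumptions.

```python
import hashlib
import os

BLOCK = 32  # constructed block size for the toy device

def keystream(key, n):
    """Toy SHA-256 counter keystream; a stand-in for real disk encryption."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]

class ToyDevice:
    """Simplified storage model: raw blocks plus an index of name -> block."""
    def __init__(self, encrypted=False, blocks=8):
        self.raw = bytearray(blocks * BLOCK)
        self.index = {}
        self.key = os.urandom(32) if encrypted else None

    def write(self, name, data):
        n = len(self.index)
        data = data.ljust(BLOCK, b"\0")[:BLOCK]
        if self.key:  # encrypt each block under a per-block keystream
            ks = keystream(self.key + bytes([n]), BLOCK)
            data = bytes(a ^ b for a, b in zip(data, ks))
        self.raw[n * BLOCK:(n + 1) * BLOCK] = data
        self.index[name] = n

    def factory_reset(self, secure=False):
        self.index.clear()   # the list of locations is always dropped
        self.key = None      # assumption: the reset discards the encryption key
        if secure:           # a secure wipe also overwrites the memory itself
            self.raw[:] = bytes(len(self.raw))

def recoverable(device, needle):
    """True if the plaintext is still present in raw storage after a reset."""
    return needle in bytes(device.raw)

def run_demo():
    secret = b"PIN=4921 (constructed sample)"
    cases = {"index-only reset": (False, False), "secure wipe": (False, True),
             "encrypt, then reset": (True, False)}
    results = {}
    for label, (encrypted, secure) in cases.items():
        dev = ToyDevice(encrypted=encrypted)
        dev.write("notes.txt", secret)
        dev.factory_reset(secure=secure)
        results[label] = recoverable(dev, secret)
    return results

if __name__ == "__main__":
    print(run_demo())
```

In the encrypted case the blocks are still physically present after the reset, but without the key they are unreadable ciphertext, which is why encryption has to be enabled before the reset rather than after.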

Rob Bamforth, a principal analyst with Quocirca, the business and IT research house, said that the reset/non-delete problem affects several Android devices, not just the Hudl, and can also affect Apple iOS-based units.

He says there are also other portable operating system platforms that can be affected, most notably the BlackBerry smartphone, where data has been recovered from units sold on eBay.

"This issue is becoming more of a risk now that, whatever you're doing to interact with someone - the government, banks, utilities and so on - it is likely to be using an app provided by the third-party organisation. The reality is that 'online' has become synonymous with 'on the move' and when you use a portable device, the security risks rise," he explained.

Bamforth says that, despite the security issues associated with using portable devices on the move, most users are generally pretty lax - and do little to protect things themselves.

The irony here, he went on to say, is that today's 'selfie generation' often do not want to keep anything private anyway, as most of it will end up on their social media services.

"It might seem better that it's not in a vulnerable browser, but if the apps aren't storing data securely, who knows what might happen," he said, adding that the Hudl incident highlights - once again - the subtle differences between different versions of Android and their hardware.

One implementation of Android, he says, may be okay from a security perspective, depending on the hardware beneath the operating system, but, he adds, the question is who should be responsible for fixing this problem? Google, Tesco or Wistron, the company that makes the Hudl for Tesco?

"At least with Apple the buck has a slightly better defined stopping place. This latest security saga just goes to show that when it comes to finding vulnerabilities in mobile security, every little helps," he quipped.