Google 'Master Cookie' remains after Android factory reset

News by Adrian Bridgwater

Millions of Android smartphones 'may not properly sanitise' internal SD card and data partitions... leading to residual data staying on 'wiped' devices

A new May 2015 report emanating from the University of Cambridge's computer laboratory security group has aired doubts over the effectiveness of the ‘Factory Reset' function in smartphones shipping with the Android operating system.

University of Cambridge professor of security engineering Ross Anderson and student associate Laurent Simon write in the white paper ‘Security Analysis of Android Factory Resets' the assertion that, “With hundreds of millions of devices expected to be traded by 2018, flaws in smartphone sanitisation functions could be a serious problem.”

The pair studied the implementation of Factory Reset on a total of 21 Android smartphones from five vendors running Android versions v2.3.x to v4.3.

According to the Cambridge researchers, the factory reset function on most Android phones doesn't work properly and more than 340 million phones are vulnerable.

Sanitised, for your protection?

“We estimate that up to 500 million devices may not properly sanitise their data partition where credentials and other sensitive data are stored, and up to 630 million may not properly sanitise the internal SD card where multimedia files are generally saved,” write the pair.

The implications of non-sanitised smartphones for users are twofold. Previous owners may risk their banking, social or other personal information being passed onwards to new users. Equally, new users may be susceptible to the risk of malware operating on what they believe to newly wiped devices.

Anderson explains that he was able to retrieve the ‘Google master cookie' from the ‘great majority' of phones he tested; meaning access to a user's Gmail account would be straightforward enough for serious hackers.

Cookie monster problem?

Google's developer pages state that users can clear (delete) single cookies, all cookies in a selected ‘frame group', or cookies from a specific domain. The pages also detail the relationships that exist between various cookie groups all the way to the master cookie.

Speaking to this weekend, Anderson said that all users need to sanitise a phone when they buy it (so you don't get unexpected malware) and again before you sell it for privacy.

“I now turn on encryption on my phone so that if it's lost or stolen the data will be harder to recover. And if that happened I'd also blacklist the phone on Google dashboard so that even if the thief gets access to my credentials he still won't be able to log on to my gmail account,” he said. 

Anderson continued, “In the long run, vendors must fix the problem. At least with Android 5, encryption is turned on by default. Yet the vendors still have some work to do to make backup, reset and recovery functions all work properly."

Writing separately on the University's Light Blue Touchpaper blog, Anderson says that the reasons for this functionality miscarriage are complex.

He laments the fact that many security software vendors offer a facility to lock or wipe a phone remotely when a device is lost or stolen, plus it's a standard feature with mobile anti-virus products. But these ‘solutions' only work so far because they are essentially user-initiated processes.

“These failings mean that staff at firms that handle lots of second-hand phones (whether lost, stolen, sold or given to charity) could launch some truly industrial-scale attacks,” writes Anderson.

Would you buy a second-hand smartphone?

Various tech trade and business media sources have suggested that the market for traded second-hand smartphones is ‘about to explode' over the next half decade.

Toni Sacconaghi of investment research firm Sanford C Bernstein has estimated that used phones will ‘cannibalise' as much as eight percent of total new smartphone sales by as soon as 2018.

Rajinder (Raj) Tumber is a senior cyber security consultant and auditor within the aerospace and defence sector. Tumber spoke to to reinforce the understanding that in a world of advancing cyber-attacks and surveillance, complete data privacy is of the utmost importance.

“But looking at this case specifically… in the aftermath of performing a Factory Reset, the ability to recover user credentials, SMSes, emails and chats can, for example, lead to the risk of blackmail. With the recent uptake of Bring Your Own Devices (BYOD), sensitive corporate data as well as personal data can be compromised,” said Tumber.

Risks outside of Android?

He continued, “Whilst this study is appreciated, it is limited to Android smartphones. Further research needs to be undertaken to investigate Factory Resetting upon additional mobile devices and operating systems.”

The original report referenced above critical failures here (and the reason for this issue arising) are likely to be due to the lack of support by the Android OS and/or vendor-shipped drivers for secure deletion.

The report authors suggest that there is a responsibility now for both Google and handset manufacturers to mitigate these future risks.


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews