What’s the first thing you do when buying a new Android phone? Well, unless you are a bit paranoid, you hook it up with your Google account (it’s kinda difficult not to). What’s the last thing you do before passing it on? Hopefully a factory reset (even if you are not paranoid). In between you probably do the usual stuff: enter your credit card number to buy digital goods, do some online banking, store naughty pics of your better half… In short, you let the phone gather a lot of sensitive information over time.
Here’s an interesting study by Laurent Simon and Ross Anderson finding that pretty much all current Android devices do not properly sanitize their flash storage upon factory reset, potentially allowing the next owner to recover private information such as passwords.
It’s really time that Android gets a removable/disposable system memory that is not an SD card.
