Suhan Gorya
I'm about to sell my phone, and I want to erase my data. Are the
built-in methods secure? Could someone with data recovery software still uncover my private information?
Sincerely,Total Wipe of the Phone
The
good news is that, in general, most phones are pretty good at securely
removing your data when you're done with the device. There are still
some measures you need to take to protect yourself before you pass the
handset off, though.
What Everyone Should Do
- Remove your SIM card: While most of the data that you store is kept
on your internal storage or micro SD card, it's still possible for
contacts or call logs to be kept on your SIM card. The person you're
selling it to has no need for this, so always be sure to remove it. - Remove
your micro SD card: Similarly, if your phone has a micro SD card,
chances are you don't really want or need to give it away. To truly
ensure that the data on your micro SD card is secure, keep it to
yourself. - Erase and format your SD card: If you absolutely have
to include your micro SD card with your phone, then you'll at least want
to erase and format it. You can usually do this via the Settings app.
You can also do it by connecting it to a PC, but if you format it with
the wrong file system for your phone, it might not recognize the card.
Again, though, the best way to secure your data is to keep your card.
you've taken care of all this, the only thing that's left should be
your device's internal storage. iOS and Android have slightly different
ways of handling this, but both are mostly straightforward.
How to Securely Wipe Your Phone
the rest of this, we're going to talk about how to secure your internal
storage, but first it's worth explaining a bit about how flash memory
works. As you're probably aware with normal platter hard drives, data
isn't really erased when you delete something. The internal flash memory
in your smartphone isn't quite the same. Because it's not a magnetic
storage medium, the methods used to recover data on an old hard drive
won't be the same as tools to pull from your phone. Among other things,
this means that while rewriting data seven times is a standard method
for erasing magnetic media, it won't do much to make your data more
secure.
That being said, for most of the average user's needs,
your phone already has the tools built in to securely erase your phone's
data. If you carry military secrets around on your unprotected Galaxy
S4, well...for starters, you probably shouldn't. But if you do, you
should probably consult someone with a PhD in something before you lose
your phone in a bar. Everyone else may continue.
iOS: Use the Default Erase Setting
iOS users, your job is pretty simple. The iPhone has built-in options
that securely erase your phone. On old phones, it goes through a long
secure erase process, but on the iPhone 3GS and iOS 3.0, Apple moved to
hardware encryption on its phones. From that point on, all data you
store on the internal storage (which, aside from anything on the SIM
card, is everything) is automatically encrypted. Your phone uses a
device-specific key that's never stored anywhere but your handset.
When
supported iOS devices wipe your phone, what's really happening is that
the hardware-specific encryption key is securely wiped. Everything else
on your phone is left an unintelligible mess,
even if someone were to use a fancy forensics lab to physically examine
the memory chips which 99% of you will probably never have to deal
with.
So what do you need to do to securely erase your phone? Just head t
Settings > General > Reset > Erase all Content and Settings.
That's
it. On any iPhone including or following the iPhone 3GS (as well as all
iPads and any iPod Touch 3rd Generation and later), this will use the
hardware encryption method described above. It will be very fast, yet
still leave your data secure. For any older devices, the process will
actually take a lot longer, as iOS will overwrite all of your data with
random information to prevent it from being read later. Either way,
though, this should be as secure of a wipe as you can get.
Android: Encrypt Your Phone, Then Erase
phones are set up a little differently from iPhones (shocker, I know),
and they vary somewhat from manufacturer to manufacturer. However, in
general the default options are mostly secure. We talked with Android
security researcher and Elite Recognized Developer on XDA jcase and he gave us a few pointers in the right direction.
Unlike the iPhone, Android encryption
is not done on a hardware level. For starters, this means if you want
to have your phone encrypted, you'll need to enable it manually in
Settings. This process will take a while and, from then on, you'll need
to enter a PIN when you first boot your phone (not to be confused with
your lock screen PIN). It can also cause some slight performance
decreases, so keep that in mind. This process also can't be reversed
without wiping your phone, so consider carefully before you commit.
Now,
on Android, you have two options for wiping your phone: you can either
do a factory reset (located in different places depending on your phone,
but should be under something like "Backup & reset") which will
wipe everything you've ever stored in any user-accessible area of storage. For most people, this will be enough to ensure that no one will be able to access data you've ever stored.
How
effective a basic wipe is can depend on how well the manufacturer
implemented its factory wipe. When we spoke to jcase, he said that some
manufacturers' methods can still leave behind recoverable data.
Additionally, if you root your phone and use a custom recovery, wiping
via the recovery might not do everything properly.
While, ideally,
you shouldn't have to overwrite your phone to erase data using a
factory reset, if you're unsure or want to be extra safe, encrypting
your phone (usually found in Settings under "Security") before wiping it
can provide some reassurance. Just be aware that it may be redundant on
certain phones. Still, better safe than sorry.
Of course, the last line of defense before you sell your phone is to vet your buyer.
If you're using a CDMA device, be sure to deactivate your phone with
your carrier before handing it off. And while you're at it, make sure
you've taken care of your phone and are selling it for as much as possible. Alternatively, there's the ultimate security tool if you're worried about someone pulling data from your phone: don't sell it.
No comments:
Post a Comment