Avast, a leading mobile security application company, recently conducted a mini “study” in which they bought 20 Android phones on eBay whose sellers had wiped all their personal data – or so they thought. Avast then used some easy (and widely available) recovery software to see what they could extract from the phones. The results – which have been picked up by CNET, the BBC, FierceCIO and more – were disconcerting. Despite the phones supposedly having been wiped, the analysts were able to find “more than 40,000 stored photos . . . more than 750 photos of women in various stages of undress . . . [and] one completed loan application” (read the full findings here).
Should you be concerned about your corporate and personal data being accessible to the next user of your mobile phone or tablet?
A couple of things to note:
Google responded that Avast used outdated smartphones and that their research did not “reflect the security protections in Android versions that are used by the vast majority of users.” The takeaway here is: the older the phone, the less mature the security protection it has. This means that newer phones and phones in the future will have better security measures. Security experts already know that older phones never had the most effective ‘factory reset’ option.
Avast apparently claimed that encryption is not effective. On Android devices, you must turn encryption on yourself – it is not the default. (On Apple iOS devices, encryption is on by default and is not an optional feature.) While encryption does not offer absolute protection, it is a useful deterrent, since it is unlikely that anyone will invest the extra effort required to recover the average person’s data. We recommend encryption for any corporate mobile device – laptop, phone or tablet. See this Fierce IT post for their comments on encryption as well.
Some security experts interviewed claim that the only truly secure way to keep your data from being recovered is to destroy the device. But just as with other data storage devices – hard drives from computers, laptops, servers, and storage arrays – you should consider the type of data on the device and the risks associated with it. For some types of data, in some industries, physical destruction may be the right answer. But for most businesses, using a certified vendor with professional erasure tools and audited processes will ensure full destruction of your data and the ability to resell the hardware.
LifeSpan’s process for data erasure on mobile devices is subject to the same rigor as for magnetic and SSD hard drives. In addition to erasure, factory reset and reloading the operating system onto the device, we perform the same QA process that we do for hard drives. Our own forensics checks have shown that we can fully erase data from mobile devices. If we find a device that could not be fully erased by our process, we will destroy it.
To learn more about the risk-based approach to data destruction processes for SSD and flash drives, download this whitepaper, “Advances in SSD Erasure Solutions.”