Diligent Android users may have done the right thing and factory reset their devices before selling them, but researchers have shown personal information can still be recovered from dozens of devices, even after they've been wiped.
As many as 500 million smartphones running older versions of Android may still be carrying data including Google and Facebook account details, SMS and email content that users would likely assume would be deleted from their devices after a factory reset.
Cambridge University security researchers Laurent Simon and Ross Anderson tested 21 Android devices from Samsung, HTC, LG, Motorola, and Google that were running Android versions 2.3.x Gingerbread to 4.3 Ice Cream Sandwich bought on eBay in the UK and from phone recycling companies.
Worryingly for anyone selling on their old Android device, many of the handsets tested didn't properly wipe the data partition where account details are stored, offering fraudsters numerous options to scam the smartphones' former owners or access their online accounts.
"We were able to retrieve the Google master cookie from the great majority of phones, which means that we could have logged on to the previous owner's Gmail account. The reasons for failure are complex; new phones are generally better than old ones, and Google's own brand phones are better than the OEM offerings," Anderson wrote on his Light Blue Touch Paper blog.
To illustrate the impact on users, the researchers ran a factory reset on their own phone and recovered its Google master token, which could then be used to access content from Google accounts.
"We then created the relevant files and rebooted the phone. After the reboot, the phone successfully re-synchronised contacts, emails, and so on. We recovered Google tokens in all devices with flawed Factory Reset, and the master token 80 percent of the time. Tokens for other apps such as Facebook can be recovered similarly. We stress that we have never attempted to use those tokens to access anyone's account," they said.
In total, they estimate that 500 million old Android handsets may not have properly sanitise the relevant data partition while a further 630 million may only have partially sanitised their SD card - where multimedia files may be stored.
The source of the problems were numerous, including how OEMs implemented data erasing features and failing to include drivers that support data sanitisation on the handsets.
Read more on Android security