The ongoing high-profile legal fight between Apple and the government might give the impression that modern smartphones have evolved into impenetrable, encrypted fortresses. After all, even the FBI, with all its tools and resources, can’t hack its way into a 3-year-old iPhone.
Outfitted with the latest security technology, late-model iPhones and Android phones are indeed very effective at hiding information. But they make up only a small subset of the billions of smartphones in the world. Much of the rest of the smartphone market runs outdated, buggy software that leaks data.
Smartphones with poor security can continue to be dangerous even after they part ways with their owners. Researchers at Avast, a European software-security company, found more than 2,000 personal photos, emails, and text messages on 20 phones they bought at pawn shops in four cities.
The pawn-shop owners said the smartphones were reset to factory settings and wiped of previous owners’ data before hitting the shelves. But Avast found that half the phones that had been reset suffered from a bug in an outdated version of Android under which the reset removes the file-system references to the data but does not actually erase the flash blocks that hold it, so the data can be recovered even after it has been "deleted."
Phones with this software bug continue to be sold today, said Gagan Singh, Avast’s president of mobile security.
But more often than not, the presence of easily recoverable data wasn’t the phone’s fault—it was the owner’s. Twelve of the 20 phones examined were not, in fact, factory reset.
On some, owners tried to delete their files manually. In those cases, researchers were often able to dig up the deleted files with free data-recovery tools available online. Other owners hadn’t even tried to delete files or perform a factory reset before selling their devices—and two phones were even still signed into old Gmail accounts.
It may not come as a surprise that the pawn-shop owners made less-than-accurate claims about the smartphones they were reselling. In fact, it could be that the smartphone owners that didn’t reset their phones to factory settings were not planning to sell their phones: Pawn shops often end up with lost and stolen electronics.
In the end, the researchers compiled a massive trove of recovered information. They found more than 1,200 photos, including nearly 150 of children; 300 emails and texts; three invoices; and one contract.
And, in keeping with CSI lore, some of the recovered data was potential blackmail material. Researchers found 170 Google searches for porn, 200 explicit photos, and one adult video.
Advanced recovery methods can find even more: A pair of researchers at Cambridge University were able to extract passwords and encryption keys from buggy Android phones that had been factory reset.
As new smartphones ship with stronger and stronger encryption, used phones are becoming less likely to cough up previous owners’ information. The difference is stark: When Avast’s researchers ran a similar experiment last year, they found 40,000 emails, texts, and photos. That’s a 95 percent decrease in just one year.
Current iPhones, for example, encrypt stored data with keys tied to the user’s passcode, which renders the contents of the flash indecipherable without it. This technology, which has locked the FBI out of many phones it wants to access, has, together with remote locking, also been credited with a drop in smartphone thefts.
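To make concrete why a "deleted" or "factory reset" phone still gives up its photos, and why passcode-keyed encryption changes that, here is an added example, written for this page and not the code of Avast, the Cambridge researchers, or any recovery tool. It simulates a raw flash image with a toy file system: deleting a constructed JPEG the way most file systems do (drop the directory entry, keep the blocks) leaves it carvable by scanning for JPEG start/end markers, which is essentially what free recovery tools do; overwriting the blocks, or keeping the image encrypted under a key derived from a passcode, leaves nothing to carve. The file system, the sample JPEG bytes, the salt and the counter-mode XOR cipher are all constructed stand-ins (real devices use AES), and only the Python standard library is used.

```python
"""Carving a 'deleted' photo from a simulated flash image, and what stops it.

Added example, not code from the article or from any vendor. The toy file
system, sample JPEG bytes, salt and stream cipher are constructed for the demo.
"""
import hashlib

BLOCK = 512          # bytes per simulated flash block
NBLOCKS = 64         # 32 KiB image

# Constructed sample: JPEG SOI/APP0 header, filler, EOI trailer. Not a real picture;
# the carver only relies on the marker bytes, as real carvers do.
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01"
               + b"<constructed photo payload>" * 8
               + b"\xff\xd9")


class ToyFS:
    """Directory = dict name -> (first block, byte length); bytes live in `image`."""

    def __init__(self):
        self.image = bytearray(NBLOCKS * BLOCK)
        self.dirs = {}
        self.next_block = 0

    def write(self, name, data):
        start = self.next_block
        off = start * BLOCK
        self.image[off:off + len(data)] = data
        self.dirs[name] = (start, len(data))
        self.next_block += -(-len(data) // BLOCK)   # ceil division

    def unlink(self, name):
        """Ordinary 'delete': forget the name, leave the bytes on the flash."""
        del self.dirs[name]

    def reset_buggy(self):
        """A 'factory reset' that only rebuilds the directory: unlink everything."""
        self.dirs.clear()

    def wipe(self, name):
        """Secure delete: overwrite the blocks, then drop the entry."""
        start, length = self.dirs.pop(name)
        off = start * BLOCK
        self.image[off:off + length] = bytes(length)


def carve_jpegs(image):
    """File carving: ignore the directory, scan raw bytes for SOI ... EOI."""
    found, pos = [], 0
    while True:
        soi = image.find(b"\xff\xd8\xff", pos)
        if soi < 0:
            break
        eoi = image.find(b"\xff\xd9", soi + 3)
        if eoi < 0:
            break
        found.append(bytes(image[soi:eoi + 2]))
        pos = eoi + 2
    return found


def derive_key(passcode, salt):
    """Passcode -> key with PBKDF2-HMAC-SHA256 (iteration count kept low for the demo)."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 100_000)


def xor_keystream(key, data):
    """Toy counter-mode stream cipher (stand-in for AES); encrypt == decrypt."""
    out = bytearray(len(data))
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        chunk = data[i:i + 32]
        out[i:i + len(chunk)] = bytes(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


def scenario_reset_only():
    """Directory rebuilt, blocks untouched: the photo carves right back out."""
    fs = ToyFS()
    fs.write("IMG_0001.jpg", SAMPLE_JPEG)
    fs.reset_buggy()
    return carve_jpegs(fs.image)


def scenario_wipe():
    """Blocks overwritten before the entry is dropped: nothing to carve."""
    fs = ToyFS()
    fs.write("IMG_0001.jpg", SAMPLE_JPEG)
    fs.wipe("IMG_0001.jpg")
    return carve_jpegs(fs.image)


def scenario_encrypted(passcode, attempt):
    """Flash holds only ciphertext; returns (carved from flash, carved after decrypting
    with `attempt`). Without the right passcode the markers never appear."""
    salt = b"constructed-salt"
    fs = ToyFS()
    fs.write("IMG_0001.jpg", SAMPLE_JPEG)
    fs.reset_buggy()
    on_flash = xor_keystream(derive_key(passcode, salt), fs.image)
    decrypted = xor_keystream(derive_key(attempt, salt), on_flash)
    return carve_jpegs(on_flash), carve_jpegs(decrypted)


if __name__ == "__main__":
    print("reset only, carved:", len(scenario_reset_only()))
    print("wiped, carved:", len(scenario_wipe()))
    raw, ok = scenario_encrypted("1234", "1234")
    print("encrypted flash, sample recovered:", SAMPLE_JPEG in raw, "| right passcode:", ok == [SAMPLE_JPEG])
```

The point of the three scenarios is the one the article makes in prose: the buggy reset and the manual delete both leave the bytes on the flash for any carver to find, while an overwrite or a passcode-derived key removes the thing being carved for. Real file systems add complications (journals, wear-levelling copies, thumbnails in caches), which is why "wipe" on flash storage is harder than a single overwrite and why encryption from the start is the reliable fix.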
But the newest, shiniest smartphones are out of reach for many in the U.S. and abroad. If a CEO leaves an iPhone 6S in a taxi and it’s stolen, an assistant can lock it remotely and expense a new one the next day. But for those who can’t afford a $650 phone, cutting-edge encryption is not the default. And that means that someone selling their entry-level smartphone at a pawnshop—perhaps for some cash between paychecks—can be putting themselves at risk of potentially disastrous credit fraud or identity theft.