Diligent Android users may have done the right thing and factory reset their devices before selling them, but researchers have shown personal information can still be recovered from dozens of devices, even after they've been wiped.
As many as 500 million smartphones running older versions of Android may still be carrying data, including Google and Facebook account details and SMS and email content, that users would likely assume had been deleted from their devices by a factory reset.
Cambridge University security researchers Laurent Simon and Ross Anderson tested 21 Android devices from Samsung, HTC, LG, Motorola, and Google, bought on eBay in the UK and from phone recycling companies, that were running Android versions 2.3.x Gingerbread to 4.3 Ice Cream Sandwich.
"We were able to retrieve the Google master cookie from the great majority of phones, which means that we could have logged on to the previous owner's Gmail account. The reasons for failure are complex; new phones are generally better than old ones, and Google's own brand phones are better than the OEM offerings," Anderson wrote on his Light Blue Touch Paper blog.
To illustrate the impact on users, the researchers ran a factory reset on their own phone and recovered its Google master token, which could then be used to access content from Google accounts.