
@zackeryfretty

Secure Erasing Android Devices Guide for the Super Paranoid Seller.


Any of my friends would tell you that I'm crazy paranoid about malicious users--especially when I sell off my old electronics. I'm the type of guy who'd prefer to put a nail through an old device. Unfortunately I'm also the type of guy that likes to buy the new Nexus devices every time they release--so I prefer to sell my old devices to help fund my new purchases. To do this I had to come up with a way to make myself feel good about selling my old devices. Now I know one really easy way to do this is to enable encryption on your device and then format it. For some reason when selling my HTC One X the encryption just kept failing, and the SD card is non-removable, so I needed to find a way to get peace of mind and still sell the device--which led me to come up with this method.

I'm not 100% sure, but I believe you might need BusyBox/Root installed to do this--or it's possible you can do it using just the Android SDK (which you will need), but I am going to assume anyone who understands that factory resetting your device doesn't actually remove any data is more than likely the same type of person who'd be rooting their Android devices.

Also, just as a side note, I'm not saying this is the most secure thing in the world, but it's what I do and it makes me feel pretty good. I've confirmed by running Recuva in deep scan mode that I wasn't able to recover any data from the /sdcard; however, I have no way to confirm for the /data partition. I'm just assuming it works just as well as it did for the internal SD card.

This process essentially includes two steps:

  1. Formatting the Storage
  2. Zeroing out /sdcard and /data

So let's get started...

Step 1 -- Formatting the Storage

This is a pretty basic deal, and when you buy a used phone online it's likely as far as the previous owner went to secure their data--which I assure you isn't much at all. A factory reset recreates the filesystem, which only tells the OS that the blocks where your data used to be are now "Available" to be written over; the old contents stay on the flash until something actually overwrites them. If you run a tool like Recuva against the storage after a plain Factory Reset, you'll be able to recover many of the files. This isn't just an Android thing--a quick format behaves the same way on any storage medium. Flash media is a partial exception, because a controller that supports discard/TRIM may erase freed blocks on its own schedule, but that is not something you can count on or verify from the outside. The reason I use this as a starting point is that it marks everything as "available" for writing, which is exactly what the next step relies on. To do this you can either use your recovery or go to Settings > Backup and Reset > Factory Reset and let the OS do its thing.

Step 2 -- Zeroing out /sdcard and /data

Now that we've labeled all the data on the device as available for writing, it's time to start "zeroing out" that space, which means filling every free block with filler so the old contents are overwritten. (The commands below actually pull filler from /dev/urandom, so strictly speaking this is overwriting with random bytes rather than zeros; either works for the purpose.) Ideally, after doing this, anyone who attempts to restore your data will be restoring the filler and not your personal data. On older HDDs it's a good idea to do this multiple times, but many experts have suggested one pass is all that's necessary on flash media. One caveat worth knowing: a file-level overwrite only reaches the blocks the filesystem is allowed to allocate. Flash controllers do wear-levelling and keep spare (over-provisioned) blocks that the filesystem never sees, so a remapped block can still hold an old copy of your data. That is why whole-device encryption before the reset is the stronger option when it works, and why this method is a practical defence against recovery software rather than a guarantee against someone reading the flash chips directly.

First thing you'll want to do is open a command line and navigate to the platform-tools folder of the Android SDK, where you'll find fastboot and adb. It's found under wherever you installed the SDK, e.g. /androidsdk/platform-tools.

Once in your platform tools run the following command:

./adb devices

If you get a printout with a serial number you are good to go--this means that your computer can talk to your phone just fine. If you don't get anything, be sure to go into your Developer Settings and enable USB Debugging.

Once you've got the phone and the SDK speaking together type the following command to access the shell of your device:

./adb shell

You should be greeted by a shell prompt on the device (Android ships a minimal sh rather than bash, but it behaves the same for our purposes).

Once in your phone's command line, run the following command:

dd if=/dev/urandom of=/sdcard/junkfile

You won't get a response for a while. What this is essentially doing is creating a file filled with random data on your phone's SD card until it's completely full--at which point dd will fail with "No space left on device" and halt. You can verify progress by going into Settings > Storage and watching the % free on your SD card continue to go down.

When the process is all done, dd prints its records in/out summary with the number of bytes it wrote. That figure should be close to the free space on your SD card, which after the factory reset is nearly the card's full size.

Once the process is complete we'll want to repeat the same line, with a slight modification as follows:

dd if=/dev/urandom of=/data/junkfile

This will create another junk file on your device filled with random data, except rather than being in /sdcard it'll be in /data. /data is where app data, accounts, and the settings for your various apps are stored. The way that I verified this process was still running was by opening another terminal window and using ./adb shell to run ls -all -h to watch the size of the file continue to grow, as shown below:

You can see the size of "junkfile" going from ~600MB to ~1.5GB. Once the /data partition is completely full you'll not only get the dd summary on the shell, but your Android device should also pop down a notification that storage space is running out and system functions might start breaking--for once this is good!

So at this point you've successfully filled your /data and /sdcard folders, the two main areas where personal information is stored on Android, with a bunch of random data.

The next and final step of the process is to simply return to Step 1 and Factory Reset the phone one last time. This gets rid of the junk files, marks the space as "Available" again, and gives the new owner of your device a "new phone" experience. It's not strictly necessary I suppose, but I'm guessing the buyer of your phone won't take too kindly to turning on a phone filled with storage-full error messages. ;)
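Here is the whole of Step 2 as one script, written as an added example for this guide rather than being the post's own commands. It assumes a BusyBox-style dd and wc on the device (as the post suggests you'll likely have), that /data/local/tmp is writable by the adb shell user so the script can be pushed there, and that you run it as root when targeting /data, since on a stock phone /data itself is not writable by the shell user while /sdcard is. It writes in 1 MiB blocks instead of dd's 512-byte default, which is noticeably faster, and defaults to /dev/zero as the filler; set SOURCE=/dev/urandom to keep the post's random-data choice. The optional MAX_MB argument caps the write so you can try the script on a desktop without filling your own disk; on the phone you leave it off so the file grows until the filesystem reports it is full.

```shell
#!/bin/sh
# fill_free_space.sh -- added example, not the original post's commands.
# Overwrites the free space of a directory's filesystem by growing a file
# until the kernel returns ENOSPC, then deletes that file.
# Assumed environment: POSIX sh with BusyBox-style dd/wc (Android with
# BusyBox, or any Linux/macOS box for a dry run).

# Filler to read from. /dev/zero is much faster than /dev/urandom; against
# file-recovery software the pattern makes no difference, only the fact
# that every free block has been rewritten.
SOURCE="${SOURCE:-/dev/zero}"

# fill_dir DIR [MAX_MB]
#   Writes DIR/junkfile in 1 MiB blocks until the filesystem is full, or
#   until MAX_MB MiB have been written when a cap is given (for dry runs).
#   Prints the number of bytes the file ended up holding.
fill_dir() {
    dir="$1"
    max_mb="${2:-}"
    target="$dir/junkfile"
    if [ -n "$max_mb" ]; then
        dd if="$SOURCE" of="$target" bs=1048576 count="$max_mb" 2>/dev/null
    else
        # dd exits non-zero with "No space left on device" once the
        # filesystem is full; that is the expected way this loop ends.
        dd if="$SOURCE" of="$target" bs=1048576 2>/dev/null || true
    fi
    sync
    wc -c < "$target" | tr -d ' '
}

# scrub_dir DIR [MAX_MB]
#   fill_dir followed by removal of the junk file so the space is free
#   again. Prints the byte count that was overwritten.
scrub_dir() {
    bytes=$(fill_dir "$1" "$2")
    rm -f "$1/junkfile"
    echo "$bytes"
}

# Usage from the desktop (assumes adb is on PATH and USB debugging is on):
#   adb push fill_free_space.sh /data/local/tmp/
#   adb shell sh /data/local/tmp/fill_free_space.sh /sdcard
#   adb shell su -c 'sh /data/local/tmp/fill_free_space.sh /data'   # needs root
#   adb reboot recovery    # then run the factory reset from recovery
# With a directory argument the script scrubs it; with none it only
# defines the functions so it can be sourced.
case "${1:-}" in
    "") ;;
    *)  [ -d "$1" ] && scrub_dir "$1" "${2:-}" ;;
esac
```

The byte count printed at the end is the figure to compare against the free space Settings > Storage reported before you started: if it is far smaller, dd stopped early (a permission error on /data is the usual cause) and the partition has not been overwritten.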

I'm no expert; however, as I stated before, when running recovery software I was unable to recover any data from my HTC One X when I sold it--so I'd say this method is pretty handy at cleaning the device against 99.9% of users out there.

A little over the top? Definitely. That's exactly how I like it!
