Here is Android security issue that affect more than half of all users of Google’s Android mobile operating system or at least 500 million devices. What’s the problem? A factory reset of devices running Android 4.3 or earlier did not erase the user’s contacts, emails, Facebook login, Google login and other sensitive credentials + data.

Cambridge University researchers Laurent Simon and Ross Anderson tested 21 Android phones and concluded that Android 4.3 (Jellybean) and earlier versions — more than half of all Android devices in use — have a serious, serious security flaw. That is, performing a factory reset, which should result in a clean device, actually results in a device that will allow the user, any user to login into and use a variety of services, including contacts, email, Google, Facebook and more.

They report their findings in the recently published Security Analysis of Android Factory Resets (PDF):

After the reboot, the phone successfully re-synchronised contacts, emails, and so on. We recovered Google tokens in all devices with flawed Factory Reset, and the master token 80 percent of the time. Tokens for other apps such as Facebook can be recovered similarly. We stress that we have never attempted to use those tokens to access anyone’s account.

They didn’t, but certainly others will or have.

So, “only” a little more than half of Android smartphones running older versions of the OS are affected, so what? Actually, this issue affects those selling or otherwise handing down Android 4.3 and earlier smartphones — gonna be the majority of second-hand devices currently available.

That said, the Android factory reset issue is just the latest in a long, long sad string of Android security issues — Android App Piracy, Malware: Hell Stew Stimies Devs, Mobile Malware? Think Android Malware, Inception Cloud Atlas Malware Loves Windows, Android . Again, Android malware accounts for over 95 percent of mobile malware…

That said, given that the Android factory reset issue only affects older (Android 4.3 and earlier), will Google or its handset + carrier partners even bother to fix it? I doubt it…

What’s your take?

Via Ars Technica