CourseLover
$10/per page/Negotiable
i need it in less then 20 minute just a summary.
1:Introduction
An increasing amount of used smartphones hitting the market renders ever more users vulnerable to the theft of personal data[10]. Gartner found sixty four percent of users who upgraded their phones put their phones on the used market, generating seven billion USD in 2014[10]. If users grow concerned about their ability to sanitize personal information from the phone, that lucrative market could well be cut to the quick. Worse, depending on the nature and publicity of the theft of personal user data, users' privacy concerns could affect the entire smartphone industry. The specter of legal liability for the loss of sensitive data is another potential choke on a currently vibrant industry. This potential theft of personal data can be guarded against by sanitizing the smartphone which “refers to a process that renders access to target data on the media infeasible for a given level of effort”[2:1]. Smartphone users are instructed to accomplish this by means of a “factory reset” in which the device is theoretically returned to it's initial state fresh from the factory. Reports from 2014[4] have raised concerns as to the effectiveness of this service. More recent and involved investigation[3] reveals that for many Android devices the “factory reset” demonstrably does not sanitize the device at all. This paper examines the implications of these facts to the security of the personal data of a device reseller. The paper begins with a brief overview of Android devices, particularly the difficulties in sanitizing their solid state memory, and their distributed production(2). It follows with an overview of what sanitizing an Android device entails and why completely sanitizing an Android device in a manner that leaves it fit for resale may not be viable in many Android devices(3). The paper then discusses the economic value of stolen data(4) which form the thrust of our contribution to the ongoing conversation. The results from that support our thesis that:
It is infeasible to completely sanitize most Android devices in a way that leaves them intact, but it is possible for the typical user to secure their data sufficiently to render theft uneconomic.
The remainder of the paper consists entirely of a summary of the paper(5) and our references(6).
2: Android Overview
Android is an OS developed by Google targeted primarily at smartphones, though they have expanded to other and built around the linux kernel. There are two things that make sanitizing Android devices trickier than sanitizing other forms of media. The first is that Android devices are manufactured by many different vendors, many of whom are rather lax about updating[11]. While Google puts out standards for hardware, their ability to rigorously enforce those standards is lacking.
The second issue is common to most smartphones, that the memory is a solid state drive, for a number of reasons having to do with speed and access, but predominantly because the motions a phone will go through tend to be unhealthy for the disk drives used in other computing devices. The greatest difficulty with SSDs is how they differ from generally better understood hard disk memory drives, as “An SSD’s owner might apply a hard drive-centric sanitization technique under the misguided belief that it will render the data essentially irrecoverable”[1:3]. Solid state drives are difficult to overwrite from a user level because is place overwrites are not possible in a SSD[1:3] leaving theoretically overwritten data Cleared, or sanitized against non-invasive digital techniques by NIST standards[2:17] but not digitally sanitized, accessible via the firmware [1:2]. Completely preventing the data from being accessed by lab techniques or purging[2:17] the data is exceptionally difficult without just destroying the SSD, as most SSDs possess more physical space than they present as possessing logically[1:3] in order to prolong the life of the SSD which by it's nature supports only a limited number of read/write operations before decaying. While it is functionally impossible to overwrite a single file[1:7], techniques to sanitize the entire drive do work most of the time. When it exists, some SSDS do have a sanitize command that will wipe the entire drive[1:4], but that requires that it be included and implemented correctly. In most cases two complete random filling of the SSD will sanitize all of the data on the drive[1:6], which while not perfect for all cases, is better than nothing. If the entire SSD is encrypted, sanitizing the drive becomes as quick as deleting the encryption key[1:6], which works well, so long as the key is properly sanitized, which some Android devices have trouble with[3:7].
3: Sanitizing an Android Device
There are a couple of simple ways for the owner of an Android device to sanitize it before putting the device on the second-hand market. The focus of this section is on simple ways to sanitize the device that do not require root access, working with the understanding that any user with enough technical aptitude to root the device will also possess sufficient aptitude to sanitize it. Be advised that the following techniques are only capable of sanitizing a device on a logical level which is essentially Clearing in the NIST 800-88[2] standards. If the data on the Device is sensitive enough to require more thorough sanitization, they can be purged as per the NIST 800-88 standards via physical and complete destruction of the memory. Degausing will not work[1:6], and the memory must be completely physically destroyed. Note that even resorting to such expedient as shooting the device may leave some memory recoverable[2:24].
The easiest way for the user to sanitize the device is based on Google's recommendation[3:7] of enabling full disk encryption and then once the device is fully encrypted, triggering a factory reset as described below. Note that not all devices support full disk encryption for external media[3:7], so the reseller may wish to remove any sd cards before placing the device on the second-hand market. It is important to note that the encryption is based on the user's password which while stored in a salted hash is not deleted by a flawed factory reset, so a weak password may render the encryption breakable, leaving the supposedly sanitized data exposed[3:7].
Some Android devices, particularly old ones that are sold when getting an upgrade, may not have full disk encryption capabilities, so they will need to fall back on the protection offered by a “factory reset”. There are applications available on Google's application store, many of which are free, which purport to attempt to overwrite the entirety of storage, thus providing a logical sanitization. Those apps do not work. That technique could be functional, but only if a device is rooted, otherwise the limited access means it will not overwrite everything as noted in section (2)[3:7-8].
The “factory reset” present in many Android devices will not effectively sanitize the device at even a logical level[3][4]. As of tests run in 2014 “Android devices did not delete most emplaced user files in the [factory] reset”[4:14]. Google's own nexus phones seem to be the exception, with a “factory reset” completely clearing the userdata section of the phone's memory[5:86] and confirmed in [3:4].
5:Summary
-Strong review of key conclusions.
-Strong integration with thesis statement.
--Essentially repeat thesis here, tie it into key conclusions.
-Insightful discussion of impact of the researched material on topic.