Why Data Deletion Fails? A Study on Deletion Flaws and Data Remanence in Android Systems
Title | Why Data Deletion Fails? A Study on Deletion Flaws and Data Remanence in Android Systems |
Publication Type | Journal Article |
Year of Publication | 2017 |
Authors | Shu, Junliang; Zhang, Yuanyuan; Li, Juanru; Li, Bodong; Gu, Dawu |
Journal | ACM Trans. Embed. Comput. Syst. |
Volume | 16 |
Pagination | 61:1–61:22 |
ISSN | 1539-9087 |
Keywords | data recovery, file carving, mobile security, pubcrawl, remanence, Resiliency, secure deletion |
Abstract | Smart mobile devices are becoming the main vessel of personal privacy information. While they carry valuable information, data erasure is somehow much more vulnerable than was predicted. The security mechanisms provided by the Android system are not flexible enough to thoroughly delete sensitive data. In addition to the weakness among several provided data-erasing and file-deleting mechanisms, we also target the Android OS design flaws in data erasure, and unveil that the design of the Android OS contradicts some secure data-erasure demands. We present the data-erasure flaws in three typical scenarios on mainstream Android devices, such as the data clearing flaw, application uninstallation flaw, and factory reset flaw. Some of these flaws are inherited data-deleting security issues from the Linux kernel, and some are new vulnerabilities in the Android system. Those scenarios reveal the data leak points in Android systems. Moreover, we reveal that the data remanence on the disk is rarely affected by the user's daily operation, such as file deletion and app installation and uninstallation, by a real-world data deletion latency experiment. After one volunteer used the Android phone for 2 months, the data remanence amount was still considerable. Then, we proposed DataRaider for file recovering from disk fragments. It adopts a file-carving technique and is implemented as an automated sensitive information recovering framework. DataRaider is able to extract private data in a raw disk image without any file system information, and the recovery rate is considerably high in the four test Android phones. We propose some mitigation for data remanence issues, and give the users some suggestions on data protection in Android systems. |
URL | http://doi.acm.org/10.1145/3007211 |
DOI | 10.1145/3007211 |
Citation Key | shu_why_2017 |