Second-hand mobile phones leak user privacy? It's not difficult to "fight back"

In recent days, a report from CCTV has made the privacy and security of second-hand mobile phones the focus of many friends. On the one hand, it is surprising enough that sensitive files can still be restored through technical means even though all personal information in the phone has been deleted and the built-in "factory reset" function has been used. On the other hand, there are actually businesses that specialize in such business, which means that "extracting sensitive information from second-hand mobile phones" may have formed a black industry chain.

Obviously, this is not good news for many ordinary consumers. However, looking through the relevant reports, we did not find any truly scientific and detailed answers to the questions of “why information can still be extracted from a phone that has been restored to factory settings” and “how to prevent yourself from becoming a victim”. Such reports that only emphasize the threat without explaining or conveying preventive measures may, to some extent, cause unnecessary misunderstandings and even further increase user panic.

In view of this, we at Sanyi Life have decided to explain to you as simply and popularly as possible the things behind the privacy leaks of second-hand mobile phones, and inform you of some prevention methods.

Why can deleted data on a mobile phone be restored? Because of the characteristics of flash memory

First of all, we need to explain the most core knowledge point in this whole incident, that is, how "restoring a second-hand mobile phone to factory settings led to user data leakage" was achieved.

As we all know, mobile phones usually have a "factory reset" function. After restoring the factory settings, all user data in the phone will be deleted, and all software installed by the user will disappear and be replaced by the pre-installed software at the factory.

Obviously, "factory reset" essentially involves two steps, first deleting user data and all settings, and then installing the pre-set factory apps. The "problem" is naturally in the step of deleting data.

Because when your phone completes the "factory reset" operation, the original data inside it may not be deleted at all.

Why is this the case? To understand this, we need to go deep into the phone and see how the phone's flash memory chip (the chip that stores data) actually works.

To put it in a simple way, the flash memory chip in a mobile phone is like a library. The "lattice" structure responsible for storing information is like the bookshelves in the library, and the data stored by the user is naturally equivalent to books.

So let's imagine a scenario like this: when you return a large number of books to the library at one time (writing a large amount of content to the flash memory), how should these books be put into the bookshelf?

Are they put into the free bookshelf (written into the blank flash memory space) in the order of return (writing)? Actually, this is not the case. Because flash memory has a very important characteristic, that is, its internal structure (that is, bookshelf) will gradually "wear out" as the number of times it is used increases. If the data is written into the unused space in the flash memory in the order of "first come, first served", then there will be a problem, that is, the number of times the block at the head of the flash memory and the block at the tail will be seriously different. It is like in a library, if the bookshelf at the door is often used, and the bookshelf at the back is rarely used, the final result is of course that the bookshelf at the door will break first. And reflected in the flash memory, that is, the commonly used blocks will be damaged first, resulting in the loss of user data.

For this reason, in modern flash memory chips, manufacturers will design a mechanism called "wear leveling". Just like the administrator in a library, when a user writes data, the data will not be written directly to the flash memory, but will be kept in the memory first, and then the wear leveling algorithm will split the large blocks of data and give priority to writing those infrequently used blocks in the flash memory. It is like a librarian piling the returned books in one place first, and then putting them into the newer bookshelves when they are free. In this way, the "wear" degree of all bookshelves (flash memory lattices) will tend to be consistent, which will slow down the appearance of bad blocks and extend the overall life of the "library" (flash memory).

But this creates a new problem. Because the written data is actually split and shuffled on the flash memory and filled in many scattered locations, in order to accurately find them when reading data, the wear leveling algorithm will count each piece of data and their actual location on the flash memory, and establish a corresponding table between the file and the actual storage location. This table is called FTL, which is the Flash Translation Layer.

Now that we understand the above, we can talk about what happens in the flash memory when you "restore factory settings" on your phone or delete files in daily life. It's very simple. When receiving the "delete file" instruction, the wear leveling algorithm will first find the location of the file to be deleted in the FTL, and then erase the "note information" of these locations in the FTL, that is, re-mark them as "blank areas". This completes the "deletion operation".

I believe everyone has discovered where the problem lies. When we perform a deletion operation, what is actually deleted first is only the file location information in the FTL, while the real file itself still exists on the flash memory, but it cannot be found. In this way, as long as you use data recovery software that can directly scan the entire flash memory content, you can naturally read out the "deleted" files. This is why user information can still be read after the smartphone is "restored to factory settings".

How to avoid privacy leakage? The method is actually very simple

Why does the flash memory only delete the location information in the FTL when deleting files instead of directly deleting the files themselves? This is actually a special design to extend the life of the flash memory and improve performance. As we mentioned in the previous article, the flash memory itself has a "wear leveling" mechanism, and the wear leveling algorithm will also play a role when deleting files on the flash memory. It will first only delete the file location record in the FTL, and then when the device is idle, the wear leveling algorithm will automatically process the flash memory called "garbage collection", that is, actually delete the files marked as "deleted" and free up the corresponding physical space.

So as long as we start the "garbage collection" function on the phone, the files marked as "deleted" in the flash memory will really disappear. For Android phones, starting the "garbage collection" of the flash memory does not require any complicated operations. Just plug the phone into the charging cable and keep it turned on, and then leave it alone for one night, and the flash memory will be triggered to automatically "garbage collect" and truly eliminate those "deleted" files.

In other words, after you restore your phone to factory settings, you need to restart the phone once to enter the system interface, and then plug in the charging cable to let it charge overnight. At this point, as long as the phone manufacturer has not "magically modified" the Android system, the files you deleted should no longer exist in the flash memory.

Some friends may worry that if their mobile phones do not have this function of automatically triggering flash memory garbage collection after long-term charging, what should they do? In fact, it is easy to solve, because when the garbage collection mechanism "deletes" a file, although the file itself does not disappear immediately, the flash memory area where it is located has been marked as a "usable" blank area. So we just need to copy a large number of files that do not involve privacy content to the mobile phone at one time (for example, you can transfer hundreds of GB of Calabash Brothers to the mobile phone at one time), and these newly written files will directly overwrite the physical location of the "deleted" files on the flash memory. Then we restore the phone to factory settings, and the file information retained in the flash memory at this time is already the newly written insignificant files.

Of course, we can even repeat the operation of "restore factory settings - copy in irrelevant large-capacity new files" several times to completely ensure that the important data in the phone is completely overwritten. Imagine that a malicious second-hand mobile phone store takes the newly received mobile phone and tries to recover the user's private data. In the end, what is recovered is hundreds of GB of useless files. Isn't this a surprisingly pleasant feeling?