Is It Safe to Share Your Android?

Private Property signPrivacy. It’s such a potent concept, provoking some level of discomfort when mentioned in just about any context. For many of us, the term is defined as a right for every citizen to have; for others the term is more negotiable, particularly as it relates to national security concerns. Within the context of personal computing, the right to privacy is a topic of continuous and often contentious debate; even a simple discussion about monitoring a teen’s activity on the Internet irritates as much as it informs.

I’m not particularly worried about someone monitoring my activity, but I do take some measures to ensure that my data is not freely disseminated throughout the Web. Lately I’ve found myself reluctant to place my Android phone into a stranger’s hands. You see, a little over a month ago I purchased my first Android device, a version of Samsung’s SCH-R720 smartphone branded “Vitality” for the prepaid cellular provider Cricket Wireless. The smartphone is a relatively unremarkable device, providing what many would consider an entry-level Android experience — and yet it’s still a capable little computer, allowing me to tap into and utilize many of the functions most computer users typically use. And use it I have, logging into and syncing my Google account, my two Facebook accounts, Twitter, and other social networks — and engaging in a variety of transactions that have required the insertion of my personal information into the device. Now, after a month of subscribing to a cellular data plan with Cricket, I’ve decided to turn my device into a portable media player. Here’s where my concerns about letting my device get into a stranger’s hands begin.

Since I’ll no longer be paying the wireless provider for its services, I’m seeking to do what many have done with their Android devices: flash the device’s ROM. (Flashing a ROM is “basically installing a custom Android version that a developer created.”) Once I flash the Vitality’s stock ROM for one of the customized ROMS available on the Internet, I’ll be able to utilize the device in a manner of ways I’m not currently able to, including overclocking its CPU and removing the software the cellular provider installed that I’m not interested in using. In order to perform the flashing procedure, however, I would like to first back up my device’s current ROM so that I’ll be able to return the device to its original state if I should ever desire (or need) to do so.

So I’ve set about learning everything there is to know about how to clone (that is, back up the device ROM of) my Vitality. Since this has been my first experience with a smartphone (or at least, my first experience with a modern-era smartphone, since I once owned a Symbian-based Nokia E62), I’ve discovered that there is a world of difference between creating an image of a PC (or a Mac) and an Android device. For one thing, the device is locked down — it is not simply a matter of using one of the plethora of applications available to produce an image of a hard drive (as is the case with PC and Mac imaging). With smartphones, a procedure known as rooting must be performed to grant me the administrative access I need to achieve my aims.

The rooting procedure is fairly commonplace, so that’s not a problem. The problem is, my privacy is at stake. I’ll explain.

In order for me to have fun with my device — that is, in order for me to flash the device’s ROM so that I’ll be able to use it in a way not expressly intended when it was distributed by Cricket Wireless — I need to first back up my phone’s stock ROM. (The ROM, by the way, is what needs to be imaged; there is no hard drive in an Android phone. Think of the ROM as the underlying code that runs your phone and retains all the data it needs to operate, much like a PC or Mac’s hard drive.) By backing up my phone’s stock ROM, I’ll have something to flash back to in case I find myself unhappy with one of the custom ROMs I experiment with.

I’m a cautious fellow — most of the time. This is due to my financial situation; I can’t afford to brick my Android and replace it with another, so I consider it a necessity for me to back up my stock ROM before experimenting with it. Now, with many Android devices, there are stock ROMs available to download so that you may flash your device back to its original state if you want to. Unfortunately, there is currently only one Vitality stock ROM available online, and it has been determined by some to be a faulty image. So I intend to back up my own ROM rather than find myself at some future point in need of one. Plus, I don’t like the idea of using someone else’s ROM. It just seems dirty. (I’ll try a custom ROM because I don’t know how to modify my device in the way that those developers do, but I’d prefer to use my own ROM if I have the choice.)

As I’ve been proceeding about this business, I’ve met other Vitality users who are less deterred about using someone else’s ROM. In fact, at least one other person wants mine. A few people have flashed their Vitality in order to enjoy the benefits of one of the two (as far as I know) custom ROMS available for our device, and in doing so they failed to back up their original ROM; now some of those users wish to revert back to the phone’s Cricket Wireless ROM in order to use the features that were originally available to them. For one reason or another, some Vitality owners wish to return or exchange their phones to Cricket (or to whatever vendor from which they purchased their device), and in order to do so they must have their device in its original state. Others have simply found the performance of whatever custom ROMs they’ve played with didn’t meet their expectations. Whatever their reasons, I’d like to be a good netizen and provide them with a backup of my stock ROM. Call me altruistic…

…or call me naïve. Should I be more cautious? My concern goes back to privacy. I’m willing to share my ROM with strangers, but I’m a bit wary of doing so before I thoroughly understand what I’m putting out there. Should I take it upon myself to distribute my stock ROM online — to potentially more than a few other Vitality users — how can I be certain the personal data I’ve entered into the device will not be discovered and then utilized for malicious purposes? Simply applying a factory reset to an Android phone does not necessarily remove all of the data one injects into their device; I’ve confirmed this by using a data recovery application with my own device. So how can I be assured that I’ll be distributing an absolutely “clean” ROM to strangers? How do developers who modify their own ROMs and distribute them ensure that their own personal data is not distributed along with the ROM?

Perhaps I am a bit more concerned with privacy than I thought.

Is it risky to share your Android phone with strangers? Some say that you simply need to remove the external memory (usually some type of SD card) from your device before selling or giving the device away, since the external memory is where some of your personal data resides. Yet I’m wary of this advice since my own personal experiments with recovery software seem to demonstrate that resetting an Android phone to its factory state does not, in fact, restore the device to a pristine state. Rather than go into all the details of my experimentation, though, I’ll simply ask those of you with more experience: What would you do to ensure that your personal data is completely removed from your Android before delivering it to a stranger? Are you at all concerned about your personal data being discovered and used for malicious intent?

CC licensed Flickr photo by Dru Bloomfield — At Home in Scottsdale

Article Written by

  • 2Hilarious

    I hate sharing my phone anyway. So for me, that’s unsafe because it’s too personal and with all the codes, the PIN credit cards  and the prepaid systems, you have to be very careful with whom you share your Android to.

    • Moeshakersten

      i definitely agree with you. good post by the way. today’s people are juqt too smart Hen it comes to do bad things.

  • Ori

    Well, after a factory reset your phone is cleaned of personal data. Yes, it’s not wiped so you can recover it, when “imagine” your rom it doesn’t do a sector for sector read, it only reads to os. So writing the image back shiuld leave nothing on intrest.

  • Harold

    Thanks for your comments, Ori. By some accounts, it’s quite easy to recover personal data after applying a factory reset to an Android. In one of the articles I read while researching this subject, the writer reported that Robert Siciliano of McAffee (“the world’s largest dedicated security technology company”) recommends destroying your Android phone rather than selling or giving it away to a stranger. Apparently, applying a factory reset to an Android device is inadequate at removing personal information, especially in comparison to applying an equivalent reset to an iOS device.

  • Brian Rodriguez

    If you’re afraid to share any data than the Image file that your phone currently needs to operate, then reformatting is the best bet for deleting any extra data.
    If you are afraid of any legal issues with Cricket wireless and your distribution of their firmware then you should probably read the legal documents published about that matter.

    • Harold

      Good advice, Brian. I have to admit my unease about sharing my ROM is far more due to my uncertainty about unintentionally sharing my private information than it is about the legality of distributing Cricket’s stock firmware. Still, I might hesitate even if I was certain my data was entirely absent from the device. I do try to maintain a sense of boundaries — I don’t illegally download software anymore, for example.

      Custom ROMs are probably illegal, though I see a significant difference between downloading and installing firmware as opposed to downloading and installing a PC game or Adobe Photosphop or something. Custom ROMs are actually encouraging a number of people to purchase hardware to run the firmware on. Contributing my stock ROM to the Android modding community might encourage a few consumers to purchase the Cricket device in order to experiment with it.

      Anyway, I’m putting my plans for sharing my Android on hold, for now.

      • Răzvan Balica

        Custom ROMs are NOT illegal! Android is open source. Even some hardware OEMs send hardware for development to custom ROM developers, such as those from the Cyanogen Mod team. This is not an iPhone man, stop confusing! The firmware from any carrier that you may have you may distribute to help others, with no legal issues.

        • Harold

          Sweet. Thanks for clarifying that. I’m well aware it’s based on open source code but wasn’t certain it legal to distribute vendor’s customized distributions. Though I’ll make sure to confirm that bit of information before I reconsider giving away the ROM, I’d appreciate any references to back that information up.

          • Răzvan Balica

            As long as the ROM doesn’t contain any integrated copyright protected software by your carrier it’s OK to distribute the ROM. I’m pretty sure of that!

  • Răzvan Balica

    Hello, the ROM is stored in a different partition than the data partition where you have your personal information. In the backup just include the recovery and system partition. If it gets into your backup (the data partition) you can delete it manually from your backup using an archive manager like WinRar.

  • SirahManzoor

    And the word is that Amazon has plans to put out regular software updates to address the issue of fragmentation. And by the looks of the advertising graphic below, the Blaze looks to be made available on AT&T and Verizon. on a serious note Amazon really has to concentrate on their patents, Android got full marks there..