https://threatpost.com/shoddy-android-factory-reset-exposes-private-data-encryption-keys/112979
Best to just melt it down yourself. If you have a friend that cooks meth, you can go to his cook site to dispose of the toxic waste resulting from your personal Android device decomming.
But seriously folks, this is a big deal. This is why I do NOT have my banking or other money handling apps memorize my passwords. Or at least I *try* to remember to not have them memorize my passwords. Not gonna turn in my phone, ever, until this factory reset thing gets good and fixed, which it SHOULD be in 5.0, which I'm running, but, well... now I'm more paranoid than usual.
Maybe I should put a GPS tracker on my Android when I turn it in so that if the guy that gets my phone compromises my information, I can put a geolocator block on his access and then get a buddy at a carrier to re-route his traffic to NULL and, uh... um... or I could just change all my passwords when I get a new phone and hope that I didn't miss any. :doh:
I never did trade-ins before and I am definitely not doing it now lol.
I use LastPass and that seems to be fairly good so far. Your encrypted (so owners of the system can't see them) passwords are stored online, I have a secondary authentication setup so even if my password gets out I should still be good, and I can see everywhere I have a password. My passwords become much more complex, and they are different for every site.
I've sold every single android phone I've ever had when I upgrade... good thing my buyers are all just normal users, not malicious identity harvesters lol.
Still, at the price of a used phone, it's probably economics that hasn't turned this into a major attack vector. (You can probably buy thousands of credit card numbers etc. off the darknet instead of a single lousy phone for the same price.)
I have separate passwords for dropbox, gmail, banking, shares and paypass, none of them are written down. dropbox, gmail and banking have 2 factor on top.
My only vulnerability I think is if they can retrieve tokens they may be able to log back into google without invoking the 2 factor.
The state of security is in a perpetual sorry state when I can't even get 2-factor authentication for my banks.