Is It Safe to Share Your Android?

Privacy. It’s such a potent concept, provoking some level of discomfort when mentioned in just about any context. For many of us, the term is defined as a right for every citizen to have; for others the term is more negotiable, particularly as it relates to national security concerns. Within the context of personal computing, the right to privacy is a topic of continuous and often contentious debate; even a simple discussion about monitoring a teen’s activity on the Internet irritates as much as it informs.

I’m not particularly worried about someone monitoring my activity, but I do take some measures to ensure that my data is not freely disseminated throughout the Web. Lately I’ve found myself reluctant to place my Android phone into a stranger’s hands. You see, a little over a month ago I purchased my first Android device, a version of Samsung’s SCH-R720 smartphone branded “Vitality” for the prepaid cellular provider Cricket Wireless. The smartphone is a relatively unremarkable device, providing what many would consider an entry-level Android experience — and yet it’s still a capable little computer, allowing me to tap into and utilize many of the functions most computer users typically use. And use it I have, logging into and syncing my Google account, my two Facebook accounts, Twitter, and other social networks — and engaging in a variety of transactions that have required the insertion of my personal information into the device. Now, after a month of subscribing to a cellular data plan with Cricket, I’ve decided to turn my device into a portable media player. Here’s where my concerns about letting my device get into a stranger’s hands begin.

Since I’ll no longer be paying the wireless provider for its services, I’m seeking to do what many have done with their Android devices: flash the device’s ROM. (Flashing a ROM is “basically installing a custom Android version that a developer created.”) Once I flash the Vitality’s stock ROM for one of the customized ROMs available on the Internet, I’ll be able to utilize the device in a number of ways I’m not currently able to, including overclocking its CPU and removing the software the cellular provider installed that I’m not interested in using. In order to perform the flashing procedure, however, I would like to first back up my device’s current ROM so that I’ll be able to return the device to its original state if I should ever desire (or need) to do so.

So I’ve set about learning everything there is to know about how to clone (that is, back up the device ROM of) my Vitality. Since this has been my first experience with a smartphone (or at least, my first experience with a modern-era smartphone, since I once owned a Symbian-based Nokia E62), I’ve discovered that there is a world of difference between creating an image of a PC (or a Mac) and an Android device. For one thing, the device is locked down — it is not simply a matter of using one of the plethora of applications available to produce an image of a hard drive (as is the case with PC and Mac imaging). With smartphones, a procedure known as rooting must be performed to grant me the administrative access I need to achieve my aims.

The rooting procedure is fairly commonplace, so that’s not a problem. The problem is, my privacy is at stake. I’ll explain.

In order for me to have fun with my device — that is, in order for me to flash the device’s ROM so that I’ll be able to use it in a way not expressly intended when it was distributed by Cricket Wireless — I need to first back up my phone’s stock ROM. (The ROM, by the way, is what needs to be imaged; there is no hard drive in an Android phone. Think of the ROM as the underlying code that runs your phone and retains all the data it needs to operate, much like a PC or Mac’s hard drive.) By backing up my phone’s stock ROM, I’ll have something to flash back to in case I find myself unhappy with one of the custom ROMs I experiment with.

I’m a cautious fellow — most of the time. This is due to my financial situation; I can’t afford to brick my Android and replace it with another, so I consider it a necessity for me to back up my stock ROM before experimenting with it. Now, with many Android devices, there are stock ROMs available to download so that you may flash your device back to its original state if you want to. Unfortunately, there is currently only one Vitality stock ROM available online, and it has been determined by some to be a faulty image. So I intend to back up my own ROM rather than find myself at some future point in need of one. Plus, I don’t like the idea of using someone else’s ROM. It just seems dirty. (I’ll try a custom ROM because I don’t know how to modify my device in the way that those developers do, but I’d prefer to use my own ROM if I have the choice.)

As I’ve been proceeding about this business, I’ve met other Vitality users who are less deterred about using someone else’s ROM. In fact, at least one other person wants mine. A few people have flashed their Vitality in order to enjoy the benefits of one of the two (as far as I know) custom ROMs available for our device, and in doing so they failed to back up their original ROM; now some of those users wish to revert back to the phone’s Cricket Wireless ROM in order to use the features that were originally available to them. For one reason or another, some Vitality owners wish to return or exchange their phones to Cricket (or to whatever vendor from which they purchased their device), and in order to do so they must have their device in its original state. Others have simply found the performance of whatever custom ROMs they’ve played with didn’t meet their expectations. Whatever their reasons, I’d like to be a good netizen and provide them with a backup of my stock ROM. Call me altruistic…

…or call me naïve. Should I be more cautious? My concern goes back to privacy. I’m willing to share my ROM with strangers, but I’m a bit wary of doing so before I thoroughly understand what I’m putting out there. Should I take it upon myself to distribute my stock ROM online — to potentially more than a few other Vitality users — how can I be certain the personal data I’ve entered into the device will not be discovered and then utilized for malicious purposes? Simply applying a factory reset to an Android phone does not necessarily remove all of the data one injects into their device; I’ve confirmed this by using a data recovery application with my own device. So how can I be assured that I’ll be distributing an absolutely “clean” ROM to strangers? How do developers who modify their own ROMs and distribute them ensure that their own personal data is not distributed along with the ROM?

Perhaps I am a bit more concerned with privacy than I thought.

Is it risky to share your Android phone with strangers? Some say that you simply need to remove the external memory (usually some type of SD card) from your device before selling or giving the device away, since the external memory is where some of your personal data resides. Yet I’m wary of this advice since my own personal experiments with recovery software seem to demonstrate that resetting an Android phone to its factory state does not, in fact, restore the device to a pristine state. Rather than go into all the details of my experimentation, though, I’ll simply ask those of you with more experience: What would you do to ensure that your personal data is completely removed from your Android before delivering it to a stranger? Are you at all concerned about your personal data being discovered and used for malicious intent?

CC licensed Flickr photo by Dru Bloomfield — At Home in Scottsdale