When smartphone users upload files to cloud-based services, it does move to the specified storage area, but the catch is remnants of those files often remain on the handheld.
The consequence is hackers could potentially access files stored in the cloud, or get access to cloud accounts, using leftover data stored on your Android device, iPhone or other smartphone, researchers said.
“That smartphones can essentially remember deleted information poses a huge risk to organizations that issue smartphones to employees and to organizations that don’t explicitly disable the use of personal devices for work-related computing,” said Pravin Kothari, founder and chief executive of CipherCloud, a maker of cloud encryption software.
Researchers at the University of Glasgow ran a variety of tests to come to their conclusions (read the PDF of the report here). Phones tested included the HTC Desire, running Android 2.1, and an iPhone 3S running iOS 3, and cloud-based file storage systems tested included Box, Dropbox and SugarSync.
A hard reset of the phones tested occurred before creating 20 files on each of the devices, including images, documents, PDFs and music files. Researchers then “manipulated” the phones, by either powering them off, caching the applications or both. As a control, some of the phones continued in active state without any caching. Researchers then did a “data dump” of the phones by copying the memory onto a flash drive, which they then analyzed.
Researchers found a variety of metadata leftover after the files uploaded to the cloud services. Email addresses of users and transaction logs of which files ended up uploaded to the cloud were visible. Researchers said they were even able to piece together various metadata to get a URL address of where a file was in Box’s cloud. Researchers also found they were able to recover all files marked for “offline access” from the Android and iOS devices. Even some deleted files were still traceable on the SD card of the Android device.
They were able to recover files from the Android smartphone and its SD card, while they were able to grab data from the iOS device’s internal memory (the iPhone 3S does not use an SD card).
In most circumstances, the researchers found if the applications did cache, then recovering the files was more difficult, except for when using Box on the iOS device, in which case they were able to recover the same number of files even after caching.
“Smartphone devices which access cloud storage services can potentially contain a proxy view of the data stored in a cloud storage service,” the research said. Accessing the proxy data can lead to further exposed data, they said. Files not viewed on the smartphone, but were in the user’s cloud storage account, were not recoverable, although in some cases a thumbnail of a JPEG not viewed on the phone was visible.
Researchers said a variety of tools can extract data from a smartphone, including products from private company Cellebrite, which makes the Universal Forensics Extraction Device (UFED). Micro Systemation’s XRY makes another tool for forensic detection of data.
A spokesperson for Box pointed out researchers were using outdated versions of the company’s mobile application (Android Version 1.6.7 and iOS Version 2.7.1), which are both almost a year old. Since then, Box began encrypting all files saved for offline use. The current Android app has automatic encryption and the Apple version has a feature to enable encryption. Previews of files always end up encrypted, Box added.
Researchers said they would need to do further testing to determine how widespread of a vulnerability this is on newer devices, operating systems and cloud platforms.