We have discovered that the "wipe" function on Android does not reliably
delete data on all devices. On a Nexus S running Android 2.3.6, we were
able to recover user data after running a "wipe" both using the "factory
data reset" from the menu and by wiping the device from recovery.

To recover data, the device must be rooted. This can be done after the
wipe by using e.g. the zergRush root exploit. (Note that the official
way which includes unlocking the bootloader must not be used - that one
does securely wipe the memory).

After rooting the device, the memory can be dumped using
   cat /dev/block/platform/s3c-sdhci.0/by-name/userdata
Move the dump to a PC by piping the cat output into nc, then recover
using any common recovery software.

This means that if a locked device affected by this is lost/stolen, it
is possible to access the data by first wiping the device (to remove the
screen lock), then rooting and recovering.

Note that we do not know the full range of affected devices.
Manufacturers may have made customizations that fix this, and Android
3.x and 4.x (Honeycomb/ICS, about 5% of devices) seem to have fixes
according to the code.

The Android security team has been notified.

Further details can be found in our blog post:
https://www.hatforce.com/blog/android/wipe

Kind regards,
Jan, from the Hatforce team

Hatforce (https://www.hatforce.com) is the first crowd-sourced security
testing startup world-wide. The services comprise web- and mobile
application pentests. Since its launch, Hatforce got extensive positive
feedback, especially from the Forbes magazine: "This service is stroke
of genius! [...] This is a great business concept and one that could
make a huge difference in how safe your application, and brand, is."