In the old days of FAT the file deletion was implemented as a replacement of the first byte in the file name by 0xE5 and marking the storage as free, as a result, it was simple to undo the deletion (undelete was part of DOS). In the modern days, recovering a deleted file is much more complicated and thus UI usually implements some kind of recycle bin to help the user think twice before deleting some important information.

While in most cases users sorry that they have mistakenly deleted something and cannot recover it, for professional paranoids it is much more important that what is deleted, cannot be recovered by an adversary.

Secure deletion may seem simple: just overwrite the information in the file with junk data. This strategy works for simple file systems (e.g., FAT), but the more advanced ones try to increase file integrity by creating a new version of the file data instead of overwriting the previous data (log-structured file systems). Even for FAT, the underlying “disk” may be a flash that relocates position of “disk sectors” for wear-leveling.

Smartphones contain a lot of confidential information and thus the new research is worth reading (PDF):

We address the problem of secure data deletion on log-structured file systems. We focus on the YAFFS file system, widely used on Android smartphones. We show that these systems provide no temporal guarantees on data deletion and that deleted data still persists for nearly 44 hours with average phone use and indefinitely if the phone is not used after the deletion. Furthermore, we show that file overwriting and encryption, methods commonly used for secure deletion on block-structured file systems, do not ensure data deletion in log-structured file systems.

We propose three mechanisms for secure deletion on log-structured file systems. Purging is a user-level mechanism that guarantees secure deletion at the cost of negligible device wear. Ballooning is a user-level mechanism that runs continuously and gives probabilistic improvements to secure deletion. Zero overwriting is a kernel-level mechanism that guarantees immediate secure deletion without device wear. We implement these mechanisms on Nexus One smartphones and show that they succeed in secure deletion and neither prohibitively reduce the longevity of the flash memory nor noticeably reduce the device’s battery lifetime. These techniques provide mobile phone users more confidence that data they delete from their phones are indeed deleted.

On the other hand, an ounce of prevention is worth a pound of cure: instead of trying to delete the confidential information, it may be wiser to not store the plain-text (i.e., non-encrypted) data at all. If all your data is encrypted, then to securely delete it, it is enough to forget the key.

These trends are disrupting the traditional relationships existing between subscribers and service providers. This so-called disintermediation is being felt in the market, with cable operators offering video services to mobile subscribers and mobile operators offering video-on-demand to TV subscribers. Content owners and studios are also modifying their approach by offering services directly to consumers, circumventing the incumbent service providers.

These changes in the market have created new content service providers who must now “prove” their ability to securely deploy premium content in order to gain the approval of the major studios. Content protection – or Digital Rights Management (DRM) as it is more commonly known – is most effective when deployed in conjunction with hardware-based security elements. Principally, the objective of the hardware assets is to hinder scalable attacks, i.e., attacks that allow distribution in the form of exploit code, allowing the service provider to achieve a level of security similar to STBs.

In particular, the hardware-based embedded security is used to protect key elements in the DRM, as follows:

Permanent key material and other permanent sensitive data, including group private keys, device keys, security management keys, metering data
This type of data can be classified as long-term, sensitive data that must be stored permanently in the device. The solution takes the form of an encrypted, integrity-protected secure storage facility. A hardware-based secure storage mechanism is based on an embedded root key that is unique per each device. In order to obtain the Root Key and access the sensitive data, the attacker must physically probe the main processor chip which often results in its destruction. In addition, any information obtained by the attacker is relevant only for that specific device. Physical probing must be repeated to access the sensitive data of another device. This endeavor is both expensive and impractical, and certainly not scalable.

Title related and short term keys (content keys, session keys)
Mobile devices are open systems that run applications from many sources, some of them untrustworthy. The main processor in a mobile device must be deemed part of the threat model since it may be executing malicious code – malware – and attempting to access the content and session keys during run time. This threat is mitigated by running the security critical code that handles these keys in a secure execution environment – a secure subsystem that is inaccessible to the main processor. This hardware-based subsystem cannot be compromised by software-based attacks.

Compressed content (plaintext content before decoding)
Compressed content is output by the DRM client that runs in a secure execution environment and is sent to a codec for decoding and rendering on the output display and audio devices. As noted above, the main processor is deemed part of the threat model, so the compressed content cannot simply be copied from the secure execution environment to the main memory to the codec. In order to secure this interface, the DRM client must be tightly integrated with the codec. The hardware-based solution is to send the compressed content in an encrypted form to the codec. The codec decrypts and then decodes the content.

Thus the combination of hardware-based security working in tandem with a software client creates a robust and effective content protection solution.

Just looking at the sheer volume of second hand books available for sale on Amazon.com, my guess is that any eBook pricing model that does not allow the owner to resell the content is not likely to succeed. Moreover, the business model for eBook needs to correctly reflect the way people consume and acquire books. For example support an electronic book library or so-called subscription based models is an important requirement. The ability to share a book with friends and family, typical of books clubs all over the world is another model that must be supported. Text books also pose a serious challenge to the monolithic download-to-own model. This is to say nothing of the different types of devices, with either fixed or removal storage and a multitude of operating systems (e.g. Android, Symbian).

What is clear is that a one-size-fits-all approach (download-to-own) will not allow the eBook market to reach its full potential. Any viable content protection technology for the eBook market needs to support the full range of business models.

OMA DRM 2.1 is such a scheme, providing an ideal solution for eBook market. As an open DRM scheme it enjoys the support of content owners and service provides alike. The scheme is very robust and widely deployed. Moreover the scheme supports all the enhanced business models required by the eBook market.

FIRA de BARCELONA, SUITE 4.7HS22 / BARCELONA, SPAIN — (February 15, 2010) — Discretix, the leading global provider of embedded Windows Mobile and Android security DRM, today announced that Sony Ericsson has chosen Discretix’ Multi-Scheme DRM Client to protect distribution and consumption of multimedia content on select mobile phones and for its PlayNow services.

Discretix’ Multi-Scheme DRM Client has been deployed on select Sony Ericsson mobile phones based on the Windows Mobile and Android operating systems.  The embedded technology enables a wide variety of business models including subscription-based music and video services for the consumer market.

For more information: http://www.discretix.com/corporate/pr050110.html

http://www.discretix.com/corporate/pr071209.html

Limiting subscribers to downloading applications from approved app stores, certainly mitigates some of the risk. However there are several well known and freely available cracks online that will effectively bypass almost any restrictions and protection mechanisms.

Just in case the simple man on the street felt he had nothing to lose, vulnerabilities of the operating system pose other threats, placing the end-user at risk. Viruses and the trojan horse can reveal and/or modify personal information. These viruses can grab personal payment information such as credit card numbers, illegally obtain contact information from our private phone book stored on the mobile phone, and access our home network using a mobile device’s WiFi capabilities.

As smartphones become more prevalent and entrenched in our work and home lives, their security requirements increase as well. Without such safeguards in place, people will never feel safe using smartphones, thereby preventing these powerful innovations from ever reaching their full potential.