Exchange Server connection on Android can delete ALL data

September 18, 2012

When I was on vacation in Bali last week, my phone did some weird things, notably unlocked the screen and randomly started entering letters and numbers for the PIN when there was no-one near it. I still have no idea why it did this and that may remain a mystery forever. The first time it did it, I caught it after 9 attempts (i.e. before the ‘10 incorrect attempts will cause all the data to be deleted’ message came into play).

But the second time it happened, I couldn’t catch it quick enough and in front of my eyes, my phone deleted ALL its data and reset itself to the factory settings. That’s right — ALL my contacts (900+), mail, calendar appointments, all my downloaded apps, all my photos, all my audio books and ebooks, WiFi settings for various locations, all other settings and customizations (e.g. ring tones, display brightness, etc.), EVERYTHING!

That was very scary and made me very angry. I swore loudly at Android, HTC, and Telstra as I (incorrectly) assumed that one of them was the culprit.

But it wasn’t until I got back home and was setting up my Exchange Server sync settings again that I realized that the culprit was Exchange Server! When I set it up, I could connect to Exchange Server, but the emails etc. wouldn’t sync with my phone. I got a synchronization error message. However, you can’t deal with that message on the Exchange Server sync page — you have to go to the Notifications panel and click the link there to go to the permissions page for Exchange Server.

Well, my Exchange Server was probably set up with the defaults, which meant that it REQUIRED a PIN to unlock my phone, and the permissions screen also told me that activating the permissions meant that all data (I incorrectly assumed only Exchange Server data) could be wiped after 10 incorrect login attempts, etc. After I agreed to those draconian conditions, I could get my mail etc.

But as I’m the only person who has a phone linked to my Exchange Server, I called my PC Guru guys to see if they could change the settings so that a PIN wasn’t required when I unlocked the screen, plus a few other settings like the display time before the screen locked after a period of inactivity (mine was 5 minutes — it’s now 15 minutes).

So now my phone has no PIN for the SIM card and no PIN required for Exchange Server, which means that if it does weird stuff again, it won’t wipe ALL my data! Sure, this will make my phone vulnerable if I lose it, but I’m prepared to take that risk and not lose my phone. Losing all your data is no fun…

Fortunately, I had uploaded my Bali photos earlier in the day that the deletion occurred, and fortunately I had Exchange Server so all my contacts and calendar info were stored centrally. However, I still have to download all my apps again and reset my settings and customizations, and reconnect with several services like DropBox, TweetDeck, Facebook etc.

There goes another heap of hours…. (update: I plugged my phone into my PC and checked the hard drive on it — it looks like the photos and ebooks and audio books are still there [SD card?] but I can’t see the apps, so I still have to re-download them. Further update: Yay! When I’m logged in to Google, Google Play has a list of all the apps I previously downloaded and what’s currently on my phone [https://play.google.com/apps], so it’s pretty easy to download them again. Thank you, Google!)

There’s more info here:

[Links last checked September 2012]


  1. The idea behind this ability is security. For businesses that may have important and confidential data, if the phone is lost or compromised, Exchange can erase ALL data.

    It seems to me that attempts were being made to access your phone remotely.



  2. I would like to decide myself if the phone should return to factory settings – or disable the camera or whatnot – not SharePoint. Microsoft shows quite a queer state of mind by claiming they know better. My day ruined.
