Before you sell your old Android phone, it's generally a good idea to encrypt and then wipe it. A new security report, however, has reiterated what we've said before: under certain circumstances, that data may still be recoverable. So be careful who you give your old phones to.
A report from the University of Cambridge examined the effectiveness of Android's factory reset functions on 21 different smartphone models running Android versions from 2.3.x to 4.3 (a range which, as of May 4, accounts for slightly more than half of the active Android devices that access the Play Store regularly). The researchers found that in 80% of cases, they could still recover Google authentication tokens and retrieve data from the phones, even if the phones had been encrypted beforehand.
The reason for this vulnerability varies. In some cases, it's the fault of OEMs not including proper drivers to perform secure erases. In other cases, it's the fault of the Android OS. Of course, it's worth pointing out that even the built-in Android encryption tools have gotten better over the years, so it's unclear if newer devices will suffer the same fate.
While this study emphasises the point, it's also worth mentioning that this isn't entirely new information. When we talked to security researcher jcase back in 2013 (shortly before 4.4 came out), he said many of the same things: manufacturer implementation and older devices can lead to vulnerabilities. If you really want to protect your data, you can overwrite your entire phone or, more sensibly, just be careful who you sell it to. You could even just repurpose it yourself.