If you plan on selling or donating your smartphone, make sure you do more than just factory reset through the phone’s operating system. Security researchers picked up several phones “wiped” this way, and found loads of data.
Photo by Carlos Varela
On its blog, security software developer Avast! highlighted the ridiculous amount of information it gathered from just 20 used – and supposedly “wiped” – smartphones. A good deal of the information was personal, and all of it was easily retrieved.
Each of the phones had been reset using the built-in factory reset option, which their users thought wiped their data off of the device. Here’s what could be retrieved regardless:
- More than 40,000 photos, including: over 1500 family photos of children, 750 photos of women in various stages of undress, and 250 selfies of the previous owner’s “manhood”.
- More than 1000 Google searches.
- More than 750 emails and text messages.
- More than 250 contact names and email addresses.
- Four previous owners’ identities.
- One completed loan application.
If you’re going to sell your old smartphone, make sure you remove your personal data manually and then enact a factory reset. Your phone is a treasure trove of information about you, and often includes photos, downloaded documents, app passwords and more. It’s worth the time to make sure it’s completely blank before you sell or give it away.
Tens of thousands of Americans sell themselves online every day [Avast! Blog]
This story has been updated since its original publication.
Comments
2 responses to “Reminder: A Factory Reset Won’t Wipe Your Android Completely”
Agree. I bought a reset 2nd hand phone and found images of the previous owner’s nose job.
This is the same for pretty much every single device using a hard drive.
Factory resets, or even formats, just mark the used sections of the hard drive as writable. Unless you write over it, the data is still there. This is why ‘secure’ wipes are a thing. They mark everything as writable, write over it with zeroes and repeat an arbitrary amount of time.
What you’ve described is true when you delete a file from a computer (or phone, etc), but the factory reset is actually much worse than this. I factory reset my old Samsung phone, then plugged into the computer by USB to check and my files were all still there. Factory reset doesn’t even change the file table, it just removes apps (and accounts, I think).
Of course if this were true of iPhones, there would already be at least ten people slamming Apple on here.
I certainly don’t feel comfortable “wiping” my personal data from my iPhone by trusting Apple to do it for me (via factory reset). I wouldn’t place that much trust in anyone, considering the sort of information one could potentially glean from my phone.
Same goes for ANY device that can store information about me.
A few things to note here:
– Later Android (8+) does a good job here; enforced device encryption, with strong protection of the key, makes it very hard to actually access the content (key gone after a reset – content gone, disc is scrambled)
– Some earlier Android (7 and earlier?) didn’t do a good job here
– It takes a very determined hacker to get past this, it’s not a casual accidental discovery of files by the next owner, particularly if device encryption was used (default since 7)
– Deleting is no help. If a hacker can recover an encryption key, undeleting is a breeze in comparison
For the really paranoid, factory reset, then run a tool that causes all the blocks on the disk to be over-written multiple times, then reset again.
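
The difference the comments above describe, between a reset that only forgets where files are and a wipe that overwrites the blocks, can be checked by scanning raw storage for file signatures. This is an added example, not part of the original article or its comments; the in-memory "storage image", the toy file table and every function name are constructed for illustration.

```python
# Constructed model of a storage image with a toy file table (all names hypothetical).
BLOCK = 512
JPEG_START, JPEG_END = b"\xff\xd8\xff", b"\xff\xd9"

def fake_jpeg(payload):
    """Constructed stand-in for a photo: JPEG markers around a payload."""
    return JPEG_START + b"\xe0" + payload + JPEG_END

def make_image(files, blocks=64):
    """Lay files out block-aligned; return (raw image, file table)."""
    image = bytearray(BLOCK * blocks)
    table, offset = {}, BLOCK            # block 0 is reserved for the table
    for name, data in files.items():
        image[offset:offset + len(data)] = data
        table[name] = (offset, len(data))
        offset += -(-len(data) // BLOCK) * BLOCK   # round up to next block
    return image, table

def quick_reset(image, table):
    """Reset that only drops the index; the data blocks are untouched."""
    table.clear()

def overwrite_wipe(image, table):
    """Wipe that drops the index and zero-fills every block."""
    table.clear()
    image[:] = bytes(len(image))

def carve_jpegs(image):
    """Scan raw bytes for JPEG start/end markers, ignoring any file table."""
    found, pos = [], 0
    while (start := image.find(JPEG_START, pos)) != -1:
        end = image.find(JPEG_END, start + len(JPEG_START))
        if end == -1:
            break
        found.append(bytes(image[start:end + len(JPEG_END)]))
        pos = end + len(JPEG_END)
    return found

def demo():
    photos = {"a.jpg": fake_jpeg(b"family photo " * 50),
              "b.jpg": fake_jpeg(b"loan application scan " * 40)}
    image, table = make_image(photos)
    quick_reset(image, table)
    after_reset = carve_jpegs(image)     # index is empty, data still there
    overwrite_wipe(image, table)
    return len(table), after_reset, carve_jpegs(image)

if __name__ == "__main__":
    entries, after_reset, after_wipe = demo()
    print(entries, len(after_reset), len(after_wipe))
```

The model ignores flash wear-levelling, which can leave old copies in physical blocks that an overwrite issued through the operating system never touches; on real phones that is why destroying the encryption key, as the last comment describes, is the more dependable route.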