This website uses cookies to ensure you get the best experience on our website. OK
4 min read 828 Shares 22 comments

Factory resetting doesn’t wipe all your data: here's how you can

There are various good reasons to perform a factory rest: fixing bugs following an Android update, general housekeeping for maintaining Android performance and completely wiping data from your phone. The problem is that Google’s built-in factory reset option can expose your data even after a reset. Here’s why a factory reset doesn’t wipe all your data, and what you can do about it.

The factory reset problem was uncovered by some Cambridge University researchers in the first major study of this taken-for-granted Android security feature. The factory reset, we’ve always been told, will delete all data, accounts, passwords and content from your Android device. The problem is, this is only partially true.

AndroidPIT HTC One Hard Reset
Even after a factory reset there's still work to do to protect your data. / © ANDROIDPIT

Why doesn't a factory reset work?

The researchers tested a range of second-hand Android devices running Android versions from Android 2.3 to Android 4.3 and found that in all cases they were able to recover account tokens – which are used to authenticate you once a password is entered the first time – from service providers such as Google, Facebook and WhatsApp. In a staggering 80 percent of cases, they were able to recover the master token.

The master token is essentially the key to the front door, the equivalent of installing a top-notch security system and then hiding the key under the doormat. Once a master token is recovered, the user’s credential file can be restored and all your data re-synced to the device: that means emails, cloud-stored photos, contacts and calendars.

20141111 IMGL8966
How can such a critical weakness be built into Android? / © ANDROIDPIT

How could this happen?

There are a few reasons. Part of the blame is with the manufacturers who simply don’t provide the software required to fully wipe flash storage. Likewise, flash storage is notoriously hard to wipe, and of course, Google is to blame for not providing a more fail-safe option for users.

The researchers went on to note that while security and antivirus companies may use these findings to promote their own tools and services that the only real solution was likely to come from the vendors themselves.

Unfortunately, even devices with built-in encryption are not safe from these weakness. The decryption key is also left intact on a device once it has been factory reset. While that key is itself encrypted, gaining access to it would be a few days’ worth of work for most hackers, according to the researchers.

AndroidPIT Galaxy S5 Lollipop KitKat
Even Android phones running KitKat and Lollipop may be affected. / © ANDROIDPIT

What can I do about it?

It must be noted that devices running Android 4.4 and above were not tested, so it is not clear whether devices running Android KitKat and Lollipop are also affected, although the researchers were quick to point out that it’s plausible that they could be.

The main things one can do to protect themselves is to encrypt their phone and use a strong, randomly-generated password that contains a mixture of upper- and lower-case letters, numbers and symbols and is at least 11 characters long. The issue with this is that it is sufficiently awkward to do on a regular basis that most users simply won’t do it.

Alternatively, once a phone has been factory reset, the flash storage can be refilled with useless data to overwrite the tokens and crypto keys left in flash storage. Of course, the app used to fill the phone would need to be installed outside of Google Play to avoid a Google token being registered on the device once again. The only other solution the researchers came up with was to destroy the device.

This solution, however, raises issues for users that find themselves with a lost or stolen device, or for those devices that have been remotely wiped with Android Device Manager. Until a legitimate solution can be found, just be careful who you sell your second-hand phone to.

Have you sold a phone in the past? Did you think a factory reset would protect your data? Share your thoughts in the comments. 



Write new comment:
  • my 2nd gen Moto G crashed and did a factory reset today... does anyone know a way to recover all my stuff? it still says optimizing 153 apps when I restart it which is how many I had before the reset but they aren't there on the phone?? please help

  • The thing is your mobile device is like a pc (computer) harddrive. All data that has been put on it or saved is recoverable. The only way to make sure nobody can recover anything from it is to destroy it completely smash all the internals one by one with a hammer till there's only small pieces left. Else with the right software and rebuilding the device you can recover it. No software in the world can remove it unless it's software that cause the device to overheat and burst into flames and thus destroying it in such a manner.

  • Kris K. 7 months ago Link to comment

    Encryption of your device before factory resetting will leave the data jumbled and unable to be retrieved.

    • Proof? Source?

      Quote from article "Unfortunately, even devices with built-in encryption are not safe from these weakness. The decryption key is also left intact on a device once it has been factory reset. While that key is itself encrypted, gaining access to it would be a few days’ worth of work for most hackers, according to the researchers."

    • @Kris K: You should read the article again.

  • This is interesting for tmobile users who take part in the jump program. All those phones that get traded in for new ones still have user data on them even after being "reset".

  • I don't like that I had to read half the article for you to say the most recent phones may not be vulnerable to this and then there is no way to check.

  • Man, this is so true but let's face it: Unless you are some V.I.P or some kind of rock star, nobody will be interested in your social media accounts... And if you are one though, probably you won't sell your phone ... Anyway, this a very good article for raising awareness about Android OS weaknesses, still unsolved by Google...

  • Scary, I thought a factory reset would do it all!

  • 303tk4 7 months ago Link to comment

    Deleting data just means forgetting the "address" of the data in question, so the data themselves still exist on somewhere in the memory.... it's an old story of computer science.
    If that's the case, Android is not to blame for, same goes for Windows and iOS, AFAIK.

    For wiping entire data and making a clean break with old phones, some tech-people say that after factory-resetting the phone, we better leave the phone shooting a video with its camera until filling up rest of the storage, so as to overwrite entire memory with "stuffing" over your old data.
    Does that work??

  • Hmm? Thus might be a clue 2 a mystery I've been trying 2 solve ever since the Aug 1 security patch showed kernel in red & said software not recognized by AT&T. Plz turn off & bring 2 nearest att store. I was locked out. Bricked they (att) said. But I managed 2 get it back to working w/o losing anything. And the patch worked. BUT.. ever since my supposedly never used s5active now says "custom" at startup. Even tho every sign points 2 it having never been tampered with. Then I got fruit ninja & it said "welcome back hazel eyes" ? That's not me! This also happened when I 4got my FB pswd. I asked 2 use the phone number sign in option & it showed a number NOT belonging 2 me. Now I did get OTA marshmallow. W/o problems. But I was,sweating all the way thru! Also I now have auto security patch updates turned off 2 avoid being "bricked" 4 a 2ND time. Does ANYONE KNOW HOW I COULD DEFINITIVELY figure out what's causing my phone 2 say custom? I've tried a l I t of things. My knox isn't tripped. No root. I just need answers. Btw. DO NOT TRUST WE DEALS ON EBAY. They told me the phone was NEW.It did come in 99%perfect Condition. But this custom business us a mystery. Especially since I've updated 3 times OTA thru att. Any feedback will be greatly appreciated. I want the custom message/ghost software gone.
    P.s. I've done every type of reset I know of already also. THANKS!!

  • steve 7 months ago Link to comment

    So basically a factory reset isn't a factory reset, and sell your mobile at your own risk.

  • A couple of years ago my LG Gingerbread phone stopped booting after being dropped., I was delighted to learn that it supported a "hard reset" - see - supported by some but by no means all models. Above and beyond fixing the phone, the hard reset deleted almost all the bloatware that came preinstalled on it, substantially increasing the available internal storage. This is an OEM not Android functionality, and far better than "factory reset".

  • my tablet is constantly telling me I am offline, presently connected via wi-fi. It is coming on but cannot access anything, i trie to reset , thats why I am having more numerous problems than before.
    When open app all I am getting is Do you want to add an exixsting account or create a new one, I am fed up, any suggestions/

  • What if you manually log out of all accounts and using the account providers website on PC BAN usage on the device thats gonna get sold?

  • Mando Dec 30, 2015 Link to comment

    Yup, happened.

  • The awkward moment when you realise that the photos with you dancing naked wearing a chicken head mask can be retrieved...

  • Wow... had no idea. I'm on the Verizon Edge program, so I have to (and already have twice) return the phone to Verizon when I upgrade. Sold previous phones on eBay, too, after factory resets.

Show all comments

This website uses cookies to ensure you get the best experience on our website. More info

Got it!