We use cookies on our websites. Information about cookies and how you can object to the use of cookies at any time or end their use can be found in our privacy policy.
Selling your smartphone? A factory reset alone won't protect your data
Google 4 min read 43 comments

Selling your smartphone? A factory reset alone won't protect your data

Google’s built-in factory reset option can leave your data exposed even after a reset. Here’s why a factory reset doesn’t wipe all your data, and what you can do about it before you sell your smartphone.

There are various good reasons to perform a factory reset: fixing bugs following an Android update, general housekeeping for maintaining Android performance, and supposedly wiping all data from your phone.

The factory reset, we’ve always been told, will delete all data, accounts, passwords and content from your Android device. The problem is, this is only partially true.

For example, the security firm Avast bought 20 used cell phones off eBay and used readily available recovery software to recover incredible amounts of personal data from the devices, including 40,000 photos, 1,000 Google searches, hundreds of emails, and even a loan application. It's scary to imagine what others might find on your phone after you sell it.

Reset to factory settings: why doesn't it work?

The factory reset problem was uncovered by some Cambridge University researchers in the first major study of this taken-for-granted Android security feature. The researchers tested a range of second-hand Android devices running several different Android versions and found that in all cases they were able to recover account tokens – which are used to authenticate you once a password is entered the first time – from service providers such as Google, Facebook and WhatsApp. In a staggering 80 percent of cases, they were able to recover the master token.

The master token is essentially the key to the front door, the equivalent of installing a top-notch security system and then hiding the key under the doormat. Once a master token is recovered, the user’s credential file can be restored and all your data re-synced to the device: that means emails, cloud-stored photos, contacts and calendars.

AndroidPIT encrypted secure security lock locked locks 1
Factory resetting alone isn't enough to keep your Android phone safe. / © jijomathaidesigners/Shutterstock - Montage: AndroidPIT

Why is private data recoverable even after a factory reset?

There are a few reasons. Part of the blame is with the manufacturers who simply don’t provide the software required to fully wipe flash storage. Likewise, flash storage is notoriously hard to wipe, and of course, Google is to blame for not providing a more fail-safe option for users.

The researchers went on to note that while security and antivirus companies may use these findings to promote their own tools and services that the only real solution was likely to come from the vendors themselves.

Unfortunately, even devices with built-in encryption are not safe from these weaknesses. The decryption key is also left intact on a device once it has been factory reset. While that key is itself encrypted, gaining access to it would be a few days’ worth of work for most hackers, according to the researchers.

AndroidPIT android pie 0090
Even those with the newest Android phones running Pie should take extra precautions. / © AndroidPIT by Irina Efremova

How to factory reset properly, removing all your data

The main things you can do to protect yourself is to encrypt your phone. The option to encrypt your phone will be located in different places in your device's settings depending on the manufacturer, but in general, it can be found in Settings > Security > Encrypt phone. If your phone comes with Android 6.0 or above, it may already be encrypted by default.

When you encrypt your device, use a strong, randomly-generated password that contains a mixture of upper- and lower-case letters, numbers and symbols and which is at least 11 characters long. The issue with this is that it so awkward to type on a regular basis that most users simply won’t do it.

Alternatively, once a phone has been factory reset, the flash storage can be refilled with useless data to overwrite the tokens and cryptographic keys left in flash storage. This could be done in a rudimentary way with a few large video files, or with an app made for this purpose. There are several highly-rated apps available on the Play Store, like Secure Erase with iShredder 6. (Of course, if you want to be extra safe while using an app to fill the phone with dummy data, it would need to be installed outside of Google Play to avoid a Google token being registered on the device once again.)

This solution, however, raises issues for users that find themselves with a lost or stolen device, or for those devices that have been remotely wiped with Android Device Manager. Until a legitimate solution can be found, just be careful who you sell your second-hand phone to.

Have you sold a phone in the past? Did you think a factory reset would protect your data? Share your thoughts in the comments. 

43 comments

Write new comment:
All changes will be saved. No drafts are saved when editing

  • Has this problem been solved?


  • I suppose (which was already mentioned) Secure Erase from Google Play and then Factory Reset (and then hope that does the job?)

    I have donated my old phone's to charity (military personnel), without being hacked ... so I consider myself lucky.


  • You can use "Secure Eraser" from Play Store


  • I don't sell my old phones, I'd rather make a phone tech museum(shows me how my phone habit, and knowledge has advanced over the years, hey ya gotta have a mini hobby). From my first phone, a tracfone, that I used as a red cross worker for the Katrina flood, to today, most of my phones are in very good shape(never cracked a screen, busted a sim tray, etc..) No one will ever get my data, that way.


  • No matter how many times I do a factory reset I am still being asked for a password? does anyone have a solution for this?


  • Okay I've done factory reset and my phone is still frozen. Can someone please tell me what is wrong with my phone because it was fine before?


  • So assuming someone has deleted images from their phone (obviously I know they aren't totally gone), then ran a factory reset about 15 times, what are the chances of these deleted images being found during a routine repair/system flash?

    I guess I'm asking whether these just pop back up on the phone straight a way, or whether someone has to set out to specifically look for them, and, if so, how hard do they have to look, would this would form part of a normal repair?

    I sent my smart platinum 7 off to Vodafone for repair (running android 6. something) and am now having a mild panic attack that pictures of a "personal" nature :) are going to show up,. I ran an off the shelf photo recovery app before I sent it and nothing showed up (the same app found them before I did the re-set), am I likely to be okay or are my pics going to go viral???

    Thanks


  • At last I'm finally getting a better understanding of the problem I'm having with my smartphone and Android 6! Unfortunately, the article doesn't help me in my current situation: I don't remember the google account details I used to be able to use my phone! I had to do a hard reset but I now can't resync the phone. Can anyone tell me how to totally wipe the google account information from the phone when I'm not in normal use situation? I've been going round in circles on google sites with no success.


  • If I sell the phone, I do factory reset and play the whole sowtware via ODIN
    Then restore the settings again.
    Otherwise, it is not bad, once every three months to restore data, the phone clears and runs better.


  • My1 Jun 7, 2017 Link to comment

    judging the comments this seems like it was warmed up at least 2 times, way to go (/s)

    but on a more serious note, why cant they even clear out a key for encryption properly? especially since it's so much easier than wiping everything which takes ages and wears off the memory.


    • kgbme Jul 21, 2017 Link to comment

      Heh, why. Is it because dimwits worked on that particular implementation, because the supervisor said "it's good enough", or because it's a design flaw of the (operating) system - the bottom line is that it seems that Google just doesn't care.

      They couldn't care less, right? Otherwise, this and a myriad of other "facepalm" issues would've been dealt with.


  • how about messages in apps like whatsapp and telegram ? they store the messages in server and not internal memory right ? so the messages cannot be retrieved this way right ?


    • My1 Jun 7, 2017 Link to comment

      actually whatsapp solely stores on client for telegram you have at the very least a cache which stores stuff for when you are offline and telegram secret messages are also client only.


    • kgbme Jul 21, 2017 Link to comment

      All stored locally, when displayed on screen. It depends on the application, how they scrub deleted items and whether that particular memory allocation has been written over, once freed.


  • If there's a problem with the device encrypting flash storage data, that would be due to the Android OS and not google. This is a major security flaw on Android's part because if you're someone who saves all of your passwords via an app or text document, you're security is seriously compromised!

    Let's say you sell your phone on Kijiji and it just so happens that a notorious hacker buys it. They could hack it, recover all of your data and web browsing history. Even after you delete files there is always metadata left. It's like smashing them into hundreds of tiny basic pieces. Recovering it puts these pieces back together and restores the files/data.

    If you had a password to your bank account saved on your phone, they could recover that and all of your browsing history. They would know which bank you signed into and (with a good VPN and security) they could log in and be untraceable. Then they could remotely transfer your money to a bitcoin account and would never get caught. It's very hard to do, but some people out there can. Less experienced hackers will even sell stolen accounts to more experienced hackers.

    The reason that Android does this is to protect stolen phones from completely getting wiped by people who steal them. This is called Factory Reset Protection (FRP), and while it is good for protecting yoursef against thieves, it doesn't protect you against hackers. Though there is an extremely smaller chance of this happening, it still would be far more detrimental than a stolen phone.

    Bottom line - I think Android should offer an inexpensive service that wipes all data on your device. It's a scary world in technology these days and no one's information is uncompromisable.


    • kgbme Jul 21, 2017 Link to comment

      Ofc. 100% privacy must be a priority, but not when you have an agenda; and by "you", I mean them.


  • my 2nd gen Moto G crashed and did a factory reset today... does anyone know a way to recover all my stuff? it still says optimizing 153 apps when I restart it which is how many I had before the reset but they aren't there on the phone?? please help


    • kgbme Jul 21, 2017 Link to comment

      I've had apps show up in permissions, after a factory data reset, even though they're not on the phone. A safe mode reset, or two (or, something) later and they've disappeared "on their own".

      This is a brand new, stock, unmodified, Lenovo C2 and it's ghosting me left-right-and-center.

      For example, the newest issue is that whenever Location is turned on it goes to High accuracy with no way to set the default back to the factory (!) GPS only option.

      So, who knows. We're now in the mouth of madness. The twilight zone.


  •   24
    Deactivated Account Jan 26, 2017 Link to comment

    The thing is your mobile device is like a pc (computer) harddrive. All data that has been put on it or saved is recoverable. The only way to make sure nobody can recover anything from it is to destroy it completely smash all the internals one by one with a hammer till there's only small pieces left. Else with the right software and rebuilding the device you can recover it. No software in the world can remove it unless it's software that cause the device to overheat and burst into flames and thus destroying it in such a manner.


  • Encryption of your device before factory resetting will leave the data jumbled and unable to be retrieved.


    • Proof? Source?

      Quote from article "Unfortunately, even devices with built-in encryption are not safe from these weakness. The decryption key is also left intact on a device once it has been factory reset. While that key is itself encrypted, gaining access to it would be a few days’ worth of work for most hackers, according to the researchers."


    • @Kris K: You should read the article again.


  • This is interesting for tmobile users who take part in the jump program. All those phones that get traded in for new ones still have user data on them even after being "reset".


  • I don't like that I had to read half the article for you to say the most recent phones may not be vulnerable to this and then there is no way to check.


  • Man, this is so true but let's face it: Unless you are some V.I.P or some kind of rock star, nobody will be interested in your social media accounts... And if you are one though, probably you won't sell your phone ... Anyway, this a very good article for raising awareness about Android OS weaknesses, still unsolved by Google...


  • Scary, I thought a factory reset would do it all!


  • Deleting data just means forgetting the "address" of the data in question, so the data themselves still exist on somewhere in the memory.... it's an old story of computer science.
    If that's the case, Android is not to blame for, same goes for Windows and iOS, AFAIK.

    For wiping entire data and making a clean break with old phones, some tech-people say that after factory-resetting the phone, we better leave the phone shooting a video with its camera until filling up rest of the storage, so as to overwrite entire memory with "stuffing" over your old data.
    Does that work??


  • Hmm? Thus might be a clue 2 a mystery I've been trying 2 solve ever since the Aug 1 security patch showed kernel in red & said software not recognized by AT&T. Plz turn off & bring 2 nearest att store. I was locked out. Bricked they (att) said. But I managed 2 get it back to working w/o losing anything. And the patch worked. BUT.. ever since my supposedly never used s5active now says "custom" at startup. Even tho every sign points 2 it having never been tampered with. Then I got fruit ninja & it said "welcome back hazel eyes" ? That's not me! This also happened when I 4got my FB pswd. I asked 2 use the phone number sign in option & it showed a number NOT belonging 2 me. Now I did get OTA marshmallow. W/o problems. But I was,sweating all the way thru! Also I now have auto security patch updates turned off 2 avoid being "bricked" 4 a 2ND time. Does ANYONE KNOW HOW I COULD DEFINITIVELY figure out what's causing my phone 2 say custom? I've tried a l I t of things. My knox isn't tripped. No root. I just need answers. Btw. DO NOT TRUST WE DEALS ON EBAY. They told me the phone was NEW.It did come in 99%perfect Condition. But this custom business us a mystery. Especially since I've updated 3 times OTA thru att. Any feedback will be greatly appreciated. I want the custom message/ghost software gone.
    P.s. I've done every type of reset I know of already also. THANKS!!


  • steve Sep 3, 2016 Link to comment

    So basically a factory reset isn't a factory reset, and sell your mobile at your own risk.


  • A couple of years ago my LG Gingerbread phone stopped booting after being dropped., I was delighted to learn that it supported a "hard reset" - see hard-reset.com - supported by some but by no means all models. Above and beyond fixing the phone, the hard reset deleted almost all the bloatware that came preinstalled on it, substantially increasing the available internal storage. This is an OEM not Android functionality, and far better than "factory reset".


  • my tablet is constantly telling me I am offline, presently connected via wi-fi. It is coming on but cannot access anything, i trie to reset , thats why I am having more numerous problems than before.
    When open app all I am getting is Do you want to add an exixsting account or create a new one, I am fed up, any suggestions/


  • What if you manually log out of all accounts and using the account providers website on PC BAN usage on the device thats gonna get sold?


  • Mando Dec 30, 2015 Link to comment

    Yup, happened.


  • The awkward moment when you realise that the photos with you dancing naked wearing a chicken head mask can be retrieved...


  • Wow... had no idea. I'm on the Verizon Edge program, so I have to (and already have twice) return the phone to Verizon when I upgrade. Sold previous phones on eBay, too, after factory resets.


  •   24
    Deactivated Account Aug 29, 2015 Link to comment

    Me too have all my own phones dating back to my nokia 5110, stored in a cupboard. As Mak S. above said it's the same with pc harddrives and I have had the suspicion that it might be the same with mobile phones.


  •   11
    Deactivated Account May 27, 2015 Link to comment

    Saw this on Yahoo also. That is the reason I still have every phone I've bought back to the Nokia N95 any banking info credit card and everything else you did is still there. Just the link to is gone, like on your computer hard drive. If the information isn't over written then it still there and can be recovered. If I have a hard dive fail it gets introduced to my 16Lbs sledge hammer before it's recycled. That is what going to happen to about 6 phones soon.