It would be convenient if you could just click a button and delete your old phone (maybe that’s next on Google’s plate), but for now it takes a little more effort to get rid of a real, tangible object.
Before you sell or give away your old Android smartphone, you’ll want to do a factory reset so that the next owner won’t have access to any of your sensitive data.
But how effective is that factory reset feature? Does it actually erase your data, or could a stranger still find a way to extract private information out of your used phone.
Researchers recently put that question to the test, and the results weren’t exactly promising.
The Verdict: Factory Reset is Fundamentally Flawed
Cambridge University professor Ross Anderson and researcher Laurent Simon bought 26 secondhand Android phones over eBay, sampling the operating systems Android 2.2 (Froyo) through Android 4.3 (Jellybean).
Every single phone of the 26 they tested retained at least some of the information that was in them before they were put them through a factory reset. This information included contact information, photos, videos, messages, third-party data, and more.
In 80% of cases, Anderson and Simon were able to recover Google authentication tokens and restore the previous user’s information for Gmail and other apps.
The operating systems tested are used by 50.5% of all Android users, meaning that over 500 million Android phones out there have this factory reset flaw.
What can you do about it?
Strong passwords (11+ characters with both upper and lower case letters and also numbers and symbols) can’t hurt. Activating full-disk encryption also helps.
One of the more technically-involved solutions is to overwrite all unallocated space with random-byte files, but this method requires some technical skill, as the partition has to be overwritten manually bit by bit to be properly sanitized.
Want to learn about what else you can do to ensure that your private data is kept private when you get rid of your old devices? Give us a call at (973) 638-2722 or send a message to firstname.lastname@example.org for information about our mobile device security services.