Say you have an Android phone that you’re selling or donating to someone. Your first thought would be to delete any and all personal data that you might have. One can do that individually for every document, file, picture and video or one can simply use the factory reset option in the settings menu to wipe the device. That’s what most users do but according to well known security software company Avast, the factory reset option in Android doesn’t completely wipe off data, rather it leaves the data in a recoverable state.
Avast conducted a test to support their theory. It picked up 20 used Android smartphones from eBay which is one of the most widely used online sources for selling smartphones. Avast’s employees were able to recover more than 40,000 photos, 750 emails and text messages, 250 contacts, one filled out loan application, IDs of four phones’ previous owners and even 250 nude selfies, all from phones that had been wiped clean.
The company’s mobile division president Jude McColgan tells CNET that the factory reset option only cleans phones “at the application layer.” This means that the data is there for the taking even if you wipe it. Avast used a fairly generic digital forensics software to prove its theory and while at first glance the phones seemed to have been completely wiped, the researchers were able to conduct low-level analysis and recover data.
Granted that these were trained professionals who knew what they were looking for, its unlikely that everybody who buys a used smartphone off eBay has this much expertise with digital forensics. But it is a genuine concern nonetheless. Avast wastes no time in pointing out in its report that its Android security app has a much better wipe option that does a better job that the default option.