Does factory-resetting your smartphone delete all your embarrassing photos? Many people who resell or pass on their used smartphones use the built-in factory-reset feature to delete their personal info. But many studies, most recently by Prague-based security company Avast, have shown that a factory reset may not be enough.
In this study, Avast’s experts bought 20 Android smartphones on eBay, some rooted and some not, which on the surface appeared to have been wiped of data and restored to factory settings. But by using some simple digital forensics tools, the experts were able to unearth everything from anime porn to nude selfies to sensitive financial data on these supposedly clean phones.
None of the phones were entirely clean, Avast told Tom’s Guide. Among the 20 phones, the researchers collected 40,000 locally stored photos, including more than 1,500 photos of children, more than 750 photos of partially or entirely nude women and more than 250 photos of partially or entirely nude men.
The phones also contained records of more than 1,000 Google searches, more than 750 emails and text messages, more than 250 contact names and email addresses, and one completed loan application. Four of the 20 phones could be traced back to their original owner by name.
Avast noted that only one of the 20 phones had a security app installed on it (it didn’t specify which), but added that that phone gave up the most information.
The forensic tools Avast used in its study included FTK Imager (forensic toolkit imager), which can be downloaded for free online. They also gathered tips on individual phone models from the publicly accessible developer forum called XDA, on which programmers and experts trade information on mobile hardware.
Avast researchers also used a technique that let them back up all of an Android device's data to a computer, without unlocking or rooting the device, by using a tool called Android Debug Bridge. The researchers then converted the retrieved data to a readable format with another tool called Android Backup Extractor.
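To show why a backup pulled this way is readable unless it was encrypted, the following added example (not from Avast's study or from either tool) inspects the header of an Android backup file and lists whatever file names are exposed. It assumes the publicly documented backup layout of four text header lines followed by a zlib-compressed tar archive; the function names and the sample file are constructed for illustration.

```python
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"

def parse_ab_header(blob):
    """Return (info dict, payload offset) for an Android backup byte string."""
    lines, pos = [], 0
    for _ in range(4):  # magic, format version, compression flag, encryption name
        end = blob.find(b"\n", pos)
        if end == -1:
            raise ValueError("truncated header")
        lines.append(blob[pos:end])
        pos = end + 1
    if lines[0] != MAGIC:
        raise ValueError("not an Android backup file")
    info = {
        "version": int(lines[1]),
        "compressed": lines[2] == b"1",
        "encryption": lines[3].decode("ascii"),
    }
    return info, pos

def list_exposed_files(blob):
    """File names readable with no key; empty list when the backup is encrypted."""
    info, offset = parse_ab_header(blob)
    if info["encryption"] != "none":
        return []  # payload is ciphertext; nothing is readable without the password
    payload = blob[offset:]
    if info["compressed"]:
        payload = zlib.decompress(payload)
    with tarfile.open(fileobj=io.BytesIO(payload)) as tar:
        return [m.name for m in tar.getmembers() if m.isfile()]

def build_sample_backup(encryption="none"):
    """Constructed sample: one fake file wrapped like an unencrypted backup.
    With encryption="AES-256" only the header field changes (body is not real ciphertext)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"constructed sample contents"
        entry = tarfile.TarInfo("apps/com.example.gallery/f/photo_0001.jpg")
        entry.size = len(data)
        tar.addfile(entry, io.BytesIO(data))
    header = MAGIC + b"\n1\n1\n" + encryption.encode("ascii") + b"\n"
    return header + zlib.compress(buf.getvalue())

if __name__ == "__main__":
    print(list_exposed_files(build_sample_backup()))
    print(parse_ab_header(build_sample_backup("AES-256"))[0])
```

Running the same header check on a backup you have made yourself tells you whether its contents are protected by a password or stored in the clear.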
So if performing a factory reset isn’t enough to deter a reasonably savvy snoop, what can you do to protect your old data?
The Avast study didn’t include iOS devices, but on the iPhone 3GS and later, running iOS 3.0 and later, selecting “Erase All Content and Settings” should be enough, because these devices have built-in hardware encryption. All you need to do to enable encryption on an iOS device is to set a passcode on your device.
When you select “Erase All Content and Settings,” you’re deleting the encryption key needed to read your data. Your photos, contacts and other information might still be on the phone but should all appear as incomprehensible jumbles of characters.
Android phones, however, don’t automatically enable encryption, so before you wipe your phone, you should encrypt your device. Read our guide for how to encrypt an Android phone or tablet to find out what to do. After that, a factory reset should delete that encryption key, also rendering your files unreadable. However, the quality of an Android phone’s factory reset varies from hardware maker to hardware maker.
There are a few third-party tools that will properly wipe your phone. Avast has one, accessible as a feature in its Avast Anti-Theft app. Lookout Mobile Security, an app for Android and iOS, also has a wipe feature as part of its paid version.