Many people who would like to sell their old Android devices know enough to reset their phones before putting them up for sale. However, not many of them know that simply going through a factory reset won't delete their embarrassing selfies and the rest of their personal data permanently.
A new report released by security software seller Avast shows that Android's factory reset option does not remove all of a user's data but simply changes the index that points to a file instead of deleting the entire file itself.
"When a file is deleted, the operating system merely deletes the corresponding pointers in the file table and marks the space occupied by the file as free," explains Jaromir Horejsi, computer virus researcher and analyst at Avast. "The reality is that the file is not deleted and the data it contained still remains on the drive."
Avast purchased 20 second-hand Android smartphones from eBay and used FTK Imager, an off-the-shelf digital forensics application that is "fairly generic" and "publicly available," to recover data from the smartphones, each of which was described as completely "wiped" according to Android's factory reset settings. The result? Avast researchers recovered more than 40,000 personal photos, including 1,500 photos with children in them and 250 selfies of someone's "manhood," 750 texts and emails, 250 contacts, a loan application, a sexual harassment course, and the identities of the previous owners of four of the smartphones.
This, however, is no reason to panic. As Google pointed out in a statement, Avast's research covers smartphones running on older Android versions and, for the most part, does not include newer Android-based smartphones that have security features in place to prevent the easy recovery of the smartphone owner's data.
"If you sell or dispose of your device, we recommend you enable encryption on your device and apply a factory reset beforehand; this has been available on Android for over three years," says Google.
Encrypting an Android phone is easy. Users can simply go to their phone's security settings and choose "Encrypt Phone" before hitting the factory reset button. Encrypting will not totally delete the files, but the standard factory reset will throw away the encryption key so that the phone has no way of decrypting the files, making it very hard for someone to recover them.
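To see why the order matters, here is a small simulation added for illustration (it is not Avast's or Google's code). `ToyPhone`, its file table and the SHA-256 keystream cipher are assumptions that stand in for a real phone's storage and disk encryption, and the file contents are constructed sample data.

```python
import hashlib

JPEG_MAGIC = b"\xff\xd8\xff"          # start-of-image bytes that carving tools look for
LOAN_TEXT = b"constructed loan application"

def xor_stream(key: bytes, offset: int, data: bytes) -> bytes:
    """Toy cipher (SHA-256 keystream), standing in for the phone's real disk encryption."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + (offset + i).to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

class ToyPhone:
    def __init__(self, encrypted: bool):
        self.flash = bytearray(512)       # raw storage, as a forensic imager would read it
        self.table = {}                   # file table: name -> (offset, length)
        self.next_free = 0
        # Constructed fixed key so the run is repeatable; a real key is random.
        self.key = hashlib.sha256(b"constructed device key").digest() if encrypted else None

    def save(self, name: str, data: bytes) -> None:
        off = self.next_free
        stored = xor_stream(self.key, off, data) if self.key else data
        self.flash[off:off + len(stored)] = stored
        self.table[name] = (off, len(stored))
        self.next_free = off + len(stored)

    def factory_reset(self) -> None:
        self.table.clear()                # pointers deleted, space marked free
        self.next_free = 0                # flash contents are NOT overwritten
        self.key = None                   # encryption key thrown away

def residue_after_reset(encrypted: bool) -> list:
    """Return which planted items are still findable in the raw image after a reset."""
    phone = ToyPhone(encrypted)
    phone.save("selfie.jpg", JPEG_MAGIC + b"\xe0 constructed photo bytes")
    phone.save("loan.txt", LOAN_TEXT)
    phone.factory_reset()
    image = bytes(phone.flash)
    found = []
    if JPEG_MAGIC in image:
        found.append("jpeg header")
    if LOAN_TEXT in image:
        found.append("loan text")
    return found

if __name__ == "__main__":
    print("unencrypted:", residue_after_reset(False))
    print("encrypted:  ", residue_after_reset(True))
```

In both runs the reset leaves the stored bytes in place; only the encrypted phone's leftovers are unreadable once the key is gone.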
Of course, Avast also offers its own solution - a freemium app called Avast Anti-Theft that includes a deletion tool that Avast says "will not only erase, but also overwrite your data." For those who wouldn't want to receive notifications for in-app purchases, however, encrypting the phone before a factory reset should provide enough protection to prevent data-miners from getting access to their personal data.