Why Android’s “factory reset” isn’t really secure

One day soon you may want to trade in your smartphone for a newer, better model. And before you do, you’ll want to delete all your photos, e-mails, app accounts, and other personal data—anything you wouldn’t want to get into a stranger’s hands.

The standard advice is to do a factory data reset, which you can access in the phone’s Settings menu. The name implies that hitting reset will take your phone back to the clean, data-free state it was in when it left the factory. But that’s not quite true, at least on an Android phone. Hitting the reset button is like clicking “empty trash” on a desktop computer. The data may still be there, but there’s no longer a file name pointing to it, and the space it is occupying is now free for the next bit of data that comes along looking for a home.

For that reason, a skilled technician often can recover data from an Android phone that has gone through a factory reset. Steve Hruska, a hardware R&D engineer at a data-recovery service called Kroll Ontrack, does this for a living. He rescues files from devices that would otherwise have been lost to floods, fires, even fits of rage. (It’s an expensive service—Kroll Ontrack’s fees start at $500.) This is good if you’ve broken your device, but bad if you’re trying to sell it.

There are three steps you can take to make your data harder to recover.

The simplest method is to encrypt your phone. Newer Apple phones and Blackberries encrypt their data by default, which boosts security throughout the life of the device. If you’ve got an Android phone, go to Settings, then tap Security, then Screen Lock or Encrypt Device. Create a PIN or password, if you haven’t done that already. Then, encrypt the device. Just remember to plug in your phone to its charger first, as the process can take more than an hour, depending on your hardware. Ideally, you’d encrypt your phone the day you bring it home from the store, in case it’s ever lost or stolen. But if you want to safely sell your phone, encrypt it before doing a factory reset.

Surprisingly, this step may not make your phone as secure as you’d like, according to Hruska. “Even on an encrypted Android phone, a factory data reset performed via the OS can leave behind the encryption keys that would allow someone to recover files,” he says. The details vary depending on the specific Android device you own—and, by the way, there’s some inconsistency in Apple devices, as well. On some of Apple’s devices, a factory reset will delete the encryption keys necessary to read the data, while on other devices the data will be overwritten with dummy data. 

The second step you can take is to Google “hard reset” and the name of your Android phone, and follow the directions. (The procedure varies by manufacturer and model.) You’ll probably end up holding down the power and volume buttons, selecting an option like “reboot” or “factory reset” from a rudimentary menu, and restarting your phone several times. (You may also have to stand on one foot while humming La Marseillaise.) 

One site I like, www.resethard.com, provides both written and video-based step-by-step instructions for hard resetting a large number of old and new Android phones.

This should securely kill the encryption keys and make data recovery much more difficult.

The third step you can take—and this should be considered mandatory—is to remove the memory card, if that’s possible with your phone model. You can save it for your next phone, or smash it with a hammer. 

Here’s how you’ll find it. If your phone has a removable back cover, pry it open open and look for the card (about the size of a thumbnail) under or next to the battery and SIM card (also about the size of a thumbnail). If your phone’s cover doesn’t come off, look for a pinhole along the sides of the phone, and stick a pin or an opened paper clip into it. That should pop out a tray with the memory card. Sometimes the SIM card will be next to it, which you may need if your next phone will be with the same carrier. Don’t poke anything into the holes near the top or bottom of the phone because they’re likely there for a speaker or microphone.

As a final note, even these steps may not make it absolutely impossible to recover data off your phone. But the reality is, there are easier ways to steal someone’s data, from phishing scams to bogus apps that trick you into typing in your user IDs and passwords. Unless you’re a high-profile CEO, government official, or sexy celebrity, it’s highly unlikely anyone will devote enough effort and skill to hack into your old Galaxy S4 in order to retrieve your Facebook ID. Take reasonable steps to erase your phone’s data, and you should be fine.