NEW YORK (May 22, 2015) — If you recently sold your old Android phone, chances are your text messages, emails, pictures and Facebook key are still in there, even if you wiped its memory clean.
A new study by computer researchers at the University of Cambridge shows that “factory reset” — at least on Android devices — doesn’t actually erase everything.
Sometimes it doesn’t even come close.
The used smartphone market is huge and about 630 million phones out there are susceptible to this problem, according to the study. Wall Street analysts expect the market will keep blowing up in size until at least 2018.
Researchers tested 21 phones made by Google, HTC, LG, Motorola and Samsung. In every case, they were able to recover text messages, Google account credentials and conversations on messaging apps. A few emails remained on the device 80% of the time.
Also, the special app “tokens” that let you access your Facebook and other social media accounts remained on the device.
And sometimes, devices don’t properly wipe the special part of your phone that stores all your pictures and videos — at all.
The devices affected by this include the HTC One, HTC Sensation XE, Motorola Razr I, Samsung Galaxy S, Samsung Galaxy S2, Samsung Galaxy S Plus and others.
Researchers said the Google Nexus 4 performed the best — but it still had issues.
Each phone had a different set of problems. For example, the HTC One didn’t wipe its internal SD card (where pictures are stored) by erasing it through the phone’s “settings” section, even though that’s what HTC says you should do. Instead, you have to go through the “recovery” section.
Part of the blame lies with Google, which makes the Android software that runs all these phones. But the phone makers are also at fault, because of bad design and terribly slow upgrades and software updates, researchers told CNNMoney.
If you’re determined to sell your old phone, there’s no way to be sure your data is completely gone.
Manually deleting every photo, message and app doesn’t actually work. Hitting “delete” doesn’t really destroy that file on your phone, because flash memory — the type these phones use — is notoriously difficult to erase.
Another approach is to encrypt everything on your phone with a passcode. But then how will you sell your phone?
“This can be desperately complicated,” said Ross Anderson, a Cambridge engineering professor who worked on the study.
Per Thorsheim, a cybersecurity expert in Norway, offered a different, more brutal approach.
“Don’t hand off your old phone. Smash it,” he advised.
Google didn’t respond to questions for this story. The company normally suggests trying a combination of things: remotely wiping the phone as if it were stolen, hitting “factory reset,” and updating to a new version of Android that allows for encryption with a passcode.
But even that’s not 100% reliable, researchers say.
Fortunately, Google does offer an option to protect your Google-related stuff (like Gmail, Drive documents and maps). You can open Gmail, head to the Google dashboard and “revoke” that device’s access to your Google account.