Read This Before Selling Your Smartphone...

Category: Mobile

Before recycling, donating, or selling your smartphone, it’s a good idea to wipe it clean of all your contacts and other personal data. The easiest way to do that is the “factory reset” function; just tap it, confirm, and your phone is returned to the state it was in when it left the factory. All your personal data is gone. Or not. Read on to learn more...

Android Reset Vulnerability

The factory reset is supposed to scrub everything from your phone, and return it to "just out of the box" condition. Except your data isn’t gone completely, and much of it can be recovered by a tech-savvy snoop. Researchers at Cambridge University were able to recover passwords, contacts, photos, and other data that a factory-reset failed to erase from internal memory and external SD cards. Even full-disk encryption posed little hindrance to recovering "deleted" personal data.

The study, entitled Security Analysis of Android Factory Resets, included 21 smartphones from five manufacturers; the phones were running Android versions 2.3 to 4.3. (That means Android Gingerbread, Honeycomb, Ice Cream Sandwich, and Jelly Bean.) About 630 million such devices have been sold worldwide, and many have been re-sold or otherwise passed along.


The researchers say they don’t know if more recent versions of Android have the same shortcomings. What??? They didn't test the two most recent versions of the operating system? (Android KitKat and Lollipop run on 50% of all Android devices.) That's just bizarre. But anyway, let's continue...

In 80% of the tested phones, researchers were able to recover the master token that Android uses to provide access to Google services such as Gmail, Calendar, etc. So when these phones were reset and rebooted, they immediately synced with Google services to recover all the data stored there: emails, appointments, contacts, even text messages and voicemails. Tokens for other apps, including Snapchat and Facebook, were also recoverable on a majority of tested phones.

In case that's not clear, it means that in addition to recovering the data left on your phone, a determined hacker could gain ongoing access to your online accounts. So by all means change your passwords if you lose or sell a phone.

Why is it So Hard to Wipe a Phone?

iPhone users can wipe that smug look off their faces… The Cambridge researchers didn't test to see if iPhones and iPads are similarly vulnerable. AND... It's just been found that a specially crafted text message, sent from another phone, can shut down your iPhone. Fortunately, there's a way to protect your iPhone, until a better fix is released by Apple.

Part of the problem is that some manufacturers do not include with their phones the software drivers needed to wipe non-volatile external storage devices, such as SD cards. But the main problem is internal flash memory, which is notoriously difficult to “wipe” completely.

Surprisingly, the researchers found that the “crypto footer” file which stores the decryption key of a fully encrypted flash drive is not erased during a factory-reset. This key is generated by the combination of a semi-random system-generated “cryptographic salt” value and a user-defined PIN or password. Since users tend to choose weak PINs and passwords, the crypto footer is easily cracked in less than a day, according to Kenn White, a North Carolina computer scientist.

The Cambridge study’s findings put Android users in a predicament when they want to dispose of a used phone, or when a phone is lost and a remote wipe is advisable. If full-disk encryption is available, it’s best to use it and choose a strong password: one that incorporates alphabetical, numeric, and special characters, and is more than 11 characters long. But given how often people need to unlock their phones and the challenges of smartphone keyboards, strong passwords are not likely to be used by many.
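To put numbers on the weak-PIN problem and the password advice above, here is an added example (not from the article or the Cambridge study) that measures how fast a salted key derivation runs on your own machine and estimates the worst-case time to try every secret a policy allows. The KDF choice (PBKDF2-HMAC-SHA1, 2000 rounds), the 94-symbol alphabet and the three policies are assumptions made for illustration; the measurement uses one CPU core, so dedicated hardware would be faster.

```python
import hashlib
import os
import time

# Assumption for illustration: PBKDF2-HMAC-SHA1 with 2000 rounds. The article
# does not say which key-derivation function or cost the tested phones used.
KDF_ROUNDS = 2000
DIGITS = 10
MIXED = 26 + 26 + 10 + 32  # upper, lower, digits, ASCII punctuation = 94

def derive_key(secret: str, salt: bytes, rounds: int = KDF_ROUNDS) -> bytes:
    """Derive a 256-bit key from the user's secret and the stored salt."""
    return hashlib.pbkdf2_hmac("sha1", secret.encode(), salt, rounds, dklen=32)

def keyspace(alphabet: int, min_len: int, max_len: int) -> int:
    """Count every possible secret with a length in min_len..max_len."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))

def measure_rate(samples: int = 200) -> float:
    """Key derivations per second on this machine, one core, no GPU."""
    salt = os.urandom(16)  # constructed sample salt
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"{i:04d}", salt)
    return samples / (time.perf_counter() - start)

def human(seconds: float) -> str:
    """Render a duration in the largest unit that keeps the value >= 1."""
    for unit, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.3g} {unit}"
    return f"{seconds:.3g} seconds"

def exhaust_times(rate: float) -> dict:
    """Worst-case time to try every secret allowed by each policy."""
    policies = {
        "4-digit PIN": keyspace(DIGITS, 4, 4),
        "PIN of 4 to 16 digits": keyspace(DIGITS, 4, 16),
        "12-character mixed password": keyspace(MIXED, 12, 12),
    }
    return {name: human(space / rate) for name, space in policies.items()}

if __name__ == "__main__":
    for name, estimate in exhaust_times(measure_rate()).items():
        print(f"{name:30} {estimate}")
```

The salt does not slow this down: it sits in the footer next to the protected key, so the only unknown is the PIN or password, and its length and alphabet decide the outcome.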

As for third-party remote-wiping apps, the same researchers also published a study entitled Security Analysis of Consumer-Grade Anti-Theft Solutions Provided by Android Mobile Anti-Virus Apps. It found significant wiping flaws in 10 Android apps that have been downloaded hundreds of millions of times.

The bottom line: Encrypting your phone with a complex password before you do a factory reset will make it much harder (but not impossible) for a determined person to recover your data. The only way to ensure that your data doesn’t fall into the wrong hands is to destroy a used phone instead of reselling or donating it. That’s little comfort for people who lose phones. If you've sold or lost an Android-powered phone, the best you can hope is that it doesn't end up in the hands of a tech-savvy snoop.


This article was posted by on 28 May 2015


Most recent comments on "Read This Before Selling Your Smartphone..."

Posted by:

28 May 2015

iPhones use the same flash memory that Androids use, so I'm sure they're equally difficult to erase fully. This hazard also applies to Solid-State Drives in desktop computers.

Posted by:

28 May 2015

Yet another reason to be glad I have a Windows phone. Since the market for these is so small, so far nobody seems to have put any great effort into hacking them....or trying to snoop when they are recycled, donated or sold.

Posted by:

Breck Androff
28 May 2015

Great point on smart phones and the uninformed users. Android operating systems for tablets seem to be less seamless than Windows. Is it me or is the operating system the problem or both???

Posted by:

Ruth J
28 May 2015

Interesting article. What about iphones?

Posted by:

28 May 2015

"Encrypting your phone with a complex password"- What do you suggest to use to encrypt a cellphone or how do I encrypt it before I factory reset it? Thanks

EDITOR'S NOTE: Encryption is a built-in feature. See

Posted by:

28 May 2015

What if you sell the phone to your provider (i.e., Verizon)? Would they not want to clean it completely or do they just dispose of them?? How do they dispose of them?

EDITOR'S NOTE: My guess is that they just use the Factory Reset, like everyone else.

Posted by:

28 May 2015

Maybe it's a silly solution, but what about creating a new empty Google account, load it on the phone, encrypt it and then erase it from the phone??? This will probably overwrite the previous data, right??? And you could create a Google account just for this single purpose.

EDITOR'S NOTE: Not sure that would work, because you can have multiple Google accounts on a single device.

Posted by:

28 May 2015

I was told if you go to settings and erase all including setting it will be safe to sell or dispose of. Is this true?

Posted by:

29 May 2015

How do you get rid of info on a flip phone - non smartphone? Thanks

Posted by:

Bob Deloyd
29 May 2015

"Since users tend to choose weak PINs"
How do you create a difficult PIN to crack when you are only given 4 places to use?

EDITOR'S NOTE: Both PINs and passwords can be 4-16 characters.

Posted by:

29 May 2015

What if I use a password manager like sticky passwords. Can the master password be hacked?

EDITOR'S NOTE: Perhaps not, but more at issue is your Google account, and the login token.

Posted by:

29 May 2015

I no longer have cell phone service. My old phones are just sitting around collecting dust. It would be nice if I could sell them. From your article, I'm still trying to figure out how to erase old phone numbers and etc?

Posted by:

29 May 2015

I don't know how much longer I could hold out not owning a smartphone but such issues are foreign to me at the current time. Additionally, although I have a Google (gMail, gVoice, etc) account or two, I tend to NOT use google for any of my personal email communications and data. I use Mozilla Thunderbird to fetch my gMail data from Google servers to my desktop and leave nothing behind in the server. But my mate loves her HTC M8 phone and I am going to be her hero when/if time comes that she has to part with it. Thank you for this information!

Posted by:

30 May 2015

My phone fell in the water & never started again. So I can't reset it. Is it vulnerable to hackers? It's a Galaxy S4.

EDITOR'S NOTE: Assuming that the phone is sitting in a drawer in your home, no.

Posted by:

01 Jun 2015

Am I still at risk of having my personal data compromised if I don't save any passwords on my iPhone or iPad, and I don't use iCloud? Also, how do I completely clear a non-smartphone? Thanks.

Posted by:

06 Jun 2015

I'm sorry, I guess I wasn't clear with my question about my Galaxy S4 phone that was rendered dead when it fell in the water. I want to sell it & need to know if any of my data can be retrieved by a hacker (whose hands it may end up in).

EDITOR'S NOTE: The best answer I can give is "maybe." You might get $14 for a water-damaged S4. Is it worth it?

Copyright © 2005 - Bob Rankin - All Rights Reserved

Article information: AskBobRankin -- Read This Before Selling Your Smartphone... (Posted: 28 May 2015)