Android's phone wiping fails to delete personal data

Prepping an older phone for resale or as a donation? A study shows you'll need more than the default data wipe tools to eliminate personal data and those embarrassing selfies.

Seth Rosenblatt Former Senior Writer / News

Avast discovered that Android's factory reset option leaves deleted data in a recoverable state. Jack Frog/Shutterstock

Was that naked selfie you took really deleted before you sold your phone on eBay?

A new study from security software vendor Avast calls into question the effectiveness of Android's factory reset option, which many people have relied upon to delete personal data from their old smartphones before reselling the devices or donating them to charity.

Avast -- known for its security software on Windows, Mac, and Android -- purchased 20 Android smartphones from eBay, which has around 80,000 used smartphones for sale at any given time. Among the data that Avast employees recovered from the phones were more than 40,000 photos -- including 250 nude male selfies -- along with 750 emails and text messages, 250 contacts, the identities of four phones' previous owners, and one completed loan application.

The problem, as Avast mobile division president Jude McColgan told CNET, is that people still aren't used to considering the implications of all the personal data stored on a smartphone.

"Users thought they were doing a clean wipe and factory reinstall," he said, but the factory reinstall is cleaning phones "only at the application layer."

Using off-the-shelf digital forensics tools, Avast was able to recover SMS and Facebook chats from Android phones. Avast

Smartphones can be a treasure trove of personal data, thanks to the central -- and often rather intimate -- role they've taken in people's everyday lives, through Facebook posts, Snapchat conversations, online banking, Amazon purchases, and much more. It's a new reality of personal technology recognized last month by no less a body than the US Supreme Court, which ruled that police must get a search warrant before delving into the contents of a person's cell phone.

"We have a very unique relationship with our mobile phones that we've never had to any other technological device," Bronson James, a lawyer involved in one of the cell phone cases decided by the Supreme Court, told CNET's Ben Fox Rubin. "In our brief we equated our mobile devices as the entryway into our virtual home."

Avast didn't have to resort to much digital jiu-jitsu to recover the data from the phones it acquired, McColgan said. His team used "fairly generic, publicly available," off-the-shelf digital forensics software such as FTK Imager, a drive-imaging program.

"Although at first glance the phones appeared thoroughly erased, we quickly retrieved a lot of private data. In most cases, we got to the low-level analysis, which helped us recover SMS and chat messages," Avast researchers Jaromir Horejsi and David Fiser wrote in the report.

Avast noted in the report that its own Android security app comes with a deletion tool that the company said does a better job of wiping personal data than the included reset option.

McColgan was not shy about pointing this out. There's a challenge, he said, in making people more aware of device security "when your whole PC and more is in your pocket."