It's Not Enough To Just Factory Reset An Android Phone Before Selling It
I'm by no means a conspiracy theorist, but data protection on smartphones has been a concern of mine for a long time. You can never be sure of data security and privacy, and there is no better source of information about a person's online (and offline) life than their smartphone.
Look, I'm not hiding state secrets and I'm not powerful enough to overthrow the government, but I don't like it when someone accesses my information without my knowledge. When I'm online, I follow all the usual security measures like using a VPN, ad and tracker blockers on Android and Chrome, and more. However, there is one piece of the puzzle that remains a wild card. Can someone access my phone? Or worse, what if someone takes the data from my phone and sells it after I factory reset it? Of course, Hollywood crime thrillers look pretty simple.
Problem: Factory resetting an Android phone is usually enough for security reasons, but is it enough to stop the craziest hackers or governments? Conspiracy theories aside, I assure you that I am not crazy. I knew that anyone who was tired of taking my phone into a multi-million dollar clean room would be out of luck. However, as a child of the 90s, safety hygiene was already ingrained in my mind. For example, I nail down discarded hard drives and dispose of old flash drives or SSDs before throwing them away.
You can never be too careful with your data, and these days I follow the same philosophy of securely wiping my phone data when I upgrade to a new Android phone or give it to a relative.
Is it possible to recover data after resetting Android phone to factory settings?
Edgar Cervantes / Android Authority
The short answer is no. A bit long answer? Probably not. While social engineering and keyloggers remain the most common methods to break into your phone, even after a factory reset it is impossible to access your device's data.
All modern phones already have encryption enabled. To significantly increase security, all you need to do is add a complex password to the lock screen. However, there is a common misconception that encryption and security protect against data theft. Even the most advanced security only deters until the resource required to break in is too high for most hackers. Think of it as a defensive wall around your house - you can build it high enough, but with stairs long enough for someone to climb.
Security is like a defensive wall around your house - you can build it high enough, but someone with a high enough ladder can climb it.
Modern Android phones use a type of encryption called file encryption. Introduced with Android 9.0, file-based encryption protects files separately in the user data partition and the system partition. Each file is independently encrypted with a unique key. In fact, all user data is protected by a lock created using hardware keys and user credentials such as a PIN or gesture unlock. Since the system partition is protected by a device lock, file-based encryption allows your phone to boot normally to the lock screen. This means you can answer calls or set alarms without logging in. Try this: If you restart your phone and don't enter your PIN, your contact information won't appear on incoming calls. File-based encryption protects your personal information.
Although it is secure, there is nothing completely secure in the computing world, and file encryption on Android has been broken in the past. While recovering a master key from RAM requires the operation of a smartphone, it is not out of the question for someone who is dedicated to it. There was also a successful attempt to crack the Samsung Protected Enclave chip to move the phone from the BFU stage (before the first unlock) to the AFU stage (after the first unlock), which unlocks the user's partition and allows for easy file extraction.
Data recovery from a reset Android device is technically possible but extremely difficult, making it impossible for the average user to fall victim.
Assuming you've already reset your phone, things get even more complicated. Because the encryption key is tied to your password, the phone automatically resets the key after a factory reset. A skilled hacker can still reset the phone's memory, perform data forensics, and extract files. However, these files are still encrypted and barely readable. In fact, Android uses the default AES-256 encryption, which remains unsolved to this day. So yes, your data is recoverable but not readable.
However, well-known tools like Cellebrite sold to security agencies and governments are known to have additional ways to compromise your phone and extract information. Celebrite claims that it can switch to BFU and AFU modes, decrypt third-party data, and even restore the phone's entire file system for further data analysis. Because Cellebrite can break BFU and AFU encryption, it is possible that Cellebrite can generate decryption keys for existing data.
However, as I mentioned earlier, if the government tries to hack your phone, you may have more serious issues to worry about. For most users, a standard system reset is enough.
How to completely wipe an Android phone before selling it
Dhruva Bhutani/Android Authority
If you've made it this far, you might be thinking that you no longer have to worry about your data being stolen after you factory reset your phone. While this statement is mostly true, it's not a bad idea to take extra measures to protect your data. Information security is preventative and ensuring your personal information is securely deleted is a simple and important step.
The old method of writing fuzzy binary data into memory is still the most efficient way to make your data unreadable.
As it turns out, the solution is pretty simple and the same one we've been using to protect our hard drives for decades. Clearing your phone's memory is a surefire way to screw it up, even if someone manages to get their hands on your phone's data. There are several apps in the Android Play Store that can handle this task, but with Secure Erase I had better luck with some processing operations when writing large amounts of binary data to NAND.
Although standard file deletion marks certain files as deleted, they typically remain on the hard drive until another file is written to replace them. Writing tens or hundreds of gigabytes of meaningless binary 0s and 1s into the phone's memory ensures that all personal data in the phone's memory is overwritten. If your phone has a lot of storage space, the process may take a few hours, but it ensures that your phone data is safely deleted and provides peace of mind. Of course, you still need to perform a factory reset after wiping your phone.
So, is it enough to factory reset your Android phone before selling it?
Edgar Cervantes / Android Authority
While it's unlikely that anyone reading this article will be a potential target of such an attack, it's still a good idea to take precautions to protect your data if someone decides to play games on your phone. Factory reset is very effective on modern Android phones to protect you from data theft. However, in my opinion, keeping your personal information private is a small price to pay if you are careful and perform a secure wipe for a few hours before handing over your phone for the latest Android phone update.
Yes, you can remotely wipe your Android phone using Find My Device. Go to android.com/find and sign in with your Google account. Select the lost device and select the “Erase Phone” option. This will permanently delete all data on the phone when connected to the internet
Factory resetting Android will disable Find My Device and you will no longer be able to find your phone.
Although you won't be able to restore photos from your phone after a factory reset, your photos will be safe in the cloud as long as you turn on Google Photos backup.
Yes, you can factory reset your Android phone from the recovery menu without a password. Press and hold the Power button and Volume Down button for ten seconds. This will restart your phone and enter recovery mode. Enter recovery mode using volume buttons and select “wipe data” option. This will reset your Android phone to factory settings.
