A researcher has discovered that even if you hit Factory Reset on an Android phone, your personal data may not be permanently deleted.
Robert Siciliano, an identity theft expert from McAfee performed the experiment, where he purchased 30 used devices (mostly smartphones and laptops) from random users on Craigslist. His goal was to see how smart people were about removing their personal information from phones, but as it turns out, even though a majority of owners did correctly Factory Reset their Android devices, he was still able to retrieve vital data like “Social Security numbers, child support documents, credit card account log-ins, and a host of other personal data.” This finding is all the more disturbing since he could find no problems with the way iPhones, iPads, or BlackBerry devices delete their data. The only other weak link was Windows XP, which is so old it’s almost expected.
We’ve reached out to Google’s Android team to try and learn more about this potential vulnerability, but have not heard back as of publication. We’ll update this article if and when we get some answers.
Until we learn more, we don’t recommend that you don’t sell your used Android devices to anyone that you don’t know or trust. It’s quite possible that personal information could be leaked from it.