It’s not enough to just factory reset an Android phone before selling it

I’m not a tinfoil conspiracy theorist by any means, but smartphone data privacy has been on my mind for quite some time. You can never be safe enough when it comes to data security and privacy, and there is no better single source of information about someone’s online (and to some extent offline) life than their smartphone.

Look, I don’t carry state secrets, nor am I powerful enough to overthrow governments, but I don’t like the idea of ​​someone having access to my data without my knowledge. While online, I follow all the usual security measures like using a VPN, ad and tracking blockers on Android and Chrome, and more. However, there is one element of the puzzle that remains a wild card. What if someone had access to my phone? Or worse, what if someone could delete the data from my phone after I factory reset it and sold it? Hollywood crime thrillers certainly make it seem easy enough.

Here’s the thing: performing a factory reset on your Android phone is usually enough security for most people, but is it enough to thwart the most dogged hackers, or umm… governments? Okay, conspiracy theories aside, I promise you I’m not paranoid. I know the chances of anyone bothering to take my phone to a million dollar clean room facility are slim to none. But as a child of the 90s, safety hygiene has been drilled into my head. For example, I run a nail gun through a discarded hard drive and zero out old flash drives or SSDs before throwing them out.

You can never be too careful when it comes to your data and lately I’ve been following the same philosophy to safely erase the data on my phone when I upgrade to a new Android phone or send it to a relative.

The short answer to that is no. The slightly longer answer? Probably not. While social engineering and keyloggers are still the most common way to get into your phone, it’s not impossible to extract data from your device – even after a factory reset.

All modern phones come with encryption enabled right out of the box, and adding a complex password to the lock screen is all it takes to add a serious amount of security. However, it is a popular misconception that encryption and security are a guarantee against data theft. Even the most advanced security is really only a deterrent to the point that the amount of resources required to break through is too high for most hackers to deploy. Think of it like a fortified wall around your home – you can build it high enough, but someone with a tall enough ladder can still climb over it.

Modern Android phones use a type of encryption called file-based encryption. Rolled out from Android 9.0, file-based encryption protects files in the user data partition and the system partition separately. Each file is independently encrypted with a unique key. In fact, all user data is protected by keys generated using a combination of hardware-specific keys and user credentials such as a pin or gesture-based unlocking. Meanwhile, since the system partition is secured with device-specific keys, file-based encryption will let your phone boot, as usual, all the way to the lock screen. This means you can receive phone calls or activate alarms even without logging in. Give it a try: If you restart your phone and don’t enter your PIN, all incoming phone calls won’t show the associated contact details. It is file-based encryption that plays and keeps your personal data safe.

But as secure as it is, there’s no such thing as completely secure in the computing world, and file-based encryption on Android has been broken in the past. Although restoring the master key from RAM requires literal operation on a smartphone, it is not beyond the capabilities of a sufficiently dedicated person and has been achieved. There have also been successful attempts to hack into Samsung’s secure enclave chip to take the phone from BFU (Before First Unlock) to AFU (After First Unlock), which decrypts the user partition and makes it easy to dump files.

Assuming you’ve already reset your phone, it gets more complicated. Since the encryption key is linked to your password, the phone automatically resets the key after a factory reset. A savvy hacker can still dump the phone’s storage, perform data forensics on it and extract files. However, these files would still be encrypted, and it is almost impossible to read them. In fact, Android uses AES-256 standard encryption, which as of today remains unbroken. So, yes, your data can be recovered, but it would be unreadable.

But established tools like Cellebrite, marketed to security agencies and governments, are known to have additional exploits to breach your phone’s security and extract information. Cellebrite advertises that it can access both BFU and AFU modes, decrypt third-party data, and even extract a phone’s complete file system for further data analysis. Given that Cellebrite can break through BFU and AFU encryption, it’s not out of the question that it can also generate decryption keys for existing data.

That said, as I mentioned earlier, you probably have more significant issues to worry about if the government is trying to hack your phone. For most users, a standard system restore should be sufficient.

If you’ve made it this far, you might be thinking that there’s absolutely no need to worry about your data being stolen once you’ve factory reset your phone. While that statement is largely true, it’s never a bad idea to take additional steps to secure your data. Information security is preventative in nature, and ensuring that your private data has been securely deleted is a simple and important step to ensure that.

As it turns out, the solution is pretty simple and the same one we’ve used for decades to secure hard drives. Wiping your phone’s storage to zero is a surefire way to guarantee that even if someone manages to extract data from your phone, it would be a hoax. The Android Play Store has several apps that can accomplish the task, but I’ve had luck with the Secure Wipe Out app to perform multiple runs of writing large-scale binary data to NAND.

While a standard file deletion only marks a particular file as deleted, it usually remains on the disk until another file overwrites it. Writing tens or hundreds of gigabytes of non-sense zero and one binary data to the phone’s storage guarantees that all remaining personal data on the phone’s storage is overwritten. The process may take a few hours if you have a significant amount of storage on your phone, but it ensures that your phone has been safely erased and is worth it for the peace of mind it offers. Of course, you should still factory reset your phone after wiping it clean.

While it’s unlikely that almost anyone reading this article would be a potential target of such an attack, it’s always a good idea to take precautions to protect your data in the event that someone decides to go rogue with your phone. A factory reset on a modern Android phone is very effective in protecting you from data theft. However, I think it’s a small price to pay to ensure that your personal data remains private to be careful and run a secure eraser for a few hours before handing your phone in for an upgrade to a hot upcoming Android phone.