If you’ve recently upgraded to a brand-new smartphone, or are in the process of figuring out which new model is best for you, then you’re probably starting to think about what you should do with your old smartphone. Selling your smartphone, or giving it to a friend or relative who needs an upgrade, too, is a great plan. But to protect yourself and your privacy, you have to make sure to get all of your data off of the phone before handing it over to someone else.
As Kaveh Waddell reports for The Atlantic, smartphones with poor security can be dangerous even after they part ways with their original owners. How dangerous? Researchers at software security company Avast found more than 2,000 personal photos, emails, and text messages on 20 phones they bought at pawn shops. And while the pawn shop owners said that these phones were reset to factory settings and wiped of previous owners’ data, Avast found that half of the phones that had been reset still suffered from a bug in an outdated version of Android, which left their data vulnerable to recovery even after being deleted.
However, Avast also found that in many cases, the presence of easily-recoverable data wasn’t the fault of the phone, but of its owner, since 12 of the 20 phones examined weren’t actually factory-reset. On some, owners tried to delete their files manually, but researchers were able to use free data recovery tools to find the deleted files. On other phones, the owners hadn’t even tried to delete files or perform a factory reset — which could be a testament to the fact that pawn shops often end up with lost and stolen devices. Ultimately, the researchers found 1,200 photos, 300 emails and texts, three invoices, one contract, 170 Google searches for porn, 200 explicit photos, and one adult video.
Further, Waddell reports that researchers at Cambridge University were able to extract passwords and encryption keys from phones that had been reset. As phones ship with stronger and stronger encryption, used phones are becoming less likely to leave previous owners’ information vulnerable. Current iPhones, for instance, use full-disk encryption that renders data useless without a passcode. And for context, Avast’s researchers ran a similar experiment last year and found 40,000 emails, texts, and photos — which means the amount of data that they were able to recover decreased by 95% in a single year.
However, not everyone can or wants to spend $600, $700, or $800 for the latest smartphones with cutting-edge encryption. So someone selling an entry-level smartphone at a pawn shop may be putting himself at risk of credit fraud or identity theft. As Lexy Savvides reports for CNET, no method apart from physically destroying your phone and its storage is 100% foolproof, and your data still may be recoverable with the right tools. (But destroying your old smartphone isn’t exactly an option when you’re hoping to sell it or pass it on to a friend or relative.) But if you want to reduce the risk of your data falling into the wrong hands, there’s a right way to wipe your device.
Before you begin, and regardless of the operating system of your phone, Savvides recommends backing up all of your data, including your contacts. Then, remove the SIM card and any external storage, like a microSD card. (If you don’t plan to use the microSD card in your new device, you should also encrypt and wipe it separately: connect your phone to your computer, remove the files, and then reset the SD card.) Log out of services like email and social networks, and then clear the data from these apps. Finally, store the serial number of the phone for your records.
The simplest way to wipe an Android device is to perform a factory reset. But as the Avast researchers found, that’s not always sufficient. A factory reset generally only clears data at the application level, and information like SMS and chat messages can be recovered. To effectively wipe an Android device, you’ll need to complete a slightly longer process. CNET’s Dan Graziano recommends beginning by encrypting your device, and then performing a factory reset.
Without the encryption PIN, which will be overwritten in the factory reset, it will be almost impossible to decrypt your data. But if you want to add another layer of protection, you can then load a set of “dummy data,” including fake photos and contacts, and then perform another factory reset, which will make it even harder for someone to access the real data buried below the dummy data. After you’ve wiped the phone, you can revoke the device’s access to services like Gmail and Facebook via the Account settings on each service’s website.
iOS devices that support iOS 5 or later include hardware encryption when you set a passcode. If you properly wipe your iPhone, the encryption key will also be overwritten, which will make it very difficult for anyone to recover your data. Before you reset your phone, make sure to turn off Find My iPhone via the Settings app. Then, sign out of iCloud, also via the Settings app; Savvides notes that if you delete all of your data manually without signing out of iCloud, that will also delete all of the content from iCloud, which is something you want to avoid.
Next, turn off and sign out of all the other services you use on your iPhone. Turn off iMessage, sign out of your Apple ID, and sign out of linked services like Facebook and Twitter. After that’s completed, you can begin the process of actually wiping your phone. Go to the “General” section of the Settings app, and then tap “Reset” and “Erase all Content and Settings.” If you’ve registered the iPhone with Apple by its serial number, remove it from your support profile by logging in with your Apple ID at supportprofile.apple.com.
CNET reports that Windows phones only offer encryption for business customers, so the best way to wipe a Windows Phone 7, 8 or 8.1 device is to perform a factory reset, and then load a set of dummy data to overwrite any traces of the original data. To do so, open the Settings app and find the option to reset your phone. Next, connect the phone to your PC or Mac. (If you’re using a Mac, download the Windows Phone app.) Find the phone and open it, and load dummy data onto it by dragging and dropping it from another folder.
When you’re loading dummy data, don’t use your personal photos or documents. Instead, use files that don’t have metadata that could be traced back to you, like videos or music files. Load the phone with as much dummy data as possible, and then reset the phone again. You can load the phone with dummy data and reset it a couple more times to make sure that your original data is overwritten, and then perform a final reset. Finally, log in to account.microsoft.com and remove the device from your account.
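The dummy data for the overwrite step can be prepared on the computer before the phone is connected. The following is an added example, not code from CNET or from this article: it fills a staging folder with files of random bytes, given neutral names and a fixed timestamp so that nothing in them traces back to you. The function names, file names, sizes, and timestamp are all assumptions chosen for illustration.

```python
import os
import secrets
from pathlib import Path

CHUNK = 1024 * 1024          # write 1 MiB at a time to keep memory use flat
NEUTRAL_MTIME = 946684800    # 2000-01-01 00:00:00 UTC; arbitrary fixed value (assumption)


def make_dummy_files(staging_dir, total_bytes, file_bytes=64 * 1024 * 1024):
    """Fill staging_dir with random-content files totalling total_bytes.

    Random bytes carry no personal content and no embedded metadata
    (no EXIF, no author fields). Returns the list of paths written.
    """
    staging = Path(staging_dir)
    staging.mkdir(parents=True, exist_ok=True)
    written, index, paths = 0, 0, []
    while written < total_bytes:
        size = min(file_bytes, total_bytes - written)
        path = staging / f"filler_{index:05d}.bin"   # neutral, hypothetical name
        with open(path, "wb") as fh:
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
        # Replace the creation-time timestamp with a fixed one.
        os.utime(path, (NEUTRAL_MTIME, NEUTRAL_MTIME))
        paths.append(path)
        written += size
        index += 1
    return paths


def staged_size(staging_dir):
    """Total size in bytes of the filler files in staging_dir."""
    return sum(p.stat().st_size for p in Path(staging_dir).glob("filler_*.bin"))


if __name__ == "__main__":
    # Constructed demo: 5 MiB in 2 MiB files. For a real wipe, set
    # total_bytes close to the phone's free storage.
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        files = make_dummy_files(tmp, 5 * 1024 * 1024, file_bytes=2 * 1024 * 1024)
        print(len(files), "files,", staged_size(tmp), "bytes")
```

Copy the staging folder to the phone, reset, and repeat as described above; generating fresh files for each pass means every pass writes different data.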