Are you planning to upgrade your smartphone, to sell your old device, or to give it to a child or friend?
Were you planning to “factory reset” your device to clean out all your data?
Unfortunately, in many cases, “factory resetting” a device does not stop later users from accessing your data.
Here is why — and what you have to do to securely wipe your phone.
Factory resetting a device may make your files, photos, and other materials disappear from being seen by normal users, but it does not necessarily remove the files’ actual contents from the device’s storage; the material that you want to prevent from being seen may remain accessible. In many cases, deleting causes the locations in storage utilized by files to be marked as unused, so that other items may be stored there, but leaves files resident in the former locations. Until the data is actually overwritten, anyone who has your device after you, and who subsequently downloads a readily available tool, can obtain your information.
So, how can you best make sure that your data cannot be retrieved by a subsequent user of your device? Doing so is a 5-step process:
5-Step Process to Secure Factory Resetting
1. Remove any mobile expansion cards (e.g., Micro-SD cards)
2. Encrypt the entire device before wiping
3. Copy files to the device to fill up the device’s memory
4. Log out of Apple/Google and all auto-log in apps
5. Factory reset and wipe the device
If you are using Android version 6.0 or later, your device is encrypted by default, but the SD card is not. So, be sure to remove the SD card. (You could also encrypt the SD card – but removing it is better, and you probably do not want to give the next user your card anyway.) If you are not sure what version of Android you are running, go into the Settings app and select “About Phone.”
If you are using an Android version earlier than 6.0, there is a setting on your device – normally found in the Security section of the Settings app (on my Samsung Galaxy phone it is called “Lock screen and security”) – that allows you to encrypt the phone. It may already be enabled; if not, turn it on. Android will then encrypt all data on the device, and enable encryption for data added to the device in the future. (Please note: This process may take some time to run and uses significant power – especially if you have a lot of data already on the device – so make sure that your battery is fully charged or your device is plugged into an outlet when you turn on encryption.)
Once your data is encrypted, copy large files to the device to fill up the device’s memory – you want to ensure that “empty” areas of memory that may not have been encrypted yet do not hold residual elements of sensitive materials. Shooting or downloading a video and then making multiple copies of it is one easy way to quickly fill up the device.
Ideally, before wiping your device, log out of your Google account and all other accounts on the device (e.g., auto-logged in Facebook app, etc.). Wiping the device should block anyone who uses the device after you from auto-logging in as you to an app that he or she reinstalls, but logging out provides extra protection. Doing so also informs the provider of your disassociation from the device.
Then, factory reset (i.e., wipe) the device. (The option is found in the Setting App, Under “Backup and reset”).
For more information, please see the article, How To Wipe An Android Smartphone Or Tablet Before Selling It Or Trading It In.
Enable encryption, and then follow the steps that Apple recommends to take before selling or giving away your iPhone. If your device is running iOS 4-iOS 7, and you have a password set for the device, your device should already be encrypted. So, if you have not done so already, create a password by going to “General settings,” and choosing Passcode (or, in some cases, “iTouch & Passcode”). On devices running iOS 8 or later, Go to the “Passcode” (or “Touch ID & Passcode”) section of the Settings app. After you create the passcode, or if you had one already and are checking to make sure that encryption is enabled, you should see a message that says “Data protection enabled” on your Passcode setting page – indicating that device encryption is enabled.
The follow Apple’s recommended steps (the following is quoted from several iterations of Apple’s article What to do before selling or giving away your iPhone, iPad, or iPod touch):
1. If you paired an Apple Watch with your iPhone, unpair your Apple Watch.
2. Back up your iOS device.
3. If you are running iOS 7 or earlier, Tap Settings > iCloud. Tap Delete Account.
4. If you are running iOS 8 – 10.2 Tap Settings > iCloud. Scroll down, and Tap Sign Out. Tap Sign Out again, then Tap Delete from My iPhone and enter your password.
5. If you are running iOS 10.3 or later, Tap Settings > [your name]. Scroll down and Tap Sign Out. Enter your Apple ID password and Tap Turn Off.
6. Go back to Settings and tap General > Reset > Erase All Content and Settings. If you turned on Find My iPhone, you might need to enter your Apple ID and password.
7. If asked for your device passcode or Restrictions passcode, enter it. Then Tap Erase [device].
8. Contact your carrier for help transferring service to a new owner. If you aren’t using a SIM card with your device, you can contact them to get help transferring service to the new owner.
And For Even Better Security…
You may wish to copy large, non-sensitive files and fill up the device’s memory after factory resetting it, or consider using a third-party tool that wipes with better techniques than simply deleting the encrypted files; there are several such offerings on the market including ProtectStar’s iShredder for both Android and iOS, and Pinellas Codeworks for Android. These products can overwrite the encrypted files multiple times — instead of just deleting the files — thereby, reducing the ability of anyone to extract overwritten data by analyzing the memory. Keep in mind, however, that recovering files that have been overwritten even once is much more complex than recovering deleted files that have never been overwritten even a single time. For most people, the approach described above should suffice.
Furthermore, it is important to understand that if you want the best protection, do not give anyone else your device. Erasing data, encrypting data, etc. may be powerful ways to protect information – and should be done when decommissioning a device – but information security is still better assured if, even after cleaning the device, you retain it and do not give it to others. Note that destroying a device with a hammer — an approach made famous by revelations that Hillary Clinton’s staff did precisely that in order to prevent others from seeing the contents of her decommissioned mobile devices — does not protect data from being extracted by sophisticated parties with moderate budgets.