Why Android's 'factory reset' isn't really secure

Want to wipe the files on your smartphone? It's harder to do than you might think.

Published: June 07, 2015 06:00 AM

One day soon you may want to trade in your smartphone for a newer, better model. And before you do, you'll want to delete all your photos, e-mails, app accounts, and other personal data—anything you wouldn't want to get into a stranger's hands.

The standard advice is to do a factory data reset, which you can access in the phone's Settings menu. The name implies that hitting reset will take your phone back to the clean, data-free state it was in when it left the factory. But that's not quite true, at least on an Android phone. Hitting the reset button is like clicking "empty trash" on a desktop computer. The data may still be there, but there's no longer a file name pointing to it, and the space it is occupying is now free for the next bit of data that comes along looking for a home.

For that reason, a skilled technician often can recover data from an Android phone that has gone through a factory reset. Steve Hruska, a hardware R&D engineer at a data-recovery service called Kroll Ontrack, does this for a living. He rescues files from devices that would otherwise have been lost to floods, fires, even fits of rage. (It's an expensive service—Kroll Ontrack's fees start at $500.) This is good if you've broken your device, but bad if you're trying to sell it.

There are three steps you can take to make your data harder to recover.

Step 1: Encrypt your phone

The simplest method is to encrypt your phone. Newer Apple phones and Blackberries encrypt their data by default, which boosts security throughout the life of the device. If you've got an Android phone, go to Settings, then tap Security, then Screen Lock or Encrypt Device. Create a PIN or password, if you haven't done that already. Then, encrypt the device. Just remember to plug in your phone to its charger first, as the process can take more than an hour, depending on your hardware. Ideally, you'd encrypt your phone the day you bring it home from the store, in case it's ever lost or stolen. But if you want to safely sell your phone, encrypt it before doing a factory reset.

Surprisingly, this step may not make your phone as secure as you'd like, according to Hruska. "Even on an encrypted Android phone, a factory data reset performed via the OS can leave behind the encryption keys that would allow someone to recover files," he says. The details vary depending on the specific Android device you own—and, by the way, there's some inconsistency in Apple devices, as well. On some of Apple's devices, a factory reset will delete the encryption keys necessary to read the data, while on other devices the data will be overwritten with dummy data.

Shopping for a new smartphone? Learn about key features in our cell phone buying guide.

Step 2: Do a hard reset

The second step you can take is to do a Google search for "hard reset" and the name of your Android phone. You should get results from the phone manufacturer and your cell phone company, among others.

The procedure varies by manufacturer and model, but you'll probably end up holding down the power and volume buttons, selecting an option such as "reboot" or "factory reset" from a rudimentary menu, and restarting your phone several times. (You might also have to stand on one foot while humming "La Marseillaise.")

One site I like,, provides written and video-based step-by-step instructions for hard resetting many old and new Android phones.

This step should securely kill the encryption keys and make data recovery much more difficult.

Step 3: Remove the memory card

The third step you can take—and this should be considered mandatory—is to remove the memory card, if that's possible with your phone model. You can save it for your next phone, or smash it with a hammer.

Here's how you'll find out if the card is removable:

  • If your phone has a removable back cover, pry it open open and look for the card (about the size of a thumbnail) under or next to the battery and SIM card (also about the size of a thumbnail).
  • If your phone's cover doesn't come off, stick a pin or the tip of a paper clip into the pinhole along one side of the phone. That should pop out a tray with the memory card. Sometimes the SIM card will be next to it, which you might need if your next phone will be with the same carrier.
  • Don't poke anything into the holes near the top or bottom of the phone because they're likely there for a speaker or microphone.

As a final note, even these steps might not make it absolutely impossible to recover data off your phone. But the reality is, there are easier ways to steal someone's data, from phishing scams to bogus apps that trick you into typing in your user IDs and passwords.

Unless you're a high-profile CEO, government official, or sexy celebrity, it's highly unlikely anyone will devote enough effort and skill to hack into your old Samsung Galaxy S4 just to retrieve your Facebook ID.

Take reasonable steps to erase your phone's data, and you should be fine.

 —Mike Gikas

E-mail Newsletters

FREE e-mail Newsletters! Choose from cars, safety, health, and more!
Already signed-up?
Manage your newsletters here too.

More From Consumer Reports

The Best Matching Washers and Dryers These washer-dryer pairs cleaned up in Consumer Reports' tests.
Best 4K TVs to Buy Right Now The top picks from the hundreds of 4K TVs we've tested.
Best New Car Deals Save money on the cars that Consumer Reports recommends.
How to Pick the Right Size Generator for Your House Add up the items you need to power before making your choice.


Cars Build & Buy Car Buying Service
Save thousands off MSRP with upfront dealer pricing information and a transparent car buying experience.

See your savings


Mobile Get Ratings on the go and compare
while you shop

Learn more