Skip to main content

A new report from a software security firm has highlighted an uncomfortable truth for smartphone users: Deleting personal information from an Android device doesn't mean it's gone forever.

Security researchers purchased several used phones on eBay and were able to recover thousands of photos (including a disturbing number of nudes) that belonged to the previous owners, not to mention e-mails, personal contacts and in one case a completed loan application.

The chief culprit appears the "factory reset" features on the world's most popular mobile operating system, which according to an interview in CNET only remove files at the "application layer." That suggests many people have inadvertently left behind a host of easily recoverable personal files and information you might hope to erase before selling or giving away your phone.

What do you mean "erase" doesn't delete "forever?"

So, you've taken a nude selfie and are feeling a little ashamed. Time to delete it, let's say from a popular Android-based device (maybe from Samsung, the largest maker of Android smartphones). You go to the camera roll, select DELETE, confirm and bang, done. Right? Sorry, that's not the end of the story.

As Globe and Mail technology reporter Omar El Akkad explained in his exhaustive guide to safer computing, deleting isn't a magic wand:

"Most of the time, when you delete a file (and even empty the recycle bin), it doesn't actually go away. Instead, the computer puts a "For Sale" sign on the part of the hard drive where the file is located. Over time, other files and programs may override the space, but they also may not. This means that, even after you delete a file, it can often be partially or fully retrieved by anyone who knows what they're doing."

To truly delete a file off local storage (a disc drive, sim card, thumb drive, SSD, whatever) you need to overwrite that old file info with something new (preferably a bunch of unimportant junk). On your PC there are programs like Eraser, for Android there are apps like SHREDroid that can help you do this. Barring that, you could always chuck your old phone in a wood chipper or melt your it down into slag (don't actually do either of those things, old gear should go to electronic waste management; these things are full of heavy metals and other chemicals that need safe disposal).

Who discovered this and what else did they find?

A Czech Republic-based security software company called Avast reported the problem, which they felt was somewhat urgent given the tens of thousands of older Android devices for sale on eBay and other reselling sites. But Avast didn't do this just for kicks, they make and sell software that is supposed to help you avoid these situations.

In addition to a lot of photographs, they found things like Facebook chats, records of Google searches, e-mails with password data and much more. This infographic is a peek into what they found, the full report for the technically inclined is here: Android Forensics, Part 1: How we recovered (supposedly) erased data. Perhaps the most disturbing part of the study is that most of the software tools Avast researchers used to crack open these old phones can be downloaded for free, by anyone, and are relatively easy to use.

And if you still aren't sure how big a deal this is, Android, made by Google, is everywhere and used by almost everyone: from Amazon to Samsung, LG to Xaomi (and maybe even Microsoft some day). Unless you have an iPhone or a BlackBerry smartphone, odds are quite good that your device runs on Android.