All files need to be overwritten and made irretrievable before reselling the device.
Using built-in ‘factory reset’ and ‘delete-all’ facilities on Google’s Android powered smartphones is not enough to erase personal information, research has revealed.
A report from Czech Republic-based security firm Avast revealed that researchers were able to retrieve more than 40,000 pictures, including ‘naked selfies’ of female and even male anatomy from second-hand factory-wiped Android phones, which they purchased on eBay.
Despite consumers deleting their data, the Android vulnerability enabled Avast to even to extract emails, text messages and Google searches by making use of standard forensic security tools, which confirms that the factory reset function does not work, the report added.
Avast Mobile president Jude McColgan noted that deleting files from Android phones before selling them or giving them away is not enough.
"You need to overwrite your files, making them irretrievable," McColgan added.
In response to Avast’s findings, Google told Ars Technica that the latest research looks to be based on old devices and versions (pre-Android 3.0) and does not reflect the security protections in Android versions that are used by the vast majority of users.
"If you sell or dispose of your device, we recommend you enable encryption on your device and apply a factory reset beforehand; this has been available on Android for over three years," Google added.
Warning consumers to be aware of such vulnerabilities, McColgan added that along with phones, consumers may not realise they are selling their memories and their identities.
"Images, emails, and other documents deleted from phones can be exploited for identity theft, blackmail, or for even stalking purposes," McColgan said.
"Selling your used phone is a good way to make a little extra money, but it’s potentially a bad way to protect your privacy."