Our smartphones are privy to some of our most important secrets. Sensitive business emails, financial details, contact information, and perhaps even a risqué photo are not things you want falling into the wrong hands. Performing a factory reset is always a good idea, but it might not always be enough. When the security firm Avast bought 20 Android smartphones from eBay, for example, it was able to recover photos, Google searches, emails, text messages, and contact details. We’re going to show you how to make sure that can’t happen to you.
How does a factory reset work?
When you do a factory reset on your Android smartphone, it's supposed to wipe the phone clean, but it doesn't. The reset deletes the addresses of all of your data, so the phone no longer knows where that data is stored, but it doesn't actually overwrite the data itself. That being the case, it's possible for someone to employ off-the-shelf recovery software and get some of that data back. Let's look at how to wipe your Android smartphone properly.
Encrypt your data
The first step is to encrypt your data. This option is built into Android, and requires you to enter a PIN or password every time you turn your phone on. It means that anyone attempting to recover data from your phone after you will need a special key to decrypt it, and they won't have the key.
- Fully charge your phone or keep it plugged in to the charger while this process is running, because it can take several hours depending on how much data you have.
- The exact method for navigating this next step will differ slightly from phone to phone. It will generally be Settings > Security > Encrypt phone. But on a Samsung Galaxy, for example, you want to go to Settings > Lock screen & security > Protect encrypted data. You have the option to encrypt the SD card as well, but if you’re passing the phone on, we would recommend removing it instead.
If your phone came with Android 6.0 Marshmallow or above, it will be encrypted by default, and you can skip to the next section. If you’re unsure about which version of Android your phone is running, then take a look in Settings > About device/phone > Software info. Keep in mind that it will only be encrypted by default if Android 6.0 Marshmallow was installed out of the box.
Factory Reset Protection
Google introduced Factory Reset Protection (FRP) in Android 5.0 Lollipop as an extra layer of security. It’s designed to prevent thieves from being able to steal your phone, wipe it, and then use it or sell it.
When you factory reset a phone with FRP enabled and try to set it up as a new device, you’ll be prompted to enter the user name and password for the last Google account that was registered on the device. If you don’t have those details, then the phone will remain locked and you can’t gain access. Obviously, this is no good if you’re trying to sell it or give it away.
Here’s how to disable it:
- This step will differ slightly depending on your phone. On a Samsung Galaxy, go to Settings > Lock screen and security > Screen lock type and choose None. On an LG G5, go to Settings > Security > Lock screen > Select screen lock and choose None.
- The next thing you must do is remove your Google account. On a Samsung Galaxy, go to Settings > Accounts and tap on Google, then More > Remove account. On an LG G5, go to Settings > Accounts & sync > Google and tap the three vertical dots in the upper right, then tap Remove account. If you have more than one Google account registered with your phone, then make sure you remove all of them.
- If you have a Samsung Galaxy, then you should remove your Samsung account, too. To do this, go to Settings > Lock screen and security > Find My Mobile. Then, enter your password, tap on your account at the top, and select More > Remove account.
Once your Google and Samsung accounts have been removed, you can proceed with the factory reset.
Factory reset the phone
Make sure that you have anything you want to keep backed up before you do this because it will wipe everything.
- Go to Settings > Backup & reset > Factory data reset and then tap Reset phone or Reset device.
When the process is done, your phone will be wiped and any data that could be recovered will be encrypted and should be impossible to decrypt. It’s now safe to sell your Android smartphone, or pass it along to someone else.
Overwriting with junk data
If you want to be absolutely certain, you can overwrite the encrypted data with junk data and then perform another factory reset — then it would be genuinely impossible to recover any of your old data. This is probably overkill. If you want to do it, however, then simply load a bunch of dummy data onto your phone until the storage is full — a few large videos should do the trick — and then perform another factory reset.
You can also get an app to do it for you. There are a few options in the Play Store, such as Secure Erase with iShredder 3.
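The manual fill described above can also be scripted. The following is an added example, not part of the original article: it assumes a POSIX shell with `dd` and `/dev/urandom` (for instance an `adb shell` session on the phone), and the function name `fill_with_junk` and the `/sdcard` path are illustrative assumptions.

```shell
#!/bin/sh
# Added example: fill free space with random junk before the second factory reset.
# Usage: fill_with_junk DIR [MAX_MIB]
#   DIR      directory on the storage to fill (e.g. /sdcard; an assumed path)
#   MAX_MIB  optional cap for a trial run; omit to write until the storage is full
# Prints the number of whole MiB written. Files land in DIR/junk-fill/.
fill_with_junk() {
    dir=$1
    max_mib=${2:-0}              # 0 means no cap
    junk="$dir/junk-fill"
    mkdir -p "$junk" || return 1
    written=0
    n=0
    while :; do
        if [ "$max_mib" -gt 0 ] && [ "$written" -ge "$max_mib" ]; then
            break                # reached the trial-run cap
        fi
        chunk=64                 # MiB per file, well under FAT32's 4 GiB file limit
        if [ "$max_mib" -gt 0 ] && [ $((max_mib - written)) -lt "$chunk" ]; then
            chunk=$((max_mib - written))
        fi
        file="$junk/junk-$n.bin"
        # Random bytes rather than zeros, so the data cannot be compressed away.
        if ! dd if=/dev/urandom of="$file" bs=1048576 count="$chunk" 2>/dev/null; then
            # dd fails once the storage is full; count what the last file holds.
            part=$( { wc -c < "$file"; } 2>/dev/null || echo 0 )
            written=$((written + part / 1048576))
            break
        fi
        written=$((written + chunk))
        n=$((n + 1))
    done
    sync                         # flush buffered writes to the storage
    echo "$written"
}

# Trial run with a 128 MiB cap, then the real fill (uncomment to use):
#   fill_with_junk /sdcard 128
#   fill_with_junk /sdcard
```

The factory reset that follows removes the `junk-fill` directory along with everything else.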
There you have it. That’s how you completely wipe your Android phone. Let us know if you have a better technique.
This article was originally published on July 25, 2014, and updated on May 5, 2016, by Simon Hill to include updated instructions for encryption and a section on Factory Reset Protection.