Of course you're going to factory reset your phone before you give it away or sell it. You don't want all your data sitting on there, right? Unfortunately a new study shows even a full factory reset will leave data behind on an Android phone, and very very important data at that.

We've known for a while that just factory resetting an Android phone won't get rid of all its data. Last year, security developer Avast dug into what can be left behind, and the remnants include photos, email addresses, emails, texts, selfies, downstairs selfies, and more. But a new study out of the University of Cambridge shows that it's even worse than that; people could actually use this data to log into your accounts.

Even a full factory reset will leave data behind on an Android phone

The flaw with factory resets has to do with the way data is deleted on computers. When you delete something off a hard drive, your phone or computer doesn't just go an wipe it away. Instead it marks the place where it is stored as OK to overwrite. It's easy to think of this space as "empty" but it's really not; it's full of garbage data that's been marked for deletion but that isn't necessarily deleted until the computer has new data that it needs to set down in an "empty" space. And Android's factory recent doesn't go out of its way to wipe all that "empty" space that really isn't empty, so there's still data there to find.

As the study points out, this gets really dangerous when combined with tokens, the way your smartphone logs you into apps. When you put your password into Facebook for the first time, the app checks your password and generates a special-use token. Until you log out, that token is stored on your phone and authenticates you behind the scenes so you don't have to always be typing in your password. You can probably see where this is going.

If bad guys get their hands on a phone that still has tokens floating around in the memory that's marked as empty but actually isn't, they can extract those and basically use them as passwords to your accounts. Bad, bad news.

The good news is that there's a way to avoid all of this: Encrypt your phone before you wipe it. When you encrypt a phone, you are forcing a change to every chunk of memory available, and basically scramble everything. It's a fine solution, you just have to know about it.

The researchers say they're working with Google to help close the whole in the future, perhaps by enabling encryption by default, like the iPhone does. That takes a lot of processing power though, and while the iPhone has a dedicated co-processor to help with that, Android phones don't and you can take a performance hit.

So for now just remember that if you're going to sell or give away an Android phone, encrypt it before you wipe. Encrypt it anyways! Encryption is good.

Source: The Verge