Naked selfies: why factory reset won't erase your phone

Jul 14, 2014

If you don't want your pictures and data recovered, destroy your old phone, says security expert

Michael Zorn/Getty Images for Mount Airy Casino Resort

Naked photos have been retrieved from a batch of second-hand phones whose owners thought had been completely erased.

Security firm Avast studied a batch of Android phones and found that using "standard forensic security tools" they could retrieve pictures, phone numbers and other sensitive information even after the phones had been given a "factory reset".

Researchers were able to recover more than 40,000 photos from the 20 handsets, including 750 pictures of women "in various stages of undress" and 250 revealing photos of men, The Guardian reports. 

Researchers were also able to retrieve texts and e-mails. And four of the phones had stored details of the previous owners' identities.

A Google spokesperson told Ars Technica that the problem affected older phones only, and not handsets that run the company's more recent operating systems.

"This research looks to be based on older devices and versions and does not reflect the security protections in Android versions that are used by 85 per cent of users," Google said. "If you sell or dispose of your device, we recommend you enable encryption on your device and apply a factory reset beforehand; this has been available on Android for over three years."

Apple says that its iPhones and iPads encrypt data in such a way that when a user opts to "erase all content and settings" it cannot be decoded.

However, Alan Calder, founder of cyber-security and risk management firm IT Governance, told the BBC that it is possible to retrieve even encrypted data.

"Google's recommended routine for protecting the data only makes it harder for someone to recover the data," he said. "It does not make it impossible."

"If you don't want your data recovered, destroy the phone – and that has been standard security advice, in relation to telephones and computer drives, for a number of years. Any other 'solution' simply postpones the point at which someone is able to access your confidential data."

Sign up for our daily newsletter

Read more: