If you're selling an old Android smartphone on an online auction site, you could be giving away rather more than you intend to, according to a recent investigation by anti-malware company Avast.
Going through phones that had supposedly been "factory reset," the company's researchers were able to view photos taken by the phone's original owners. In addition to the usual harmless photos of the family cat were naked selfies that the original owners would never have wanted anyone to see.
What's more, the researchers were able to do this simply by using a range of free smartphone forensic tools that are easy to use by technical enthusiasts as well as professional forensics experts.
HOW IT WORKS
Electronic data, stored either on a solid state drive or a traditional hard disk, persist even when we think we have wiped the storage device. Many readers will naturally assume that when you delete a file, it has been removed from your phone or computer.
The way it actually works is that the link (or reference) to the file is deleted, but the original file is still there - so that inappropriate selfie is still in your phone's storage even if you can no longer see it in the photo browser. What's worse is that, unless the file is fully overwritten, you may find that the dodgy pictures remain for some considerable time.
The issue spotted by Avast is that the "factory settings" feature of some older Android phones does not overwrite every "bit" of data; instead, it simply removes the file references.
WHICH PHONES ARE AFFECTED?
Based on their research, it is only Android devices that are affected. iPhones encrypt their storage, which adds a layer of strong security. So even if you could see that the data existed, you couldn't see what it was as you won't have access to the original security keys.
It would seem that Windows and Blackberry phones are not affected either. Researchers may yet discover issues, but as it stands there are no concerns.
HOW TO PROTECT YOUR DATA
The best advice I can give if you intend to sell your Android phone is to first consider carefully how you may have used the device. If there are - or were - any pictures or data on the phone that you do not want to fall into the hands of others, then keep the phone, and do not sell or give it away.
There are also ways that you can encrypt your Android, and this is a technique worth considering.
But the only truly secure way to destroy the data is to smash the phone into little pieces, then throw it into a fire.
Personally, I prefer to store only impersonal and chaste data on my phone. Best not to take pictures of your cat unless you really want others to see your kitty.
Smith is a lecturer in networking at The Open University.