Avast bought 20 Android smartphones on eBay in the US to see if its staff could recover data from "wiped" smartphones, including those reset to factory condition.
It turns out that they could.
The security company recovered more than 40,000 photos, 750 emails and texts, 250 names and addresses, the identities of four previous owners, and a completed loan application, among other things.
The photos included "more than 750 photos of women in various stages of undress" and "more than 250 selfies of what appear to be the previous owner's manhood", according to Avast's president of mobile, Jude McColgan.
"Images, emails, and other documents deleted from phones can be exploited for identity theft, blackmail, or for even stalking purposes," McColgan said in a press release. "Selling your used phone is a good way to make a little extra money, but it’s potentially a bad way to protect your privacy."
With large numbers of Android phones now used by businesses, it's also a threat to company data. Nowadays, this may well include banking data.
There were many similar exercises in a previous century, in which companies recovered data from PCs that had been scrapped but not properly wiped. Many or perhaps most businesses are now aware that deleting files on a PC does not securely erase them, and that it's necessary to overwrite hard drives to make data very difficult if not impossible to recover. The same thing now applies to Android phones.
At the moment, relatively few people are familiar with the sort of forensic software that can recover data from reset phones. Examples include the Oxygen Forensic Suite and AccessData's Forensic Toolkit (FTK). However, this is likely to change as more users need to recover data that they have deleted by accident.
Avast has a vested interest in the topic, because its portfolio of security software includes programs for Android phones. However, in this case, Avast's suggested solution — its Anti-Theft app — is free on Google Play.
Avast advises users to install its Anti-Theft app "and then use the thorough wipe feature to permanently delete and overwrite all files on the device, thus making personal data irretrievable". This stealth app also enables users to remotely lock or wipe a stolen phone, but you need the paid-for version ($1.99 a month or $14.99 a year) to retrieve personal data before wiping it.
In an earlier experiment, in 2012, McAfee's Robert Siciliano bought 30 devices on Craigslist and found that BlackBerry and Apple iOS devices deleted data effectively when users followed the manufacturer's directions to restore the factory settings. He recommended not reselling Android smartphones and PCs running Windows XP.
"Put it in the back of a closet, or put it in a vice and drill holes in the hard drive, or if you live in Texas take it out into a field and shoot it," he told the LA Times. "You don't want to sell your identity for 50 bucks."