With the right tools, it is still possible to access old data once an Android device has been factory reset. Researchers have put this to the test and discovered that many users mistakenly believe that their files are deleted once a reset is performed but unfortunately this is not the case.
What actually happens is that file information is not overwritten it still exists but the file path to the data is gone. The phone no longer considers this as data that is taking up space on the device, creating the illusion of deletion. So when the new user comes along they can just overwrite it. Until then it is still very much recoverable.
For those using their phone to access sensitive business data, this recoverable data can present a real problem as when the time comes to upgrade many users will naturally want to give away or sell their device. Wherever the device ends up the original owner needs to be sure all trace of their usage is gone, or at the very least completely inaccessible. So what can they do?
The following steps will help ensure that anyone using the device in the future will be barred from accessing any recoverable data left over from the factory reset:
By far the most trustable option is the encrypt feature. This means you are scrambling your old data and locking it away with a special key code, this code can be entered to descramble the data putting the device owner in control. Be aware without the key the data is almost entirely unrecoverable.
Most of the devices running Android 6.0 Marshmallow even have a mandatory encryption for maximum security, the exception are some lower end devices. Android devices running Android 5.0 Lollipop or lower can turn on encryption, and it is highly recommended to do so before a factory reset. Do this by navigating to Settings > Security and selecting Encrypt phone - the location of this setting may vary by device.
After this step, if the phone gets into the wrong hands then the data will be almost unrecoverable.
Overwrite the Encrypted Data with Junk Data
By this point, your data should not be recoverable but this step will truly obscure your data in the event of it falling into the hands of a clever cyber criminal who can bypass your encryption.
The idea with this step is to refill the phone with throwaway data, a particularly long video filmed at the highest of setting could get the job done quickly. This is to be done once the phone has been encrypted and factory reset and once the phone is full with this new data factory reset once more. The trick with this step is to not sign in to any accounts or treat the device like it is a personal device so any saved data from this step could be recoverable.
If you’re still concerned about device safety then go ahead and repeat the process. Before this point, if both steps have been completed then the data would already be worthless. After this step, there is virtually no chance it could ever be recovered.