
Barcelona: Consumers still lack awareness around how to protect their sensitive personal data on smartphones despite an improvement in technology.

Mobile security software maker Avast found that second-hand phones sold in shops still had sensitive personal data on them.

“Many users forget to delete their data, and while 40 per cent of the phones purchased from pawn shops had been factory reset, user data continues to be accessible,” said Gagan Singh, president of mobile at Avast Software.

For the experiment, Avast purchased 20 used smartphones — five devices each in New York, Paris, Barcelona and Berlin — and used widely available free recovery software to detect the data found on the devices.

As a result, Avast retrieved more than 2,000 personal photos, emails, text messages, invoices and one video containing adult content from the phones, all of which the prior owners assumed had been deleted.

On two of the phones, he said that the previous owners had forgotten to log out of their Gmail accounts, risking having the new owners read or send emails in their name.

Avast performed a similar experiment two years ago with used phones that were sold by consumers online in the US and found more than 40,000 personal photos, emails and text messages.

While each shop owner assured the buyer that the phones had been factory reset and that all data from previous owners had been wiped clean, Avast found that this was not the case.

Anti-theft software

Of the phones that were factory reset, 50 per cent still contained personal data as they were running an outdated version of Android that had an improperly functioning factory reset feature.

“Some of the previous owners only deleted their files without doing a factory reset. However, this doesn’t mean that the files were removed completely — only the reference to the file was deleted. Other phone owners simply forgot to delete their data or do a factory reset,” he said.

Scenarios such as these highlight both the responsibility of shop owners to properly wipe and reset phones prior to sale, and the need for phone owners to use “antitheft software” so that they can remotely wipe the data if their phone is lost or stolen.

He said that phones running on the new Android OS are pretty safe when it comes to the factory reset, but used phones with older Android versions that have a less thorough reset feature are still being sold.


“Through our research, we noticed that some people simply forget to delete their personal data and perform the factory reset before selling the device,” he said.

To ensure that all data is removed, Singh said a user needs to overwrite the phone’s files. Without this, a user’s personal data could easily end up in the hands of the next owner of the phone. In the end, users are responsible for cleaning all “sensitive and personal data” from their devices prior to sale, and they should never rely on a shop owner to remove remaining data prior to reselling the phones.

“If you sell your phone, make sure you don’t sell your identity and personal data in the same move. So, they should take the time to ensure their sensitive data is removed from their phones prior to selling them,” Singh added.