I recently read an article that proclaimed you should never sell or recycle an old cell phone. It was based on a security researcher who said it is incredibly easy to get personal information off of a phone, making identity theft and credit card fraud a snap. But when you can get upwards of $100 for an old smartphone, and the environmental impact of recycling is so positive, I wasn't so sure this was a security mantra that made sense. So I did a little experiment of my own.
The standard recommendation for getting rid of an old phone is to do a factory reset first. This restores all the original controls, deletes added apps, and supposedly wipes the phone clean of data. But is this good enough? To find out, I started with three old phones: my own iPhone 3GS, a used Droid, and a used Samsung feature phone. I did a factory reset on the Droid and the iPhone (you can find this option under Settings). The feature phone we used didn't offer that option, so instead I tried to manually delete as much info as I could.
At this point, I mailed the phones to forensic computer analyst Steve Burgess. He used a variety of programs to try and pull info off each phone — and the results were mixed.
On the iPhone, all the personal data was unrecoverable, Steve explained: "With an iPhone, when you do a factory reset, it removes all of the encryption keys, which is the same as wiping it, unless you have something like a supercomputer." Steve says he tried a number of programs to get around the encryption, but was unable to extract anything.
Blackberries also possess superior security features, and Steve says that once reset and left for 30 days, the data is definitively gone.
For the Droid phone, the data was much easier to access. Hitting the factory reset on phones running the Android operating system doesn't technically remove or write over data stored on the phone. It just masks the location of that data. Steve explained that with forensic software or some basic hacking skills, that data could be accessed. One other security issue is the SD card in many of these phones; the card is the most vulnerable point for information harvesting. These cards can be erased, but widely available software can easily pull up much of the 'erased' data. At a minimum, Steve recommends pulling the SD cards from any phones you sell or recycle.
For feature phones, the issues are a little more complex. To access deleted data, the phone has to be physically connected to a computer. As anyone who's tried to do this can tell you, many feature phones have proprietary cables, so finding the right one is the first complication. Sure, a thief could scour eBay to find the correct cable, but this extra hurdle may make it less likely for identity thieves to bother.
But if the new owner of your feature phone is successful connecting it to the computer, Steve tells us that extracting data with forensic software is usually possible. On the other hand, feature phones often hold much less data — just contacts, call duration, and texts. These are not the treasure troves of mobile banking info, passwords, and email that today's smartphones are.
Forensic Expert's Bottom Line
"If you've got a million dollar credit limit, and Homeland Security information, and naked pictures of your girlfriend or boyfriend, then you may not want to get rid of that phone." But for the rest of us… "I'd say if you do a factory reset on your phone and take out the SIM card and take out the SD card, that you're probably fine. The guy on the other end is probably not going to find much of anything. He's probably not going to be a forensics guy. And even if he is a forensics guy, it can be pretty tough to get stuff off of phones because there are such a variety of them."
Related: Is it Safe to Bank on Public Wi-Fi?