What everyone should do
No matter what type of smartphone you use, there are a few basic things you should check outside of wiping your phone:
* Remove your sim card: While most of the data that you store is kept on your internal storage or microSD card, it's still possible for contacts or call logs to be kept on your sim card. The person you're selling it to has no need for this, so always be sure to remove it.
* Remove your microSD card: Similarly, if your phone has a microSD card, chances are you don't really want or need to give it away. To truly ensure that the data on your micro SD card is secure, keep it to yourself.
* Erase and format your SD card: If you absolutely have to include your microSD card with your phone, then you'll at least want to erase and format it. You can usually do this via the Settings app. You can also do it by connecting it to a PC, but if you format it with the wrong file system for your phone, it might not recognize the card. Again, though, the best way to secure your data is to keep your card.
Assuming you've taken care of all this, the only thing that's left should be your device's internal storage. iOS and Android have slightly different ways of handling this, but both are mostly straightforward.
How to securely wipe your phone
For the rest of this, we're going to talk about how to secure your internal storage, but first it's worth explaining a bit about how flash memory works. As you're probably aware with normal platter hard drives, data isn't really erased when you delete something. The internal flash memory in your smartphone isn't quite the same. Because it's not a magnetic storage medium, the methods used to recover data on an old hard drive won't be the same as tools to pull from your phone. Among other things, this means that while rewriting data seven times is a standard method for erasing magnetic media, it won't do much to make your data more secure.
That being said, for most of the average user's needs, your phone already has the tools built in to securely erase your phone's data. If you carry military secrets around on your unprotected Galaxy S4, well.. for starters, you probably shouldn't. But if you do, you should probably consult someone with a PhD in something before you lose your phone in a bar. Everyone else may continue.
iOS: Use the default erase setting
For iOS users, your job is pretty simple. The iPhone has built-in options that securely erase your phone. On old phones, it goes through a long secure erase process, but on the iPhone 3GS and iOS 3.0, Apple moved to hardware encryption on its phones. From that point on, all data you store on the internal storage (which, aside from anything on the sim card, is everything) is automatically encrypted. Your phone uses a device-specific key that's never stored anywhere but your handset.
When supported iOS devices wipe your phone, what's really happening is that the hardware-specific encryption key is securely wiped. Everything else on your phone is left an unintelligible mess, even if someone were to use a fancy forensics lab to physically examine the memory chips which 99% of you will probably never have to deal with.
So what do you need to do to securely erase your phone? Just head to Settings > General > Reset > Erase all Content and Settings.
That's it. On any iPhone including or following the iPhone 3GS (as well as all iPads and any iPod Touch 3rd generation and later), this will use the hardware encryption method described above. It will be very fast, yet still leave your data secure. For any older devices, the process will actually take a lot longer, as iOS will overwrite all of your data with random information to prevent it from being read later. Either way, though, this should be as secure of a wipe as you can get.
Android: Encrypt your phone, then erase
Android phones are set up a little differently from iPhones (shocker, I know), and they vary somewhat from manufacturer to manufacturer. However, in general the default options are mostly secure. We talked with Android security researcher and Elite Recognized Developer on XDA jcase and he gave us a few pointers in the right direction.
Unlike the iPhone, Android encryption is not done on a hardware level. For starters, this means if you want to have your phone encrypted, you'll need to enable it manually in Settings. This process will take a while and, from then on, you'll need to enter a PIN when you first boot your phone (not to be confused with your lock screen PIN). It can also cause some slight performance decreases, so keep that in mind. This process also can't be reversed without wiping your phone, so consider carefully before you commit.
Now, on Android, you have two options for wiping your phone: you can either do a factory reset (located in different places depending on your phone, but should be under something like "Backup & reset") which will wipe everything you've ever stored in any user-accessible area of storage. For most people, this will be enough to ensure that no one will be able to access data you've ever stored.
How effective a basic wipe is can depend on how well the manufacturer implemented its factory wipe. When we spoke to jcase, he said that some manufacturers' methods can still leave behind recoverable data. Additionally, if you root your phone and use a custom recovery, wiping via the recovery might not do everything properly.
While, ideally, you shouldn't have to overwrite your phone to erase data using a factory reset, if you're unsure or want to be extra safe, encrypting your phone (usually found in Settings under "Security") before wiping it can provide some reassurance. Just be aware that it may be redundant on certain phones. Still, better safe than sorry.
Of course, the last line of defense before you sell your phone is to vet your buyer. If you're using a CDMA device, be sure to deactivate your phone with your carrier before handing it off. And while you're at it, make sure you've taken care of your phone and are selling it for as much as possible.
Post a Comment