When selling your old Android phones, you don’t want any of your personal information to be recoverable. Now granted, most Android phones store data on flash chips, and if the kernel/firmware is set up properly then the data cells in the flash chip are discarded upon a delete command. But how do you know for sure?

I looked around for ways to securely wipe Android phones, and found conflicting answers. Some people said a factory reset through recovery is all that is required, while others said an encryption process was required before factory resetting, as the encryption process also encrypted free space, leaving no data to be recovered. Some people even said that’s not enough, and that a full overwrite of the data cells was required.

So, ordered in increasing levels of paranoia, here are all the ways of securely wiping your Android phone.

The DIY method

This is more of an anecdote so feel free to skip ahead, but I tried creating an Android app that would overwrite free space on the phone by creating lots of files with pseudorandom data.

The idea was OK, except that this would be an imperfect solution because of how Android manages app data. I think by default you can't use more than a certain percentage of internal storage before the Android file APIs return a no-free-space error. That meant a portion of the storage would never get overwritten, though how much that matters is up to you.

The app didn't really work and was full of bugs. One of the reasons the app was so terrible was that I tried using Kotlin. I haven't used Kotlin a lot, so I was not familiar with the syntax. Maybe in the future I'll try rewriting the app in Java, or learn more Kotlin. Anyway, there are better options below, so I ended up scrapping this method.

Still, if you are an app developer I would love to see an app that automates the wiping process!

Method 1 - Just wipe

If you have a recent Android phone that is encrypted straight from the factory, just wipe!

If your phone shipped with Android 10, then it must support FBE (file-based encryption).

To see if your phone is encrypted with FBE, check the following props: ro.crypto.state, and ro.crypto.type, which should be set to file.

Method 2 - Encrypt and wipe

If you have a semi-recent Android phone that supports FDE (full-disk encryption) then encrypt and wipe.

To see if your phone is encrypted with FDE, check the following prop: ro.crypto.state.

Method 3 - dd

Original from this Reddit comment

Reading this comment I remembered most Android phones ship with a rudimentary version of Busybox, which includes the dd utility.

Thus, to quickly fill the phone with pseudorandom data, one would simply run:

adb shell
cd /sdcard   # adb shell starts in the read-only root, so move to user storage first
cat /dev/urandom > random_file
rm random_file   # free the space again before the factory reset

Or, if you’re just as paranoid as the above Redditor, you can run multiple passes:

for i in 0 1 2 3 4 5 6 7 8 9; do cat /dev/urandom > $i; rm $i; done

Personally, I don’t really see the benefits of running this multiple times, given that flash memory can wear out, and I haven’t seen any articles about data being recovered from wear-leveling cells.
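As an added example covering Methods 1 to 3 (my own script, not from the post or the Reddit comment), this maps the ro.crypto.state / ro.crypto.type values to the method above and performs the free-space overwrite; the function names, the WIPE_RUN / WIPE_FILL_DIR switches and the size cap used for a safe dry run are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: map the ro.crypto.* props the
# post names to one of its methods, and perform the Method 3 overwrite.
# Names are mine; a POSIX sh plus dd on the phone and adb on the host are assumed.

# Map ro.crypto.state / ro.crypto.type to a scheme: fbe, fde, unencrypted, unknown.
classify_crypto() {
    case "$1" in
        encrypted)
            case "$2" in
                file)  echo fbe ;;
                block) echo fde ;;
                *)     echo unknown ;;
            esac ;;
        unencrypted) echo unencrypted ;;
        *)           echo unknown ;;
    esac
}

# Turn the scheme into the method from this post.
recommend_method() {
    case "$(classify_crypto "$1" "$2")" in
        fbe)         echo "Method 1: factory reset is enough" ;;
        fde)         echo "Method 2: already encrypted, factory reset" ;;
        unencrypted) echo "Method 2 (encrypt first) if FDE is supported, else Method 3" ;;
        *)           echo "Method 3: overwrite free space, then factory reset" ;;
    esac
}

# Method 3 on a writable directory: fill it with random data, sync, delete.
# LIMIT_MB=0 writes until dd hits ENOSPC; a positive value caps the write
# (the self-test uses a cap so it does not fill the host disk).
fill_free_space() {
    dir="$1"; limit_mb="${2:-0}"; f="$dir/.wipe.$$"
    if [ "$limit_mb" -gt 0 ]; then
        dd if=/dev/urandom of="$f" bs=1M count="$limit_mb" 2>/dev/null
    else
        dd if=/dev/urandom of="$f" bs=1M 2>/dev/null || true   # ends when the fs is full
    fi
    sync
    rm -f "$f"
}

# Host side (WIPE_RUN=1 sh wipe.sh): ask a connected phone which method applies.
if [ "${WIPE_RUN:-0}" = 1 ]; then
    recommend_method "$(adb shell getprop ro.crypto.state | tr -d '\r')" \
                     "$(adb shell getprop ro.crypto.type | tr -d '\r')"
fi
# Phone side (after adb push wipe.sh /data/local/tmp/): adb shell WIPE_FILL_DIR=/sdcard sh /data/local/tmp/wipe.sh
if [ -n "${WIPE_FILL_DIR:-}" ]; then fill_free_space "$WIPE_FILL_DIR"; fi
```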

Method 4 - Physical

If you really, really can’t afford to have any data leak (I don’t know, maybe you’re Edward Snowden?), one of my favorite scenes in Mr. Robot has Elliot rip the flash chips from his motherboard and toss them in the microwave. Bad fumes and ridiculousness aside (I mean, sensitive data in the BIOS EEPROM? Seriously…), this will probably make it so that nobody can ever access the data.

A sensible version would be to grab a drill and drill a hole in the flash chip. Refer to iFixit or teardown videos to see where those chips are located.

Alternatively, if you’re a pyromaniac, I heard thermite could be a great phone blaster. Just make sure it’s legal where you are. Remove the battery (burning lithium is very toxic) and go blow that phone.