How to wipe an Android phone: The paranoid edition

There are two types of people: those who have been hacked and those who haven't been hacked yet. If you want to postpone the inevitable, follow these instructions.

How to wipe an Android phone: The paranoid edition
Credit: Wikipedia

As a naturally paranoid person, I wiped the Moto G4 and G4 Plus that I recently tested before returning them to Motorola. This isn’t the first tutorial about how to wipe an Android phone, but it is the first one written by a paranoid person.

In this tutorial, one more step, critical to safely wiping an Android device has been added. There could be an evil entity extracting personal information from lost, stolen or discarded Android phones or those sold by the unwary on by Craig’s List and Ebay. Maybe not, but I don’t want to find out.  

These wipe instructions correct one flaw in most wipe procedures. Most people use a four-digit numerical PIN to lock their phones. The PIN is also the password used to encrypt the data on a phone. And that is not good enough, at least for paranoid people like me who change their passwords regularly and use two-factor authentication. Cracking a four digit password is easy. It takes just 10,000 guesses, assuming all have to be tried before finding the right one. This guessing exercise takes a half hour or less, depending on the computing resources applied to guessing the password.

Why a factory reset isn’t good enough, even with encrypted data

It will be easy to understand why your data is still vulnerable after a wipe by understanding the steps often recommended to wipe an Android phone:

A simple factory reset leaves data on the device that though erased, can be recovered using apps such as MobiKin Doctor and FonePaw. Security researchers and presumably criminals have proprietary apps that restore erased data easier, faster and more rigorously.

A factory reset of data encrypted with a four-digit pin is vulnerable to recovery because decrypting data takes such little time.

How the paranoid wipe their Android devices

android backup and reset Steven Max Patterson

The first thing you want to do is reset the device

First reset the device. Go to settings, select backup and reset. Confirm that you want to erase all your data.

After the Android device returns to the setup screen, used when the phone was first put into use, go through the setup process, eliminating unnecessary actions such as adding email accounts and recovering apps from Google’s backups to save time.

When the setup dialog asks to choose a screen lock, select the password option. This is the most important part of securely wiping the Android device. Use a site such Norton’s Identity Safe to generate a 16-character password. The password generated will look something like this Nc]Q)r%{+4sh9BER. Print the password so no mistake is made later in the process of wiping the device.

The reason for generating a long and complex password is it increases the amount of time to guess the four-digit PIN from less than a half-hour to over one hundred years.

android encrypt phone Steven Max Patterson

Use a long complex password for your lock screen

The password generated isn’t memorable like your significant other’s name and birth date. The numbers, special characters and uppercase and lowercase letters will have to be entered exactly the first time and exactly a second time to confirm that it has been entered correctly when setting the device’s password.

Next, make sure the device is plugged into a power source. Return to the settings menu. If your screen locked, carefully enter the password again. Select Security from the settings menu, then select encrypt phone, and enter the password again, carefully.  Select encrypt. This will re-encrypt the storage with the new, long hard-to-guess password. This can take up to an hour.

The last step is to return to the settings menu, select Backup & reset, then select Factory data reset, and for the last time, enter the long password.

Now the phone is ready to be returned to the manufacturer, discarded, sold or given away.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Must read: 10 new UI features coming to Windows 10