Factory resetting your phone before selling it is not always enough to protect your private data — whether your data is truly gone depends on whether your phone's storage is encrypted and which OS version you're running. On a modern iPhone or a post-2016 Android device, a proper reset effectively destroys the encryption key, making remaining data unreadable. On older Android phones running version 5.x or below, unencrypted data may persist in raw storage sectors and could potentially be recovered with forensic tools.
Part 1. What a Factory Reset Actually Does
A factory reset does not overwrite every byte of your stored data. Instead, it removes the operating system's pointer to your files — the index that tells the system where your photos, messages, and documents live.
The underlying data often remains on the storage chip until new data overwrites those sectors. Think of it like deleting a chapter from a book's table of contents: the chapter text is still there, the index just no longer points to it.
On an encrypted device, this distinction matters less — because even if someone reads the raw storage sectors, the bytes are scrambled cipher text without the encryption key. On an unencrypted device, the raw data may be human-readable with the right software.
💡 Tip: The security of a factory reset is almost entirely determined by whether your phone encrypts data by default. Check your encryption status before you reset.
Part 2. iPhone Security Model — Why iOS Resets Are the Safest
Every iPhone since the iPhone 3GS uses hardware-level encryption via a dedicated chip called the Secure Enclave. Every file on your iPhone is encrypted with a unique key, and that key is itself wrapped by a device-level hardware key stored in the Secure Enclave.
When you perform a factory reset on an iPhone (Settings → General → Transfer or Reset iPhone → Erase All Content and Settings), iOS instructs the Secure Enclave to destroy the hardware key. Without that key, every encrypted file on the device becomes permanently unreadable cipher text — not just hidden, but mathematically irretrievable.
This makes the iPhone the safest consumer device for resale from a data privacy standpoint. iOS does not rely on the OS software to enforce the erase; the key destruction happens at the hardware level, independent of any software exploit.
🗣️ r/iphone user: "No chance. Because Apple data can't be recovered after a factory reset because iPhones encrypt everything by default, and when you reset the device, the encryption key is discarded."
Before resetting an iPhone, always complete these steps first:
- Sign out of your Apple ID (Settings → [Your Name] → Sign Out)
- Disable Find My iPhone
- Confirm Activation Lock is off before handing the device over
Part 3. Android Security Model — Why Version Number Is Everything
Android's encryption story is fragmented, and this is where most guides fail their readers. Android does not have a single uniform security posture — the level of protection you get from a factory reset depends directly on which Android version your device shipped with.
Here is the version breakdown:
| Android Version | Default Encryption | Factory Reset Safety |
|---|---|---|
| Android 5.x (Lollipop) and below | Off by default (opt-in only) | Low — raw data may be recoverable |
| Android 6.0–9.x (Marshmallow–Pie) | Full-disk encryption on most devices | High — key destroyed on reset |
| Android 10+ (Q and above) | File-based encryption (FBE) by default | Very high — per-file key destruction |
| Samsung devices (all modern) | Encrypted + optional Secure Erase | Very high — hardware-backed erase available |
If your Android device is running version 6.0 or later and was sold after mid-2016, it is very likely encrypted by default. When you factory reset such a device, the system discards the encryption master key, and any data remaining on the storage becomes unreadable scrambled bytes.
If your phone is running Android 5.x or was purchased before 2016, the device may not have enabled encryption automatically at setup. In that case, raw data on the internal storage could potentially be read by forensic tools after a standard factory reset.
🗣️ r/privacy user: "A factory reset clears out the key to unlock your data. All the data on your phone was encrypted with this key. Your data is functionally gone."
⚠️ Important: If you are selling an Android phone running version 5.x or below, a standard factory reset is NOT sufficient. You must encrypt the device first before resetting. See Part 4 for the full workflow.
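The check below is an added example, not part of the original guide: it reads the encryption state a connected Android device reports over adb and maps it to the "Factory Reset Safety" column of the table above. It assumes USB debugging is enabled and uses the standard `ro.crypto.state`, `ro.crypto.type` and `ro.build.version.sdk` properties; the function names and verdict strings are hypothetical, and the sample readings are constructed.

```shell
#!/bin/sh
# classify STATE TYPE SDK: print the reset-safety verdict for one device.
#   STATE = ro.crypto.state      (encrypted | unencrypted | unsupported)
#   TYPE  = ro.crypto.type       (file = FBE, block = full-disk)
#   SDK   = ro.build.version.sdk (21-22 = Android 5.x, 23 = 6.0, 29 = 10)
classify() {
    state=$1; ctype=$2; sdk=$3
    case $sdk in
        ''|*[!0-9]*) echo "unknown"; return 0 ;;  # no device / unreadable reply
    esac
    if [ "$state" != "encrypted" ]; then
        echo "encrypt-first"      # reset would only drop the file index (Part 4)
        return 0
    fi
    case $ctype in
        file)  echo "very-high" ;;
        block) echo "high" ;;
        *)     # type not reported: fall back on the version rows of the table
               if [ "$sdk" -ge 29 ]; then echo "very-high"; else echo "high"; fi ;;
    esac
}

# Read one property from the attached device; adb output can end in CR.
prop() { adb shell getprop "$1" 2>/dev/null | tr -d '\r'; }

check_device() {
    command -v adb >/dev/null 2>&1 || { echo "adb not found" >&2; return 2; }
    verdict=$(classify "$(prop ro.crypto.state)" "$(prop ro.crypto.type)" \
                       "$(prop ro.build.version.sdk)")
    echo "Android $(prop ro.build.version.release): $verdict"
    [ "$verdict" = "very-high" ] || [ "$verdict" = "high" ]
}

if [ "${1:-}" = "--device" ]; then
    check_device
else
    # Constructed sample readings (state, type, API level), not real devices.
    while read -r st ty api; do
        printf '%-12s %-6s API %-3s -> %s\n' "$st" "$ty" "$api" \
            "$(classify "$st" "$ty" "$api")"
    done <<'EOF'
unencrypted none 22
encrypted block 26
encrypted file 33
EOF
fi
```

Run it with `--device` against a phone that has USB debugging enabled; a verdict of `encrypt-first` means following the Part 4 workflow before resetting.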
Part 4. The Encrypt-First-Then-Reset Workflow for Older Android Phones
This is the key step that competitor guides consistently omit. If your Android phone predates automatic encryption (Android 5.x and below), manually enabling encryption before the reset is the critical extra step that makes your data unrecoverable.
Step-by-step workflow for older Android devices:
- Charge the battery to 80% or above — encryption can take 30–60 minutes and must not be interrupted
- Enable encryption: Go to Settings → Security → Encrypt Phone (or Encrypt Device)
- Wait for encryption to complete — the phone may restart during this process; do not interrupt it
- Remove your Google account: Settings → Accounts → Google → Remove Account
- Perform a factory reset: Settings → General Management → Reset → Factory Data Reset
- Confirm the reset — the device will wipe and reboot to the setup screen
Once the encryption step is complete, the factory reset destroys the master key. Any data fragments remaining in unallocated storage sectors are now encrypted without a valid key — effectively unreadable.
💡 Tip: After the reset completes, go through the new device setup wizard briefly. This causes the OS to write fresh data over some sectors, further reducing the theoretical (already very low) chance of recovery.
Part 5. Samsung-Specific — Secure Erase Option
Samsung devices running Android 9 and later include a dedicated Secure Erase feature that goes beyond a standard factory reset. This feature is accessible in Samsung's Settings and performs an additional low-level overwrite pass on the internal storage.
To access it on a Samsung device, go to Settings → Biometrics and Security → Secure Folder (or Settings → General Management → Reset → Secure Erase, depending on model and firmware version). The exact path varies across Samsung One UI versions, but the option is labeled "Secure Erase" or "Secure Factory Reset" on supported devices.
Using Samsung's Secure Erase is the recommended path for any Samsung device — it combines encryption key destruction with an additional write pass, giving a higher assurance level than a standard factory reset alone.
Part 6. The SD Card Blind Spot — This Is the Most Common Mistake
Factory reset does not wipe your SD card. This is the single most important and overlooked fact in this entire topic.
When you factory reset any Android phone, the reset process applies only to internal storage and the installed OS. The microSD card slot is left entirely untouched. Every photo, video, document, and WhatsApp media file stored on your SD card remains intact and fully accessible after the reset.
🗣️ r/privacy user: "MicroSD cards are not erased in a hard reset."
⚠️ Important: Always physically remove the SD card before performing a factory reset. Either keep it, or wipe it separately using a PC with dedicated software before including it in the sale.
To wipe an SD card separately:
- On Windows: right-click the card in File Explorer → Format → make sure "Quick Format" is unchecked so that a full format is performed (overwrites data)
- On Mac: use Disk Utility → Erase with the "Security Options" set to at least one-pass overwrite
- With dedicated software: use Eraser (Windows) or Secure Empty Trash equivalents on Mac for verified overwrite
💡 Tip: If you plan to sell the phone with the SD card included, wipe the card separately using a PC before putting it back in the device. Never rely on the phone's factory reset to handle the SD card.
Part 7. Factory Reset Security Summary by Device
| Device Type | Encrypted by Default | Factory Reset Safety | SD Card Wiped? | Recommended Extra Step |
|---|---|---|---|---|
| iPhone (any model) | Yes — hardware (Secure Enclave) | Very high | No | Remove/wipe SD if applicable; sign out of Apple ID |
| Android 10+ | Yes — file-based encryption | Very high | No | Remove SD card; remove Google account first |
| Android 6.0–9.x | Yes — full-disk encryption (most devices) | High | No | Remove SD card; verify encryption is on |
| Android 5.x and below | No — not enabled by default | Low | No | Encrypt first, then reset (see Part 4) |
| Any phone with microSD | n/a | n/a — SD not wiped | No | Wipe SD separately on a PC |
Part 8. Safe Selling Checklist — Complete Before Any Sale
Use this checklist before selling or trading in any smartphone. Work through it in order — the sequence matters.
| Step | iPhone | Android |
|---|---|---|
| 1. Back up your data | iCloud or iTunes backup | Google backup or manual backup |
| 2. Remove the SD card | n/a | Physically remove or wipe separately |
| 3. Deactivate payment apps | Remove cards from Apple Pay | Remove cards from Google Pay |
| 4. Sign out of accounts | Apple ID → Sign Out | Remove Google account from device |
| 5. Disable lock screen protection | Disable Find My | Disable Factory Reset Protection (FRP) |
| 6. Encrypt (if not already) | Always encrypted | Enable if Android 5.x or below |
| 7. Factory reset | Settings → General → Transfer or Reset iPhone → Erase All Content | Settings → General Management → Reset → Factory Data Reset |
| 8. Verify clean state | Confirm setup wizard appears | Confirm setup wizard appears, no accounts listed |
Part 9. How to Verify Your Phone Is Clean Before Handing It Over
After the reset completes and the device restarts to the setup wizard, run through these verification steps before the phone leaves your hands.
Do not sign into any account during the verification — just observe the initial state. Confirm the following:
- The device shows the language/region setup screen with no pre-filled account info
- There are no apps beyond the factory defaults in the app drawer
- No photos, contacts, or files appear in any default apps
- On Android, Settings → Accounts shows no accounts linked
If any personal data appears after the reset, do not hand over the device. Repeat the reset process, and for Android 5.x devices, ensure you completed the encryption step first (Part 4).
💡 Tip: Take a screenshot of the blank setup screen before the new owner powers on the device. This gives you documentation that the device was in a clean factory state at handover.
Part 10. Recover Data from a Phone You Received — or from an SD Card
If you are on the other side of this scenario — you purchased a used device or found an old SD card and need to recover files that were not intentionally wiped — Ritridata can help with SD card recovery on Windows and Mac.
Ritridata is a PC and Mac data recovery tool designed for storage devices including SD cards, USB drives, external hard drives, and internal disks. If an SD card was removed from a device before the factory reset and contains files that were accidentally deleted or are no longer accessible, Ritridata can scan the card and recover those files.
Step 1 — Connect the SD card to your computer and select it as the scan location
Step 2 — Run a safe scan to detect recoverable files
Step 3 — Preview the results and recover files to a separate drive
Note that Ritridata operates on connected storage devices via a PC or Mac. It does not connect directly to a phone over USB for internal memory recovery — this is consistent with how most consumer data recovery software works due to mobile OS access restrictions.
FAQ
Q: Is a factory reset enough before selling my phone?
On a modern iPhone or Android device running version 6.0 or later, a factory reset combined with signing out of your accounts is generally sufficient. On older Android devices (5.x and below) without encryption, a standard factory reset may leave raw data recoverable — you should encrypt the device first.
Q: Can someone recover my photos after I factory reset my phone?
On an encrypted device (all modern iPhones and most Android phones from 2016 onward), this is extremely unlikely with consumer tools. On an unencrypted older Android device, photo data could in some cases be recovered with forensic software — which is why the encrypt-first workflow in Part 4 is important for those devices.
Q: Does factory reset delete everything on Android?
Factory reset deletes all user data on internal storage and resets the OS to its initial state. It does not erase the microSD card, any data stored in linked cloud accounts (Google Drive, iCloud), or in some cases cached credentials on older unencrypted devices.
Q: Does factory reset wipe the SD card?
No. Factory reset does not touch the microSD card under any circumstances. You must remove the SD card and wipe it separately on a PC if it contains personal data you do not want the new owner to access.
Q: How do I know if my Android phone is encrypted?
On Android 6.0 and later, go to Settings → Security → Encryption & Credentials. If the device shows "Encrypted," your data is protected. On older devices, this option may show "Encrypt Phone" as an action button rather than a status — meaning encryption has not been enabled.
Q: Is iPhone safer than Android for resale?
iPhones tend to offer more consistent data security on reset because all models use hardware-level encryption via the Secure Enclave, regardless of iOS version. Android's security depends on the device's age and whether encryption was enabled at setup, making iPhones generally more uniform in this regard.
Q: What about cloud data — does factory reset delete Google or iCloud backups?
No. Factory reset only affects the local device storage. Your Google account backups, iCloud backups, Google Photos, and any synced data remain in your cloud accounts. You need to delete those separately through each service's account settings if you want to remove them.
Q: Should I remove my SIM card before selling my phone?
Yes, always remove your SIM card before selling. Factory reset does not erase the SIM card, and it contains your phone number, carrier settings, and potentially stored contacts depending on the SIM type.
References
- Apple Support — Secure Enclave overview
- Android Authority — It's not enough to just factory reset an Android phone before selling it
- Google Issue Tracker — What Happens Internally During an Android Factory Reset
- Reddit r/privacy — After factory resetting a phone, do I need to data wipe it?
- Reddit r/privacy — Is hard reset safe to sell or buy smartphones?
