TL;DR
- A factory reset alone may not permanently erase data on older or unencrypted devices; encryption is the critical additional safeguard.
- Modern iPhones (with Secure Enclave) and Android phones running Android 6.0+ (with file-based encryption enabled) are significantly harder to recover data from after a correct wipe.
- Always remove the SIM card and any microSD card before recycling — these are not cleared by a device reset.
- Sign out of all accounts (Apple ID, Google account, banking apps) and remove the device from your account list before wiping.
- The ICO recommends encryption before disposal as part of data security obligations for organisations, and the same principle applies to individuals protecting personal data.
What data is at risk on a recycled phone
A smartphone in daily use accumulates a substantial quantity of sensitive material. Beyond obvious items such as photos and messages, the device typically holds cached banking app credentials, saved passwords in browsers, session tokens for email and social media accounts, health data from fitness apps, two-factor authentication records, and contact details for employers, family members, and financial institutions. Many of these categories attract protection under UK GDPR and the Data Protection Act 2018, not only when held by organisations but as a matter of practical personal safety.
The risk is not merely theoretical. Consumer electronics refurbishment businesses and academic researchers have repeatedly demonstrated that improperly wiped handsets can yield recoverable data — particularly on older Android devices where full-disk encryption was optional or disabled by default. A phone handed to a recycler or sold on a second-hand platform without proper preparation can expose its former owner to identity theft, account compromise, or exposure of private communications.
What a factory reset does and does not do
A factory reset instructs the operating system to erase user data partitions and restore default settings. On a device that uses full-disk or file-based encryption — which covers all iPhones since the 3GS and all Android devices meeting Google's mandatory encryption requirements (enforced from Android 6.0 Marshmallow for new devices, with wider rollout from Android 10) — the reset discards the encryption keys, making the underlying data cryptographically unreadable even if the flash storage chips are later read directly.
On older Android devices where encryption was never enabled, a factory reset may overwrite the file system index but leave the underlying data blocks physically intact. Specialist recovery tools — forensic software of the type used in law enforcement — can reconstruct files from such blocks. This is the core reason why enabling encryption before a reset matters, particularly on devices manufactured before 2018.
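The difference between the two cases above, shown as an added example that is not part of the original article: a toy flash model in which a factory reset clears the file index and discards the key but never overwrites the data blocks. `ToyFlash`, `xor_stream` and the sample note are constructed for illustration, and the SHA-256 keystream is a stand-in for the device's hardware AES, not a real cipher design.

```python
import hashlib
import os

BLOCK = 64  # constructed block size for this toy flash model

def xor_stream(key: bytes, block_no: int, data: bytes) -> bytes:
    """Toy cipher (SHA-256 keystream), a stand-in for the device's AES engine."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        seed = key + block_no.to_bytes(8, "big") + counter.to_bytes(4, "big")
        stream += hashlib.sha256(seed).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

class ToyFlash:
    def __init__(self, encrypted: bool):
        self.key = os.urandom(32) if encrypted else None
        self.blocks = []  # raw storage, what a chip-level read would return
        self.index = {}   # file name -> block numbers (the file system index)

    def write(self, name: str, data: bytes) -> None:
        self.index[name] = []
        for off in range(0, len(data), BLOCK):
            n, chunk = len(self.blocks), data[off:off + BLOCK]
            self.blocks.append(xor_stream(self.key, n, chunk) if self.key else chunk)
            self.index[name].append(n)

    def read(self, name: str) -> bytes:
        parts = [(n, self.blocks[n]) for n in self.index[name]]
        return b"".join(xor_stream(self.key, n, c) if self.key else c for n, c in parts)

    def factory_reset(self) -> None:
        """Drop the index and the key; the data blocks are NOT overwritten."""
        self.index.clear()
        self.key = None

    def raw_dump(self) -> bytes:
        return b"".join(self.blocks)

def marker_survives_reset(encrypted: bool, marker: bytes = b"constructed-secret") -> bool:
    flash = ToyFlash(encrypted)
    flash.write("notes.txt", b"PIN reminder: " + marker + b" (constructed sample data)")
    assert marker in flash.read("notes.txt")  # normal use works before the reset
    flash.factory_reset()
    return marker in flash.raw_dump()  # is plaintext still visible in raw storage?

if __name__ == "__main__":
    print({enc: marker_survives_reset(enc) for enc in (False, True)})
```

In both runs the blocks are still physically present after the reset; only in the encrypted store are they unreadable, because the key that would decrypt them no longer exists.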
How to securely wipe an iPhone before recycling
Apple's recommended procedure for iPhones running iOS 15 or later combines two critical steps. First, disable Find My iPhone via Settings > [your name] > Find My, which deactivates Activation Lock and enables the next owner to set up the device. Second, go to Settings > General > Transfer or Reset iPhone > Erase All Content and Settings. On modern iPhones with a Secure Enclave processor (iPhone 5s and later), this operation destroys the device's unique encryption keys, rendering all stored data cryptographically inaccessible. There is no additional encryption step required on these models because hardware encryption is always on.
Before running the erase, sign out of Apple ID, iCloud, iMessage, and FaceTime. Remove any Apple Pay cards via Wallet settings. If you use a third-party password manager app, revoke the device's access from within the app's account settings online. Remove physical SIM cards and check whether the device uses an eSIM that needs to be separately deleted via Settings > Mobile Data > [your plan] > Delete eSIM.
How to securely wipe an Android phone before recycling
The Android procedure varies slightly by manufacturer skin (Samsung One UI, Pixel's stock Android, etc.) but the underlying steps are consistent. On Android 9 and above, file-based encryption is always enabled, so a factory reset via Settings > General Management (or System) > Reset > Factory Data Reset is sufficient to destroy the encryption keys and render data unrecoverable under normal circumstances. For devices running Android 5 or 6 where encryption may not have been enabled, navigate to Settings > Security > Encrypt Device and run a full encryption pass before the reset.
Before resetting, sign out of your Google account under Settings > Accounts, revoke the device in your Google account security page (myaccount.google.com > Security > Your Devices), and remove it from any Samsung, Xiaomi, or manufacturer account as applicable. Revoke access for banking apps, as many retain device-level trust tokens that persist in the app's remote account record until manually removed. Physically remove the SIM and any microSD card.
| Step | iPhone | Android (6.0+) | Why it matters |
|---|---|---|---|
| Remove SIM / microSD | Remove physical SIM; delete eSIM in Settings if present | Remove physical SIM and microSD card | Not cleared by factory reset |
| Sign out of accounts | Sign out of Apple ID, iCloud, iMessage, FaceTime | Remove Google account; sign out of manufacturer account | Prevents Activation/FRP lock; removes device from account |
| Revoke banking apps | Remove device trust in each banking app's online settings | Remove device trust in each banking app's online settings | Prevents residual access tokens |
| Encrypt device (older Android only) | N/A — hardware encryption always active | Settings > Security > Encrypt Device (Android 5–6 only) | Makes post-reset recovery cryptographically impossible |
| Factory reset | Settings > General > Transfer or Reset iPhone > Erase All | Settings > System > Reset > Factory Data Reset | Destroys encryption keys; wipes partitions |
| Verify Find My / FRP disabled | Confirm Activation Lock off at appleid.apple.com | Confirm Factory Reset Protection cleared via Google account | Allows new owner to set up device |
The role of device encryption
Encryption converts stored data into ciphertext using a key derived partly from the user's passcode and partly from hardware-unique identifiers. On Apple devices, the Secure Enclave processor manages this key material in hardware isolation; it cannot be extracted by software and is destroyed on a valid erase command. On Android, file-based encryption (FBE), standard since Android 10 and mandatory for all Treble-compliant devices, operates on a per-file key system, making selective recovery significantly harder than older full-disk encryption methods.
The practical implication is that a correctly wiped modern smartphone — manufactured from roughly 2018 onwards on either platform — provides a high level of assurance that personal data cannot be recovered through commonly available tools. For pre-2016 Android devices, encryption should be treated as a mandatory prerequisite to disposal, not an optional step. The ICO's guidance on secure disposal of IT equipment recommends encryption as a control measure for all portable devices holding personal data, aligning with the requirements of UK GDPR Article 5(1)(f) on integrity and confidentiality.
What this means in practice
James, a freelance accountant in Manchester, decides to trade in his four-year-old Samsung Galaxy for a newer model. He backs up photos to Google Photos, then goes to Settings > Accounts and removes his Google account. He visits myaccount.google.com on a laptop, confirms the device is removed from his account, then revokes device access in his bank's mobile app settings online. He removes the physical SIM and microSD card. Because the handset runs Android 10 with file-based encryption always on, he proceeds directly to Settings > General Management > Reset > Factory Data Reset and confirms the wipe. The phone powers off, restores to factory state, and the trade-in proceeds. Had he simply boxed the phone and posted it, the incoming engineer could potentially have accessed his files, banking session, and contact list.
How we verified this
This article draws on ICO guidance on secure disposal of IT equipment and UK GDPR Article 5(1)(f), Apple's published support documentation on erasing iPhone, Google's Android security documentation on file-based encryption and Factory Reset Protection, and Ofcom consumer guidance on recycling and reselling mobile phones. No manufacturer-specific marketing claims are reproduced.
Disclaimer: Kaeltripton.com is an independent UK editorial publisher. We are not regulated by Ofcom or the FCA and we do not sell or arrange mobile services, insurance, or financial products. This content is for general information only and is not legal, financial, or technical advice. Rules, prices, and operator policies change. Verify the current position with Ofcom, GOV.UK, the ICO, or your provider before acting. ICO registered ZC135439. Last reviewed: 2026-06-05.
Frequently Asked Questions
Is a factory reset enough before recycling a phone?
On a modern smartphone with hardware or file-based encryption always active — iPhones from 2013 onwards and Android devices from Android 6.0 onwards where encryption was enforced — a factory reset destroys the encryption keys, making data cryptographically unrecoverable. On older Android devices where encryption was not enabled, a reset alone is insufficient; encrypt the device first, then reset.
How do I securely wipe an iPhone before recycling?
Sign out of Apple ID via Settings > [your name] > Sign Out, which disables Find My iPhone and Activation Lock. Then go to Settings > General > Transfer or Reset iPhone > Erase All Content and Settings. Remove the physical SIM card and delete any eSIM under Mobile Data settings. Confirm the device no longer appears at appleid.apple.com before handing it over.
How do I securely wipe an Android phone before recycling?
Remove your Google account under Settings > Accounts, then revoke the device in myaccount.google.com > Security > Your Devices. Remove the SIM and microSD card. On Android 10+ with file-based encryption, proceed to Settings > System > Reset > Factory Data Reset. On Android 5 or 6, go to Settings > Security > Encrypt Device first, then run the factory reset.
What data can someone recover from a recycled phone?
On an unencrypted or improperly wiped older Android device, forensic tools can potentially recover photos, messages, cached credentials, and contact data from flash storage. On a correctly wiped modern encrypted device, recovery of meaningful data is not practically achievable with commercially available tools, because the encryption keys have been destroyed and the ciphertext is computationally useless without them.
Should I remove the SIM and SD card before recycling?
Yes, always. A factory reset does not clear the SIM card or microSD card — these must be physically removed before the device is recycled or resold. Your SIM contains your phone number and may hold contacts; your microSD card can hold photos, documents, and cached data. Remove both, keep the SIM for use in a new device, and securely dispose of or reformat the memory card separately.