The downside of allowing staff and partners to use their own Android devices on an organization’s network isn’t just the wide range of vulnerabilities they bring in. There’s also the problem of what to do when device owners want to get rid of older handsets or tablets.

Resetting or wiping the device is usually the strategy, either by the owner or the organization if the device is linked to a mobile management platform. But two University of Cambridge  researchers have released a pair of papers warning a factory reset may not be enough to sanitize a device.

In one test, Laurent Simon and Ross Anderson bought 21 used handsets running versions of Android up to 4.3  from U.K. phone recyclers and on eBay and found they could recover Google credentials on all devices, meaning they could have logged on to the previous owner’s Gmail account. “Conversations” (SMSes, emails, and/or chats from messaging apps) in all devices were recovered. In addition, the internal memory where data is stored wasn’t entirely cleaned.

The other test involved 10 anti-virus solutions that promise remote locking and wiping. Unfortunately, they found third party remote locks may be unreliable due to poor implementation practices, Android API limitations and vendor customizations. Nor do they improve on factory resets.

Android 4.0 and up devices include full disk encryption, but it has to be enabled before first use. Not all devices support encryption on the data portion of the internal memory. And to make it worthwhile users have to enable stronger passwords than six numbers. Overwriting the entire partition “bit-by-bit” once did provide logical sanitisation for all devices and all partitions they studied, but it requires privileged (root) access and will be beyond most users.

The researchers have a number of recommendations, but they are aimed at vendors. One is that factory resets should erase the entire internal memory partition, not only the part explicitly used by the file system. This reduces the chance of unfortunate surprises due to internal memory wear-levelling block management and deletion implementation problems.

Meanwhile, what should CISOs and device owners do? Seems to me that in the absence of a fool-proof solution when disposing of any device owners should change passwords to sensitive sites it has accessed, such as email, banking, corporate and social media. That way gaining the credentials won’t lead to access. Never used the handset to access a bank, Facebook or LinkedIn? Don’t worry about it.

As for sensitive images, none of us uses a smart phone to take those, do we?