You’re about to hand your old phone to a buyer, a family member, or a recycling kiosk, and one nagging question stops you cold: does a factory reset delete everything, or is some stranger going to scroll through your photos next week? Here’s the honest answer that most listicles bury: on any modern, encrypted phone, a factory reset is genuinely a secure wipe — but “everything” is doing a lot of heavy lifting in that question. The reset nukes what’s stored on the device. It does not touch your cloud, it does not always release the digital handcuffs that lock the phone to your account, and it flat-out ignores anything on a memory card. That gap between “the phone is wiped” and “your data is safe” is exactly where people get burned.
- On a modern encrypted phone, a factory reset works by destroying the encryption key — so your leftover data becomes mathematically unreadable noise, not something a thief can just “undelete.”
- The “factory reset doesn’t really delete anything” scare is a leftover from pre-2015 unencrypted phones and old spinning-disk PCs; it does not describe the iPhone or Android in your pocket today.
- A reset does NOT sign you out of iCloud or Google, does NOT remove Activation Lock or Factory Reset Protection, and does NOT wipe a microSD card — those all survive and can brick the phone for a buyer or leave data behind.
- iPhones crypto-erase instantly and reliably; older or budget Androids are the only devices where a reset might leave recoverable data, and only if encryption was never on.
- Before you sell, the order matters: back up, sign out of every account, pull the SIM and SD card, then reset — and confirm it boots to the setup screen.
- What a Factory Reset Actually Does Under the Hood
- What a Factory Reset Deletes and the Things It Quietly Leaves Behind
- Can Someone Recover Your Data After a Factory Reset?
- iPhone vs Android and Whether They Wipe the Same Way
- Should You Factory Reset Your Phone Before Selling It? A Security-First Checklist
- The Bottom Line on Factory Resets and Your Data
- Frequently Asked Questions
What a Factory Reset Actually Does Under the Hood
Most people picture a factory reset as a tiny robot arm scrubbing every bit of storage clean, one by one. That’s not what happens, and understanding the real mechanism is the whole ballgame here.
Every iPhone since 2014 and effectively every mainstream Android since 2015 encrypts your data by default. The moment a photo or text hits the storage chip, it’s already scrambled with a hardware-bound AES key you never see. When you tap “Erase All Content and Settings,” the phone doesn’t laboriously overwrite 128 gigabytes of files — it throws away that one encryption key. This is called crypto-erase, or cryptographic erasure, and it’s the reason a reset finishes in seconds instead of hours. Kill the key, and the billions of encrypted bits still sitting on the chip turn into useless static. There is no “undelete” for data you can’t decrypt.
This isn’t a marketing shortcut, either. The U.S. National Institute of Standards and Technology (NIST) formally recognizes cryptographic erasure as a legitimate media-sanitization method in Special Publication 800-88, the government’s own guideline for securely retiring storage. When the standard that federal agencies use to decommission drives says “destroying the key counts as erasing the data,” you can stop worrying that a corner store phone-flipper is going to resurrect your bank app.
What a Factory Reset Deletes and the Things It Quietly Leaves Behind

So the on-device wipe is solid. The trouble is that people assume a factory reset resets your entire digital life, and it absolutely does not. It’s a local operation with a very specific blast radius. Here’s what slips right past it — and each of these has bitten real sellers.
Your Cloud Accounts and Their Backups
Wiping the handset does nothing to the copies living on Apple’s or Google’s servers. Your photos, contacts, and messages are still sitting in iCloud or Google One, fully intact, tied to an account you’re still logged into. That’s usually a good thing — it’s how your stuff reappears on your next phone. But if you’re offloading a device because you’re worried about privacy, remember the reset only cleared the local mirror. The master copy in the cloud is untouched and stays exactly where it was.
Activation Lock and Factory Reset Protection
This is the one that turns a resale into a nightmare. Both Apple’s Activation Lock and Android’s Factory Reset Protection (FRP) are anti-theft features that survive a factory reset on purpose. If you wipe the phone without first signing out of your account, the device boots back up and demands your Apple ID or Google password before anyone can set it up. You’ve handed the buyer an expensive paperweight, and you’re now fielding angry messages to remote-unlock it.
microSD Cards and External Storage
A factory reset wipes the phone’s internal storage. It does not, in the standard configuration, wipe a microSD card, and on most Androids that card was never encrypted in the first place. Photos, downloads, and app data written to removable storage sit there in plain, recoverable form after the reset finishes.
Your SIM, eSIM, and Carrier Details
The physical SIM card is its own little storage chip — on many phones it still holds contacts and can carry SMS data, and it identifies your line to the carrier. A factory reset doesn’t eject it. If your phone uses an eSIM instead of a physical SIM, the digital profile can linger after a reset too, which is why carriers ask you to delete or transfer the eSIM before you pass the device on.
Logged-In Apps and Security Tokens
Here’s a subtle one. The reset clears app data locally, but the sessions and secrets those apps represent live elsewhere. Your two-factor authenticator seeds, if not backed up, are simply gone (locking you out of your own accounts). Meanwhile streaming, banking, and social apps may still count that device as “trusted” on the server side until you actively deauthorize it. A wipe is not the same as logging out everywhere.
Can Someone Recover Your Data After a Factory Reset?
Now for the question that launched a thousand panicky Reddit threads. The short version: on an encrypted device, no — and that’s not optimism, it’s cryptography. Recovering crypto-erased data means recovering the deleted key, and the key is gone from the secure hardware that held it. Forensic recovery tools can pull “deleted” files off storage all day long, but every one of those files is still encrypted with a key that no longer exists.
So where did the myth come from? It’s real history, just outdated. Back in 2014, security firm Avast bought 20 used Android phones off eBay and recovered more than 40,000 photos, along with emails and texts, from devices their previous owners believed were wiped. A year later, University of Cambridge researchers Laurent Simon and Ross Anderson showed that the factory reset on older Android versions (roughly 2.3 through 4.3) failed to fully sanitize storage on an estimated 500 million devices. Those findings were legitimate and alarming — but they describe phones from the pre-encryption era, where “reset” meant deleting file pointers rather than destroying a key. That’s the origin of the fear, and it’s precisely the flaw that default encryption closed.
For anyone genuinely curious about how investigators pull data off devices in the lab, our deep dive on mobile device forensics walks through the tools and their very real limits against modern encryption.
iPhone vs Android and Whether They Wipe the Same Way
They land in the same place, but they don’t get there identically, and the differences matter if you own both.
On iPhone, hardware encryption has been standard since the iPhone 3GS in 2009, and since the Secure Enclave arrived with the iPhone 5S in 2013 those encryption keys have lived in dedicated, tamper-resistant hardware. “Erase All Content and Settings” tells the Secure Enclave to obliterate the key stored in dedicated “effaceable storage,” which is why an iPhone wipe is both instant and, frankly, bulletproof. Apple documents this behavior openly in its Platform Security guide. There is essentially no consumer scenario where a properly erased modern iPhone gives up its data.
Android gets to the same crypto-erase outcome, but the road is bumpier because Android is not one device — it’s thousands. Google made full-device encryption the default in Android 6 (2015) and moved to more granular file-based encryption in Android 10. On a Pixel, Samsung, or any recent mainstream handset, a factory reset crypto-erases exactly like an iPhone. The asterisk is the long tail: ancient budget handsets, obscure off-brand tablets, or devices where someone disabled encryption are the only places the old “recoverable after reset” problem can still theoretically live. For 99% of phones sold in the last several years, the answer is the same on both platforms — the data is gone.
Should You Factory Reset Your Phone Before Selling It? A Security-First Checklist
Yes — but a bare reset isn’t the finish line, it’s step five. Do these in order and you close every gap we’ve covered: the local wipe, the account handcuffs, and the physical media a reset ignores.
Step 1 — Back Up Everything You Want to Keep
Before you erase, make a full backup to iCloud, Google, or a computer, and confirm it actually completed. Crypto-erase is permanent — there’s no “oops” recovery afterward. If you’re moving to a new device, this is also the moment to transfer your data cleanly so nothing important rides off with the old phone.
Step 2 — Sign Out of Every Account and Kill the Activation Lock
This is the step that saves you from bricking the phone for the next owner. On iPhone, turn off Find My iPhone and sign out of your Apple ID. On Android, remove your Google account so Factory Reset Protection doesn’t lock the buyer out. Do this before the reset, not after.
Step 3 — Remove the SIM and the microSD Card
Physically eject the SIM (or delete the eSIM profile through your carrier) and pull any memory card. Remember, the reset never touches these, and the card is very likely unencrypted. Two seconds with a paperclip closes a real data leak.
Step 4 — Deauthorize Your Sensitive Apps
Log out of banking, streaming, and social accounts, and move your two-factor authenticator seeds to your new device first. This unlinks the phone from services that still trust it server-side and prevents you from locking yourself out of your own 2FA.
Step 5 — Run the Factory Reset and Verify It
Now erase the device. When it reboots, it should land straight on the language/”Hello” setup screen with no request for your old account credentials.
While you’re locking down your privacy, it’s also worth removing yourself from data broker sites, because the phone was never the only place your personal information lived.
The Bottom Line on Factory Resets and Your Data
Strip away the scare-tactic headlines and the answer is refreshingly clear. On the phone you actually own today, a factory reset does delete everything that matters locally, and it does so with cryptography strong enough to satisfy federal sanitization standards. The reset isn’t the weak link. You are — or rather, the accounts, locks, and memory cards you forget to handle are. Treat the reset as the last step in a short checklist rather than a magic “make my data disappear” button, and you can sell, gift, or recycle any device with total confidence.
Frequently Asked Questions
Does a factory reset delete everything on my phone permanently?
On any modern encrypted phone, yes — the on-device data is permanently and irreversibly gone, because the reset destroys the encryption key that made your files readable. What it does not delete is anything stored outside the phone: your iCloud or Google cloud backups, and any files on a microSD card. Those survive the reset completely.
Can data be recovered after a factory reset?
Not from an encrypted device, which is every mainstream phone made in roughly the last decade. Recovery would require the deleted encryption key, and that key is wiped from secure hardware. Data recovery is only realistic on very old, unencrypted phones or storage where encryption was manually turned off — the exact scenario behind those “recovered 40,000 photos” news stories from 2014.
Does a factory reset remove the Google account or Apple ID?
No, and this trips people up constantly. A factory reset does not sign you out of your Google or Apple account, and it does not remove Factory Reset Protection or Activation Lock. If you don’t manually sign out before wiping, the phone will demand your old password on setup and be unusable for the buyer. Always remove the account first.
Should I factory reset my phone before selling it?
Yes, but do it as the final step after backing up, signing out of all accounts, removing the SIM and SD card, and deauthorizing sensitive apps. A reset alone leaves your cloud accounts logged in and can lock the device to you via anti-theft features. The full checklist — not just the reset — is what makes a resale safe.
Does a factory reset delete everything on an SD card too?
Usually no. A standard factory reset wipes only the phone’s internal storage and ignores a removable microSD card, which on most Androids isn’t even encrypted. The only exception is Android’s “adoptable storage” mode, where the card is treated as encrypted internal storage. Unless you deliberately set that up, physically remove the card before parting with the phone.