Using the "factory reset" option to wipe Android phones may leave behind valuable data, warn security experts.
The reset function may also fall short when used to remotely wipe a phone that has been lost or stolen, report Cambridge University researchers.
For their analysis the researchers bought used Android phones to see what sort of data remained on the handsets.
In some cases they retrieved key files that let them access a former owner's Gmail account.
The study of 21 phones, running Android versions 2.3 to 4.3, was carried out by Prof Ross Anderson and Laurent Simon from the University of Cambridge computer science department.
The flaws they found could mean that up to 500 million Android devices might be at risk of leaving data available to attackers after being reset, the researchers warned in a blogpost.