Selling Your iPhone? Here Is What Factory Reset Leaves Behind

TL;DR

Factory reset on an iPhone marks storage blocks as available but does not overwrite them. Deleted photos, messages, and files remain recoverable from NAND flash until the controller reclaims those blocks — a process forensic tools can trigger. iCloud Photos keeps a full copy on Apple's servers even after you erase the device. AppVault's File Shredder overwrites vault files with multiple write passes before deletion, and the pre-sale checklist below covers every step before you hand the phone to a buyer, a trade-in program, or a family member.

What Factory Reset Actually Does

Tap “Erase All Content and Settings” and iOS does two things: it destroys the file system encryption keys and it marks every storage block as available for reuse. The data itself — the ciphertext sitting in NAND flash — stays put until the storage controller writes new data over it.

On iOS 15 and later, Apple redesigned the key hierarchy so that destroying the file system key renders the ciphertext practically unrecoverable without that key. This is a meaningful improvement. But “practically unrecoverable” is not “physically gone.” The blocks still hold the old data. A forensic tool with raw NAND access — the kind used by law enforcement and data recovery labs — can read those blocks directly, bypassing the file system entirely.

On iOS 14 and earlier, the situation is worse. The encryption key hierarchy was less granular, and discarding the file system key left more of the underlying data accessible. Devices that shipped with or ran iOS 14 at any point in their lifecycle may have residual data in blocks that were never re-encrypted under the newer scheme.

The takeaway: factory reset is a logical erase, not a physical one. It tells the operating system the blocks are empty. It does not write zeros or random data over the old content.

What Survives in the Recently Deleted Album

The Photos app does not delete images when you tap the trash icon. It moves them to the Recently Deleted album, where they sit for 30 days. During that window, the files are fully intact — same resolution, same metadata, same location tags. The user can recover them with one tap.

Factory reset does not clear this album. The 30-day timer is tied to the file system metadata, and when the reset destroys the keys, the album’s contents become inaccessible to the Photos app — but the underlying data remains in NAND blocks. If the device ran iOS 14 or earlier, that data is recoverable with forensic tools.

Before selling or trading in an iPhone, empty the Recently Deleted album manually. Open Photos, go to Albums, tap Recently Deleted, select all, and delete. Then proceed with the rest of the checklist below.

iCloud Photos Lives on Apple’s Servers

Erasing an iPhone removes the local copy of every photo. It does nothing to the iCloud Photos library. That library lives on Apple’s servers, tied to the Apple ID, and it will sync to any new device signed into the same account.

This creates two problems for someone selling an iPhone.

First, if the seller forgets to sign out of iCloud before erasing, Activation Lock stays active. The new owner cannot set up the phone. The seller has to go to appleid.apple.com, sign in, and manually remove the device from the account. This is a support headache, not a data leak — but it delays the sale.

Second, if the seller wants the iCloud Photos library gone, that is a separate action. Signing out of iCloud stops the sync. Deleting the library requires visiting iCloud.com or another device signed into the same Apple ID and removing the photos there. The erase-all step on the iPhone does neither of these things.

NAND Flash and Forensic Recovery

Every iPhone stores data on NAND flash chips. NAND flash works in pages (typically 4 KB) and blocks (typically 256 pages). Writes happen at the page level. Erases happen at the block level. When iOS deletes a file, it marks the pages as invalid but does not erase the block. The block stays dirty — full of old data — until the flash controller’s garbage collection process reclaims it.

Forensic tools exploit this. Chip-off forensics involves desoldering the NAND chip and reading it directly with a programmer. This bypasses the iOS file system entirely. The tool reads every block, valid or not, and reconstructs files from the raw data. This technique works on any iPhone regardless of iOS version, as long as the blocks have not been overwritten.

Logical extraction tools like Cellebrite UFED and GrayKey operate at a higher level — they communicate with the iOS file system through the device’s debug interface. On iOS 14 and earlier, these tools can recover deleted photos, messages, and app data from unused blocks. On iOS 15 and later, the redesigned key hierarchy makes this harder, but not impossible if the device is unlocked or the tool can exploit a vulnerability.

The only defense against both chip-off and logical extraction is physical overwrite. Write new data over the old blocks so that the original content is gone at the hardware level.

What AppVault’s File Shredder Does

AppVault’s File Shredder overwrites vault files with multiple write passes before deleting them. The process targets the encrypted ciphertext stored in the app’s sandbox — the AES-256-GCM encrypted files that AppVault stores on behalf of the user.

Here is the sequence. The user selects files for shredding. AppVault opens each file and writes random data over its full length, repeating the write across multiple passes. Then it deletes the file through the standard iOS file system call. The result: the NAND blocks that held the original ciphertext now hold random data. Even if a forensic tool reads those blocks, it finds the overwrite passes, not the original encrypted content.

This does not protect files outside the app’s sandbox. Photos in the Camera Roll, messages in the Messages app, data in other apps — those are outside AppVault’s control. The File Shredder is designed for the vault’s own files: the photos and documents the user imported into AppVault for encrypted storage.

For a full-device overwrite, the user still needs to perform the factory reset. The File Shredder closes the gap for the specific files that matter most — the ones the user moved into the vault precisely because they did not want them recoverable.

The Pre-Sale Checklist

Follow this checklist in order before handing the iPhone to a buyer, a trade-in program, or a family member.

1. Empty the Recently Deleted album. Open Photos, go to Albums, tap Recently Deleted, select all, delete. This removes the 30-day recoverable window for photos in the Camera Roll.

2. Sign out of iCloud. Settings → [your name] → Sign Out. Enter the Apple ID password, choose to keep or remove local data (it does not matter — you are about to erase everything). This deactivates Activation Lock.

3. Sign out of iMessage. Settings → Messages → Send & Receive → tap the Apple ID → Sign Out. This prevents the new owner from receiving messages addressed to your phone number.

4. Remove the device from your Apple ID. Visit appleid.apple.com, sign in, go to Devices, select the iPhone, and remove it. This is a backup step in case the on-device sign-out did not complete.

5. Run AppVault’s File Shredder. Open AppVault, select all vault files, run the File Shredder. This overwrites the encrypted vault data with random bytes before deletion. If you use the Decoy Vault, shred the decoy files as well — the decoy vault is mathematically independent, and its files occupy separate blocks.

6. Erase all content and settings. Settings → General → Transfer or Reset iPhone → Erase All Content and Settings. Enter the passcode, confirm the erase. iOS will destroy the file system keys and reboot to the setup screen.

7. Verify the setup screen. After the erase, the iPhone should display the “Hello” setup screen in multiple language options. If it asks for an Apple ID and password, Activation Lock is still active — go back to step 2.

8. Remove the SIM card. If the iPhone uses a physical SIM, eject it. If it uses eSIM, the erase process should remove the eSIM profile, but verify in Settings → Cellular that no plans remain.

What This Does Not Protect Against

AppVault’s File Shredder overwrites files inside the app’s sandbox. It does not overwrite the Camera Roll, the Messages database, the Mail cache, or data from other apps. For those, the factory reset is the only tool — and as explained above, factory reset is a logical erase, not a physical one.

If the iPhone ran iOS 14 or earlier, residual data from the Camera Roll and Messages may survive in NAND blocks even after the erase. The risk is highest on devices that were never updated to iOS 15, or that spent significant time on iOS 14 before upgrading.

iCloud data is a separate threat model. If the seller’s photos synced to iCloud, those photos exist on Apple’s servers regardless of what happens to the device. The seller must delete the iCloud Photos library separately, or the photos will persist in the cloud and sync to the next device signed into the same Apple ID.

AppVault does not make network calls by default. It has no cloud sync, no account, no telemetry. The zero-knowledge architecture means AppVault cannot see the user’s files, and it cannot leak them. But this also means AppVault cannot delete files from iCloud or from other apps on the device. The scope is the vault’s own sandbox.

How This Differs from the How-To Guide

The companion guide at /guides/wipe-photos-before-selling-iphone/ walks through the same steps as a linear tutorial — open this menu, tap that button, confirm the deletion. It is written for users who want instructions they can follow on the phone.

This page is written for users who want to understand the problem before they act. Why factory reset is insufficient. What NAND flash does with deleted data. What iCloud keeps on its servers. The checklist above is the same sequence, but the context here is the threat model, not the tap path.

If you are ready to act, the checklist is complete. If you want to understand why each step matters, the sections above explain the mechanism.

Why AppVault for This Use Case

AppVault stores files with AES-256-GCM encryption — unique 96-bit nonce per file, PBKDF2-SHA256 key derivation at 600,000 iterations, hardware-bound through the iPhone Secure Enclave. The vault catalog itself is encrypted, so an attacker with raw NAND access cannot even determine how many files exist.

The Calculator Launcher gives the app a fully functional iOS calculator interface with a long-press equals-key shortcut to the vault. The Decoy Vault provides a second 5×5 pattern that opens a separate, mathematically independent catalog. Both features are designed for the scenarios this page addresses: handing a device to someone who may scroll through the app library, or selling a phone to a buyer who may probe its contents.

The File Shredder is the feature that closes the gap factory reset leaves behind. Overwrite the vault files, then erase the device. The buyer gets a clean iPhone. The seller gets certainty that the vault’s contents are gone at the hardware level.

For a feature-by-feature comparison with other vault apps, see AppVault vs Keepsafe and AppVault vs Vaultaire.

Sources

• NIST SP 800-88 Rev. 1: Guidelines for Media Sanitization
• Apple Platform Security guide: Data protection overview
• Apple Support: What to do before you sell, give away, or trade in your iPhone
• NIST FIPS 197: Advanced Encryption Standard