
Security researchers from Avast found that Android’s factory reset doesn’t completely delete your data. In fact, after purchasing 20 Android devices through eBay (devices that users said were completely wiped), researchers were still able to extract data such as photos, emails, texts, contacts and even the identities of the phones’ previous owners. That doesn’t bode well for anyone looking to sell their device before upgrading.

Smartphones have become an extension of our person, often containing valuable and intimate data, so the news is definitely troubling. The worst part is that Avast researchers didn’t have to do too much in order to access the data; Avast’s mobile division president Jude McColgan said his team used “fairly generic, publicly available” tools. With a little know-how and patience, the person you just sold your S4 to through Craigslist could potentially see your pictures, or even your contacts.

“Although at first glance the phones appeared thoroughly erased, we quickly retrieved a lot of private data,” Avast wrote in a report. “In most cases, we got to the low-level analysis, which helped us recover SMS and chat messages.”

There’s actually an encryption feature built into Android, which makes it significantly harder for hackers to access sensitive information. Encrypting your device essentially locks up your data, and wiping it afterward throws away the key. You can encrypt your Android device by going to Settings > Security and selecting Encrypt Phone.

If you do decide to sell your Android phone in the future, wiping it normally should do the trick for most users. But for an extra level of security, you might want to consider encrypting your device and then wiping it before you hand it off to a complete stranger.