Up until a couple of days ago I never knew that we were going to need to protect our resold phones from Avast (an antivirus/antimalware company), but after its most recent publicity stunt, we know that even though you thought you deleted all the data on your Android phone, most likely it really isn’t all gone and companies like Avast can recover it and call you a pervert.
It also became pretty apparent when I started working on a piece on wiping phones that, with the wide variety of storage control methods used to keep the media fresh and long-lived, it was going to be hard to ensure 100% erasure.
The best way I can find only works for root users, and that’s factory reset, then wipe /data, /cache (if it’s not contained under the data partition), and then completely fill up the free space in those partitions at least twice with garbage data (several copies of a movie, copying a Windows install disk over and over, etc.).
With that method, you've got a pretty good chance that, even with SD controller sector-remapping logic, your contact list, plain text password list, or OAuth tokens didn't manage to survive without being written over at least once.
They suggest encrypting your phone (settings, security, encryption), doing a factory reset, then loading dummy data (such as a few movies) to completely fill the phone up. Repeat for however paranoid you feel. One time is probably enough to guarantee your device is toast, twice should require the full skills of <insert evil data recovery business here>.
If you’re running an HTC ROM, the phone storage encryption option is located in settings, storage, phone storage encryption. You’ll need a PIN set as the unlock code in order to activate it, according to the M8 support article on this.
After one wipe and fill-up with garbage data you’re probably reasonably secure (make sure it’s random data; all zeros or all ones are theoretically easier to lift). Two wipes and fill-ups should even account for weird internal SD controller remapping that might be shuffling around some sectors to maximize SD life.
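The fill-with-random-data step can be scripted from a root shell on the phone; this is an added example, not part of the original post. The function name `fill_free_space`, its arguments and the `wipe-fill.*` file names are hypothetical, and it assumes a POSIX `sh` with `dd`, `sync` and `/dev/urandom`.

```shell
#!/bin/sh
# Added example: overwrite the free space of a mounted partition with random
# data, release it, and repeat. Names below are hypothetical, not from the post.
#
# fill_free_space DIR [PASSES] [MAX_MB]
#   DIR     directory on the partition to fill, e.g. /data or /cache
#   PASSES  fill-and-delete rounds (default 2, matching the "twice" advice)
#   MAX_MB  optional cap per pass for a dry run; 0 or omitted = fill until full
# Prints the number of complete 1 MiB chunks written in each pass, one per line.
fill_free_space() {
    dir=$1
    passes=${2:-2}
    max_mb=${3:-0}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }

    pass=1
    while [ "$pass" -le "$passes" ]; do
        n=0
        while [ "$max_mb" -eq 0 ] || [ "$n" -lt "$max_mb" ]; do
            f="$dir/wipe-fill.$pass.$n"
            # Random data rather than zeros. Small reads from /dev/urandom are
            # never short, so a dd failure here means the partition is full
            # (the partial last file still occupies the remaining space).
            if ! dd if=/dev/urandom of="$f" bs=4096 count=256 2>/dev/null; then
                break
            fi
            n=$((n + 1))
        done
        sync                                  # force the data out to flash
        rm -f "$dir"/wipe-fill."$pass".*      # free the space for the next pass
        echo "$n"
        pass=$((pass + 1))
    done
}

# Typical use after the factory reset, one call per partition:
#   fill_free_space /data 2
```

Chunk files of 1 MiB keep the script clear of per-file size limits on the filesystem, and the optional cap lets you check the behaviour on a scratch directory before running it against a whole partition.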
Alternately, after round one of encrypt and factory reset, if you want to install a program like SHREDdroid you’ll probably be fine.
Unfortunately you’ll need to come up with some way to save the APK, as you won’t be able to download it from Google Play unless you’re logged in, which means all your contact lists and such would flow back onto the device you want to sell.
As a best practice, you probably want to be running with encrypted storage to begin with if you’re worried about your data. That way if your phone is lost or stolen it will be a pain to do anything other than factory reset from the bootloader and sell it.
If you’re still paranoid that your data could be used after wiping, don’t sell the device. There’s probably a way to recover your overwritten data, but it involves both lifting overwritten data and then cracking the encryption, so chances are at that point unless you’re the CEO of a multibillion dollar company it’s just not worth it.