These issues affect many Android phones. Unfortunately there is no single simple solution, though the authors suggest several mitigations.
Three security issues that caught my attention:
"In general, we found that devices in our sample logically sanitised all bytes requested through the ioctl command, except for one phone: the Google Nexus 4. This has a 6189744128B data partition, fully used by the file system. The last 16KB were not sanitised and fully recoverable about 20% of the time after a Factory Reset."
"We found emails in 80% of our sample devices, but generally only a few per device"
"We recovered Google tokens in all devices with flawed Factory Reset, and the master token 80% of the time."
The last one, the recoverable Google tokens, would allow an attacker to synchronize email or other accounts, giving access to the current, live account, not just the old (historical) data recovered from the Android device in the attacker's possession.
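For the first issue quoted above, a defender will want to verify for themselves that the tail of a data partition actually comes back blank after a reset. The check below is an added example written for this post, not code from the paper or from the Android project: it inspects the last 16KB of a raw partition image (a constructed sample here, a dd dump or the block device itself in practice) and reports any bytes that are neither erased-flash 0xFF nor zero-filled 0x00.

```python
import math

TAIL_BYTES = 16 * 1024  # the unsanitised tail size the paper reports for the Nexus 4


def tail_residue(image: bytes, tail_len: int = TAIL_BYTES) -> dict:
    """Examine the last tail_len bytes of a partition image.

    Erased NAND reads back as 0xFF and a logical zero-fill as 0x00; any other
    byte value in the tail is residue that the Factory Reset left behind.
    A random-pattern overwrite would also be reported as residue, which the
    entropy figure makes easy to recognise (close to 8 bits per byte).
    """
    tail = image[-tail_len:] if len(image) > tail_len else image
    if not tail:
        raise ValueError("empty image")
    counts = [0] * 256
    for b in tail:
        counts[b] += 1
    n = len(tail)
    entropy = -sum(c / n * math.log2(c / n) for c in counts if c)
    residual = n - counts[0x00] - counts[0xFF]
    return {
        "tail_len": n,
        "residual_bytes": residual,
        "entropy_bits": round(entropy, 2),
        "sanitised": residual == 0,
    }


def check_image_file(path: str, tail_len: int = TAIL_BYTES) -> dict:
    """Same check on a raw image file or block device, reading only the tail
    so a multi-gigabyte data partition need not be loaded into memory."""
    with open(path, "rb") as f:
        f.seek(0, 2)                       # seek to the end to learn the size
        size = f.tell()
        f.seek(max(0, size - tail_len))
        return tail_residue(f.read(), tail_len)


# Constructed sample images (not real device dumps): a properly erased tail,
# and one where an e-mail header fragment survived the reset.
SAMPLE_CLEAN = b"\x00" * 4096 + b"\xff" * TAIL_BYTES
SAMPLE_RESIDUE = b"\xff" * TAIL_BYTES + b"From: alice@example.test\r\n" + b"\xff" * 512

if __name__ == "__main__":
    for name, img in (("clean", SAMPLE_CLEAN), ("residue", SAMPLE_RESIDUE)):
        print(name, tail_residue(img))
```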
I strongly recommend reading Security Analysis of Android Factory Resets.
- General-audience article from Ars Technica http://arstechnica.com/security/2015/05/flawed-android-factory-reset-leaves-crypto-and-login-keys-ripe-for-picking/
- Research Paper (PDF) from Laurent Simon and Ross Anderson, University of Cambridge http://www.cl.cam.ac.uk/~rja14/Papers/fr_most15.pdf