My device (Android 8.0) is encrypted with the default encryption (no startup password). As far as I know, when I have data on my phone and factory-reset the phone, the data is unrecoverable, since a new key for the encryption is being created and the old one is getting deleted. (Am I correct?)

Now, what happens when I delete data on that same phone AND THEN factory-reset the phone - can the deleted data be recovered?

schroeder
user205079
    Before the data was deleted, it was stored encrypted. After factory reset, you lost the encryption key. If there is no backup of the data or of the key, it is not recoverable. – Z.T. Apr 21 '19 at 01:19

1 Answer

The data can be recoverable.

The factory reset should delete all data, accounts, passwords and content from your Android device. The problem is, this is only partially true.

Cambridge University researchers tested a range of Android devices running Android and found that in all cases they were able to recover account tokens – which are used to authenticate the 1st time you enter a password (Google, Facebook and WhatsApp). In 80% of cases, they were able to recover the master token, which practically is the main key to the device. Once the master token is recovered, the user’s credential file can be restored and all your data re-synced to the device: that means e-mails, cloud-stored photos, contacts and calendars. So you just offered access to everything!

Devices with built-in encryption are not safe from such a problem because they don't provide the required software to fully correctly wipe flash storage.

Also, it is possible to create an image of your phone’s internal memory and then mount it and dig into it as long as you want.

What you can actually do:

  • encrypt your phone with a strong password that contains a mixture of upper/lower-case letters, numbers, symbols and is long enough

  • after reset, fill the device with useless data to overwrite anything sensitive like the tokens and crypto keys left in flash storage and you should do it without re-registering with Google. You can do this fill by copying something or just by recording a video for as long as you can, at the highest possible resolution, until all your available space is full.

  • finally, reset again

schroeder
Overmind
  • Questions about the details in the paper here: https://security.stackexchange.com/questions/209091/cambridge-university-paper-on-android-factory-reset-still-up-to-date – schroeder Apr 26 '19 at 19:39
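
The fill step from the answer's list, sketched as a shell function that could be run from a shell on the device between the two resets. This is an added example, not part of the original answer; the function name, the `fill.tmp` directory, the 64 MiB chunk size and the optional cap argument are assumptions.

```shell
#!/bin/sh
# fill_free_space DIR [MAX_MIB]
#   DIR      directory on the storage to overwrite (for example /sdcard)
#   MAX_MIB  optional cap in MiB for a trial run; omit to run until full
# Prints the number of whole MiB written. The filler files are left in
# place on purpose: the second factory reset removes them.
fill_free_space() {
    dir=$1
    max_mib=${2:-0}          # 0 means no cap: stop only when writes fail
    chunk_mib=64             # size of each filler file (assumed value)
    written=0
    n=0
    mkdir -p "$dir/fill.tmp" || return 1
    while :; do
        want=$chunk_mib
        if [ "$max_mib" -gt 0 ]; then
            left=$((max_mib - written))
            if [ "$left" -le 0 ]; then break; fi
            if [ "$left" -lt "$want" ]; then want=$left; fi
        fi
        f="$dir/fill.tmp/fill.$n"
        rc=0
        # Random data, so compression or zero-detection cannot shrink it.
        dd if=/dev/urandom of="$f" bs=1048576 count="$want" 2>/dev/null || rc=$?
        size=0
        if [ -f "$f" ]; then size=$(wc -c < "$f"); fi
        got=$((size / 1048576))
        written=$((written + got))
        n=$((n + 1))
        # A dd error or a short file means the storage is full.
        if [ "$rc" -ne 0 ] || [ "$got" -lt "$want" ]; then break; fi
    done
    sync                     # flush cached writes to the flash before reset
    echo "$written"
}
```

Writing through the filesystem only reaches blocks the filesystem can allocate; blocks the flash controller keeps in reserve are not touched by this.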