You likely already know that before you sell or recycle your phone you should reset it to factory settings so that your personal information doesn't go along with the device. On Android, however, factory reset has a problem.
The core of the problem is flash memory, which wears out after a limited number of erase cycles per block. To avoid burning through those cycles, a factory reset often just marks the user data as logically deleted (that is, free to be reused) without actually erasing or overwriting the blocks that hold it. Using off-the-shelf recovery tools that scan the raw storage rather than the file table, two Cambridge researchers (Laurent Simon and Ross Anderson) pulled photos, passwords, and chat logs back off phones that had been reset. In theory the factory reset is supposed to wipe all that data; in practice, thanks to how flash is managed, it wasn't being wiped all the way. Note that the study covered phones running Android 2.3 through 4.3, so the exact behaviour on a given device depends on its version and vendor.
Thankfully, the mitigation is easy: encrypt your phone before you do the factory reset. That way, any data left behind after the reset is ciphertext rather than readable photos and passwords. The caveat is that the encryption key is protected by your lock-screen PIN or password, and if the reset also leaves the encrypted key material behind, the next owner's job is to guess that PIN. A four-digit PIN falls to brute force in seconds, so use a long, complex password for the encryption, not the same short PIN you type a hundred times a day. On the Android versions in the study, head to Settings > Security > Encrypt Phone to encrypt your device; newer releases encrypt the device out of the box and may not show that menu item. Either way, encryption is a good thing to have in place in case your phone is ever lost or stolen.
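To make the two points above concrete, here is an added toy model (my own illustration, not the Cambridge researchers' tooling and not how Android implements its reset or its disk encryption). A simulated flash volume "deletes" files by freeing their blocks without erasing them; a carving routine recovers the leftovers by scanning raw bytes, exactly as a recovery tool ignores the empty file table. Encrypting the data first turns those leftovers into noise, but a short PIN guarding the key can still be brute-forced from the residue. The sample data, the salt, the PBKDF2 parameters and the SHA-256-based stream cipher are all constructed for the example.

```python
"""Toy model: logical vs. physical reset on flash, carving of leftovers,
and why a PIN-protected encryption key is only as strong as the PIN.
Constructed illustration; not Android's real reset or encryption code."""
import hashlib
import re
from typing import Dict, List, Optional

BLOCK_SIZE = 64
SALT = b"constructed-salt"   # constructed; real systems store a random salt next to the key metadata
KDF_ITERATIONS = 2000        # deliberately low so the brute-force demo finishes in about a second

# Constructed sample of the kind of data a reset is supposed to remove.
SECRET = b"password=hunter2 chat=meet at the station at 9 photo=JFIF......"


class FlashSim:
    """Toy flash volume: a free-block bitmap over a flat byte array. Freeing a
    block only flips the bitmap bit; the bytes stay until a later write happens
    to land there, which is the reset behaviour the article describes."""

    def __init__(self, nblocks: int) -> None:
        self.storage = bytearray(b"\xff" * (nblocks * BLOCK_SIZE))  # erased NAND reads as 0xFF
        self.free = [True] * nblocks
        self.files: Dict[str, List[int]] = {}

    def write_file(self, name: str, data: bytes) -> None:
        blocks = []
        for off in range(0, len(data), BLOCK_SIZE):
            chunk = data[off:off + BLOCK_SIZE].ljust(BLOCK_SIZE, b"\x00")
            idx = self.free.index(True)
            self.free[idx] = False
            self.storage[idx * BLOCK_SIZE:(idx + 1) * BLOCK_SIZE] = chunk
            blocks.append(idx)
        self.files[name] = blocks

    def reset_logical(self) -> None:
        """Quick-format style reset: drop the file table, free every block, touch no data."""
        self.files.clear()
        self.free = [True] * len(self.free)

    def reset_physical(self) -> None:
        """Reset that actually erases every block afterwards."""
        self.reset_logical()
        self.storage[:] = b"\xff" * len(self.storage)

    def image(self) -> bytes:
        return bytes(self.storage)


def carve(image: bytes, pattern: bytes = rb"password=\S+") -> List[bytes]:
    """What a recovery tool does: ignore the (empty) file table and scan raw bytes for signatures."""
    return [m.group(0) for m in re.finditer(pattern, image)]


def derive_key(pin: str) -> bytes:
    """Simplified stand-in for a PIN-derived key (PBKDF2 here; real FDE wraps a random master key)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), SALT, KDF_ITERATIONS)


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher built from a SHA-256 keystream. Illustration only;
    Android uses AES under dm-crypt/fscrypt. XOR makes this its own inverse."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def leftovers_after_reset(encrypt_with_pin: Optional[str], physical: bool = False) -> bytes:
    """Write SECRET (optionally encrypted), reset, and return the raw image an attacker would scan."""
    flash = FlashSim(8)
    payload = SECRET if encrypt_with_pin is None else stream_xor(derive_key(encrypt_with_pin), SECRET)
    flash.write_file("notes.txt", payload)
    if physical:
        flash.reset_physical()
    else:
        flash.reset_logical()
    return flash.image()


def brute_force_pin(image: bytes, digits: int = 4) -> Optional[str]:
    """Attacker holding the leftover ciphertext tries every short PIN; a guess is right
    when the decrypted bytes carve cleanly. Returns None if no PIN in the space works."""
    for n in range(10 ** digits):
        pin = f"{n:0{digits}d}"
        if carve(stream_xor(derive_key(pin), image[:len(SECRET)])):
            return pin
    return None


if __name__ == "__main__":
    print("plain reset, carved:", carve(leftovers_after_reset(None)))
    print("physical erase, carved:", carve(leftovers_after_reset(None, physical=True)))
    enc = leftovers_after_reset("0427")
    print("encrypted first, carved:", carve(enc))
    print("4-digit PIN recovered by brute force:", brute_force_pin(enc))
```

The logical reset leaves `password=hunter2` sitting in the raw image for `carve` to find; the physical erase leaves nothing; encrypting first also leaves nothing readable, but a four-digit PIN is recovered after at most ten thousand key derivations, which is why the advice is a long password rather than a PIN.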
[h/t The Verge]