Are pre-owned smartphones safe?

The modern smartphone has become an indispensable piece of technology. These powerful, pocket-sized computers enable us to do everything from hailing cabs to consulting with our local doctor. But costs can be prohibitive. Unsurprisingly, second-hand and refurbished devices have become an increasingly popular option, providing access to premium technology at a fraction of the price and appealing to budget-conscious consumers or those seeking sustainability.

Smartphones are also often among the most desired gifts during the holiday season. The latest models may be out of reach for many due to their high price, so second-hand phones present a more affordable option for gift-givers.

Also, any people upgrade their smartphones during the holiday season, either as gifts to themselves or because they’ve received a new phone as a present. This creates a secondary market for pre-owned devices as they sell or trade in their old models.

The key problem is not knowing what condition these devices will arrive in. To avoid unwittingly exposing yourself to cyber-risk, take time out to consider the following tips.

What are the risks of pre-owned phones?

Thanks to persistently high interest rates and inflation across much of the Western world, second-hand phones are increasingly commonplace. In fact, sales generated over $13bn globally in the first quarter of 2023 alone, up 14% annually, according to one estimate. In a mature market like the UK, a quarter of all phones sold in 2023 were reportedly second-hand or refurbished.

Yet this comes with certain cybersecurity risks. These include:

Outdated software

Some devices may no longer be supported by the manufacturer, meaning the underlying operating system doesn’t receive software updates. That’s bad news from a security perspective, as it means that when vulnerabilities are found by researchers or threat actors, your device won’t get a security patch to fix it. It will effectively be exposed to attackers. One 2020 study in the UK found that nearly a third of models being resold were no longer supported with security updates.

Malware

In some cases, a previous owner may even have (unwittingly or not) installed malicious software on the phone. This may be designed to do a variety of things, from steal your personal information and passwords to snoop on your calls and messages. It may even flood the device with unwanted ads or subscribe you to premium-rate services. The end goal is usually to make money in some way off you, either by stealing personal and financial information for use in fraud or digital extortion.

No refurbishment checks

Some pre-owned phones may not have undergone the kind of checks that reputable second-hand sellers perform to ensure they are operational and running on a supported OS. This may expose you to some of the risks outlined above.

How to avoid cyber risks on second-hand devices

Mitigating these risks takes a multi-pronged approach, starting with due diligence during the buying process. That effectively means doing your research. Second-hand devices are available from a wide variety of sources, from manufacturers themselves to high-street retailers, telcos, and private sellers. Put the time in to make sure the seller has good reviews and their offer is legitimate. A warranty of at least a year should be a baseline requirement to ensure quality.

It's also best to avoid jailbroken or rooted devices, as these may have had security features disabled which make them more exposed to threats.

Also, only choose devices that are still supported by the manufacturer; usually, phone-makers will support a handset for at least 2-3 years after it is released.

To further mitigate security risks, consider the following after purchase:

• do a full factory reset, wiping any data that may have been left on the device by the previous owner, including contacts, photos, messages, browsing history, passwords and apps,
• update all the software on the device after purchasing to the latest, most secure version, and switch on automatic updates,
• keep an eye out for tell-tale signs that it might be compromised with malware, such as unwanted pop-ups or ads, apps appearing that you didn’t download, or sluggish performance and unusually high battery usage,
• install security software from a reputable provider and have it scan the device for threats.

Once your device is up and running, consider the following best practices to mitigate ongoing security risks:

• set up a screen lock and PIN, password, or biometric authentication (face recognition/fingerprint scan) for secure access
• backup your data and set to automatic backups to the cloud in case the device is lost or stolen
• delete any unused apps to minimize your attack surface
• switch on device encryption for an extra layer of security
• always use multi-factor authentication to access your device and any software/accounts on it
• turn Bluetooth, tethering or Wi-Fi off when not in use, to avoid eavesdroppers snooping around
• check your app permissions – if some apps are requesting access to more than is necessary, that should be a red flag
• only download apps from official app stores and from reputable developers
• be on the lookout for phishing messages and emails. If in doubt, never click on links or open attachments contained in these messages. Always contact the supposed sender separately first, or open the message on a more secure machine
• avoid using public Wi-Fi without a VPN.

If you’re still concerned about your pre-owned phone exposing you to security risks, don’t access any sensitive information or accounts when using it – such as mobile banking or syncing with your corporate accounts. In fact, if your employer allows BYOD handsets in the workplace, there may be an additional set of rules and policies you need to follow to ensure that your second-hand device can be used. The risks outlined above could be amplified if threat actors manage to use your handset as a stepping stone to reach corporate data and systems.

That said, there’s no reason why a pre-owned phone should cause undue stress and security risk, as long as you follow these best practices. And if you decide to hand it on to someone else, remember to perform a full backup, data erasure and factory reset.