
Is there a feasible way to safely use a pre-owned smartphone? For a PC/laptop I would simply shred the contents of the hard disk drive before creating new partitions. If feeling paranoid, I might even flash the BIOS (see also this question).

I'm considering buying a used smartphone (for environmental purposes), but how would I make sure it is free from any irregular spyware (apart from the standard Google stuff)? Can I take the same approach as for a PC and still use it as a regular smartphone afterwards? Rooting would give me "similar access to administrative (superuser) permissions as on Linux", although in reality I don't need root to shred a PC as long as I have physical access, although it may be harder to exploit physical access to a smartphone than for a PC. Naively, I would expect:

  1. Shred the contents of any read/write-storage on the smartphone, either by mounting it on Linux (assuming I get access to all storage media that way), or by booting it into the right mode (assuming I can get into the bootloader — perhaps I can boot into a custom OS from an SD-card?);
  2. Repartition the disk (remark above applies);
  3. Install a version of Android on the disk, presumably with something equivalent to a distribution so I have a kernel and a minimum of software for it to function;
  4. Reboot and use it as if it was new.

Are such or equivalent steps feasible for an ordinary user with moderate technical know-how? Or am I totally on the wrong track as far as making a pre-owned smartphone safe to use is concerned?


For the purposes of this question, assume a smartphone designed to run Android and released in 2015 or later.

gerrit

1 Answer


Depends on the risks you are trying to mitigate. General rule of thumb is that once the evil maid has access to the end point, it's not a trusted platform.

  • Free from irregular spyware and presumably no other untrusted devices on the handset. The risk is to the confidentiality of your data mainly, I think. There is some risk to integrity and some to availability but I think mainly it's confidentiality.
  • Risk to your personal freedoms. There is a chance that the phone was used by a criminal or actor being investigated by an agency. Your phone will have the same IMEI and therefore there is a risk that an agency might want to speak with you and ask you to prove that you were not the original owner. Probably low impact to you, but no way of knowing who comes a-knocking.
  • Risk to availability. Battery. Dead. No call.
  • Risk of "I just can't get the damn thing out of Chinese/Russian/French/Yahoo mode".

If the phone you buy is rooted then, meh, game over. There is practically no way you can know what is on the phone or what has been installed.

If it has not been rooted then later versions of Android claim to factory reset everything. But there is some research link to suggest that this is not the case and that there is data remanence after a reset. You could flash from a known-good ROM but even then you can't know for sure if your specific hardware hasn't got something lurking.

So to answer your question, the answer is: Probably.

If you only use the phone for making calls on a PAYG contract then your maximum exposure is your remaining credit plus your call history. A factory reset is OK because low likelihood x low impact = low risk.

If you use your phone for secret squirrel work then nope, you can't use it. That's why UK Government has Good Practice Guides on the re-use of devices and the sanitisation required between users or different threat levels. Low likelihood x very high impact = high risk, plus it's government so no choice.

If you use it for calling plus some interweb stuff then it's possible your phone has a backdoor but it's very unlikely. Not a probability of zero but close to it (happy to see some real peer-reviewed data on the number of second-hand phones on sale with malware that has persisted over a factory reset though, as I could be wrong). Add in that you will only be buying a second-hand late model with some of the later protections then the low probability x medium impact = low-medium risk offsets the currency.

(In my final analysis and IRL for me the battery life makes it almost uneconomic for me to bother with a second hand phone because a battery is typically rated for 10,000 cycles which is about two years after which you have to buy a new phone anyway.)

Edit: see this SE question: "Cambridge University paper on Android factory reset still up to date?"

Unicorn Tears