Is it safe to send your Android phone out for repair?

Fairphone 4 Disassembly (Image credit: Jerry Hildenbrand / Android Central)

Best answer: If you're able to factory reset your device before sending it in, as well as remove or wipe your eSIM card, then yes. However, if the phone is too damaged to turn on, there is a risk of someone accessing data even if you remote-wipe it. Because of this, you need to take steps if a hard reset isn't possible.

Why you need to be careful

In late 2020, game designer Jane McGonigal alleged that after she sent her Pixel 5a in for repairs, someone hacked into her phone and accessed her "Gmail, Drive, photos, backup email account, Dropbox" and other files while redirecting any emailed security alerts to her spam folder. In an interview with The Verge in December 2021, McGonigal described remotely erasing her phone so that it would wipe as soon as it connected to the internet. Yet someone still managed to bypass this failsafe.

This disturbing privacy leak made plenty of people question if it's safe to send their Android phone out for repair.

A Google spokesperson later announced that "After a thorough investigation, we can say with confidence that the issue impacting the user was not related to the device RMA," or Return Merchandise Authorization.

So, in theory, it is still safe to send your phone to the manufacturer or an official third-party vendor for repair. Still, this incident emphasized the importance of factory resetting an Android phone before handing it off to a repair vendor when possible.

A bad actor can easily use a Faraday cage to block internet or cellular access, so they have time to break past your passcode and access your files before a remote wipe takes effect. From there, because they have your phone and inbox, they can usually bypass most 2FA blocks and get full access. Most repair employees wouldn't do such a thing. Nonetheless, you shouldn't take the risk.

How to prepare your broken or damaged Android phone for repair

Broken glass (Image credit: Daniel Bader / Android Central)

Assuming the damage isn't catastrophic, and you can still access your phone, the steps to prepare your phone for repair are simple.

First, back up your Android phone. Sync your photos, back up your files to Drive or Dropbox, then back up your contacts, texts, apps, settings, and anything else you need to save.

Do you have an eSIM? A factory reset may or may not delete it, and you don't want a bad actor to access it. You'll want to delete your eSIM profile, either manually or during the reset process.

Now you need to factory reset your Android phone. If you have full access to your phone, this should take just a minute of navigating through your Settings to find the right menu. The exact steps differ based on which Android skin your phone uses.

Factory reset (Image credit: Android Central)

Lastly, remove your SIM card before mailing it. That's easy to forget, but someone could hypothetically cause all sorts of mischief by putting it in another phone and using it to bypass two-factor SMS checks, even if the phone is wiped. Other online accounts could still be vulnerable.

Now, it's safe to send your Android phone out for repair. If you followed all of the steps, there shouldn't be any data for someone to steal. Starting with Android 7, the OS began using file-based encryption that is extremely difficult to crack. A factory reset should make recovering data all but impossible, even with an undeletion app.

One more quick note: Once your phone is returned, make sure to factory reset it again before beginning your set-up process. However unlikely, a repair person could have placed malware on the device before returning it to you, which a reset would remove.

What to do if your Android phone is too damaged to reset it

Recovery mode factory reset Samsung (Image credit: Harish Jonnalagadda / Android Central)

If your touchscreen is too broken to navigate through menus, or if your phone won't turn on at all, it's much more difficult to protect your phone from bad actors. But you might have more options than you'd think.

Let's say your phone turns on, but you can't use the touchscreen. If you buy a USB-C hub, then connect a keyboard and mouse to your phone through the hub, you should be able to access all of your phone's settings and go through the backups and factory-resetting process above.

If you're having problems accessing your phone OS at all, you can try to factory reset it via recovery mode. First, turn your phone off. If you can't, for whatever reason, let it run out of battery, then plug it in, so it's powered but off. Then you'll need to use the specific button combo to enter recovery mode: press the Power and Volume down buttons on Pixels or stock Android, or the Power and Volume up buttons on a Samsung phone. You should then be able to navigate to the Wipe data/factory reset option using the volume buttons, then hit the power button to select it.

The above solution will delete your data and cause Factory Reset Protection to kick in. It's an anti-theft measure that prevents people from wiping and selling stolen phones without having access to the associated Google account. That means even a legitimate repair person would need your Google account password to open and check the phone. That's fine if the damage is entirely physical, but it does limit their ability to check if the phone is working properly post-repair.

Find My Phone Erase Device (Image credit: Android Central)

If the phone simply doesn't turn on no matter what, then you can't 100% guarantee that a malicious repair associate won't have a way to access your data. In that case, you should start by remote-wiping your phone. Go to https://www.google.com/android/find, select the broken phone, and choose Erase Device. This will ensure the phone is wiped as soon as it connects to the internet.

Unfortunately, as we saw with McGonigal's case, this doesn't always work. Before your phone breaks, you would hopefully have created a strong passcode that isn't easily broken in a few attempts. But once someone is past that, they will have access to any Android password managers on your phone, plus your inbox for 2FA emails and any private photos or files.

At this point, it simply becomes a matter of trust. If you're sending your phone directly to Google, Samsung, or another OEM for repair, it's doubtful they would try to access your files because of the potential bad publicity. So a remote wipe would work.

Otherwise, you could try making an appointment with a reputable repair center and ask the associate to fix it in full view, so they don't have the chance to try anything surreptitious with you watching. Still, they may say the policy is to repair it in the back. And this option doesn't solve the problem for people who want or need to mail it in for repair instead.

Overall, if you're choosing between repairing a phone too badly damaged to wipe or just buying a new Android phone instead, you have to decide if it's worth the risk of sending it in or not. 99% of the time, no one will have the tools or inclination to prevent a remote wipe. You just can't guarantee it won't happen.

Michael L Hicks
Senior Editor, VR/AR and fitness
