Mobile Security: Think Twice Before You Throw Out That Mobile Device

We tend to focus on protecting mobile devices while we are actively using them, but we often forget what to do with them at the end of their lifecycle. Before you throw out your old mobile device there are a few steps you should take to ensure good housekeeping. Some of these steps are simply good practice; others are required under many compliance schemes and corporate security policies.

First things first, do you own the device?

This may seem obvious, but devices are often leased as part of a service agreement. If the device is leased, you will want to find out what limitations there are, if any, on the steps you can take to decommission it. In some cases leased devices are enrolled in Mobile Device Management (MDM) servers, or have special applications installed, that may limit what you are able to do or may be contractually required to remain on the device.

Is the device still functional?

If the device you need to dispose of is not functioning, you will want to have it securely destroyed. Contact a local data disposal company that can physically destroy the device to protect any data left behind. The same providers that offer paper shredding and secure data storage often also offer secure data destruction services. These providers can show a secure chain of custody and issue certificates of destruction that auditors can use as third-party verification that the data has been destroyed. Some corporate security schemes may require secure data destruction under all circumstances, so make sure you follow through on every step required.

If the device is functioning properly, you will want to collect the following critical information:

  • For iOS devices, you will need the iCloud account credentials. You may also need a restrictions passcode if the device is connected to a corporate MDM system.
  • For Android, you will need the Google account username and password. Once you have collected your credentials you can get started.

Make sure you have a good backup of your device.

  • If you are using iOS you can follow the instructions here to set up your device to back up to iCloud or iTunes.
  • For Android devices, you will want to follow the instructions here.

A good backup is important if you later need access to something that was on the device before it was wiped. If the device was used to take pictures, you may want to use a separate application to back up your photos.

Encrypt the device if it is not encrypted already.

Many compliance schemes and corporate security policies require mobile devices to be encrypted at all times. However, this step is very often missed. Encrypting the device adds another layer of protection when the device is wiped and makes it extremely difficult for an unauthorized party to recover data from the device.

For iOS devices, any device running iOS 8 or later with a passcode is already encrypted.

To verify:

  1. Launch the settings app.
  2. Tap on “Touch ID & Passcode” or “Face ID & Passcode.”
  3. You will be prompted to enter in your passcode.
  4. After entering in your passcode, scroll to the bottom and look for the phrase “Data protection is enabled.” That indicates your device is encrypted.

For Android devices:

  1. Make sure that you have enabled a screen lock PIN or password.
  2. In Settings, choose Security > Encrypt Device. (On some devices, you’ll need to choose Storage > Storage encryption or Storage > Lock screen and security > Other security settings to find the “Encrypt” option.)
  3. Follow the prompts to encrypt your device, which may restart several times.

After ensuring the device is encrypted, revoke that device’s access to any service that is authorized on a per-device basis. Streaming services often limit the number of authorized devices per account. Deauthorizing is typically easiest to do from the device itself; it frees a slot for activating your new device and prevents unauthorized access from the old one.

Uninstall licensed applications from the mobile device.

For example, if you are using a licensed mPOS application, you will want to follow the vendor’s instructions for decommissioning the device and releasing the license so it can be used on a new device. Many mPOS applications do not store data on the mobile device and do not limit the number of devices, in which case you can simply uninstall the app.

For iOS devices, the last step is to sign out of iCloud, iTunes & App Store and erase all content:

  • Apple has an easy-to-follow article for you to use. This will remove the device from Find My iPhone and clear the activation lock.
  • If you paired an Apple Watch, you will want to unpair that as well.
  • If you are switching to a new Android device, you will want to deregister iMessage as well to make sure your SMS messages are routed properly from other iOS devices.
  • If the device is registered to a corporate iCloud account, you may need a special restrictions passcode from your IT department.
  • Your IT department may also be able to perform this step remotely for you.

For Android devices, the last step is a factory reset of the device:

  • Google has an easy-to-follow article for you to use.
  • It’s recommended that you plug in your device during the reset, as some device resets can take up to an hour to complete. Some devices are customized by the manufacturer and require different steps to factory reset.
  • If you have questions, contact your supplier or IT department for help.
  • If the mobile device you are decommissioning has a SIM card, you will also want to remove that and destroy it if you will not be using it in the new device. Most new mobile devices will come with a new SIM card to simplify activation. You can drop a SIM card into any paper shredder that is also capable of shredding credit cards.

Now that you have taken these steps to back up, encrypt, remove critical applications, deauthorize from iTunes/Google Play, and wipe the device, it is ready for disposal. When turned on, the device should behave like a brand-new device that prompts the user to begin setup. Mobile devices contain rechargeable batteries, heavy metals, and other components that should be recycled instead of dumped into landfills. Apple provides a nationwide recycling program for old devices that you can read more about here. For Android devices, many local retailers offer drop-off locations where you can take old devices to be either resold or recycled. If the device is still in proper working order, you may be able to trade it in for a new device or sell it to companies that buy old devices. So go ahead and retire that old mobile device. Just make sure you do it the right way!


Written by Jon Marler

Jon Marler is a Product Manager at SecureTrust with a true passion for information security and more than a decade of experience in information security, payment processing, risk management, software development, and telephony. Jon spent eight years working with some of the largest acquirers in the world, helping them build online payment gateways and risk management platforms before joining SecureTrust. Aside from his primary role with SecureTrust, Jon also sits on the EC-Council ANSI Scheme committee as a trusted advisor, has participated in the PCI SSC SIG focused on addressing cloud computing, and is a member of the ETA committee for mobile payments. As a result of his long-standing commitment to open source software, Jon has offered his expertise as a package manager for the Debian GNU/Linux OS distribution since 1998.