If you buy used Android phones in volume, a quiet change in Android is starting to show up in your intake trays. Google has rebuilt Factory Reset Protection (FRP) in Android 15 and tightened it again in Android 16 — and in 2026, those devices are arriving at wholesalers, refurbishers, and recyclers in real numbers. A phone that would have been easy to reset and resell two years ago can now be a locked brick if the previous owner's Google account was never removed properly.
This article explains what actually changed, why it matters for anyone who processes used phones, and what to adjust in your intake and wiping workflow before locked stock becomes a write-off problem.
What Factory Reset Protection does
FRP has been part of Android for years. When a phone with a Google account is factory-reset without first removing that account, the phone demands the previous owner's credentials before it can be set up again. The goal is anti-theft: a stolen phone should be worthless to the thief.
The problem, historically, was that FRP enforcement lived in the setup wizard — and setup-wizard tricks to skip it were widely known. For used-device businesses, that was a safety net: an FRP-locked phone in a purchased lot could often still be recovered and sold.
What changed in Android 15
In Android 15, Google moved FRP enforcement out of the setup wizard and into deeper system layers. In Google's own words, "FRP enforcement has been moved deep into the system, where it's much harder to overcome." According to Google's Android Enterprise security team, even if someone bypasses the setup wizard, the device now blocks adding a new Google account, setting a new screen lock, and installing apps — and enabling the "OEM unlocking" developer option no longer deactivates FRP either.
In short: the well-known workarounds stop working, and the device stays unusable until the original account credentials or lock-screen credentials are entered.
Android 16 goes further
At its Android Show event in May 2025, Google announced that Android 16 would add another layer: when a device is reset without the owner's authorization — for example through recovery-mode buttons or a remote wipe that wasn't confirmed by the owner — the system flags the reset as suspicious and restricts the device until the rightful owner verifies it. Reporting at the time indicated the strictest behavior would arrive through Android 16's quarterly platform releases — announced features and what ships on a given phone are not always the same thing.
The direction, though, is clear and one-way: Google intends unauthorized resets to produce a device that cannot be used or sold. One important caveat for a working business: Android 15 and later strengthen FRP at the platform level, but the exact behavior and rollout can vary by manufacturer, model, security patch, and regional firmware. Check the devices you actually handle rather than assuming uniform behavior across brands.
Why this matters to your business now
None of this is a problem when the seller is legitimate and signs out properly. It becomes your problem in four specific places:
- Intake risk moves to the moment you pay. An FRP-locked Android 15 or 16 device is, for practical purposes, unsellable. If you discover the lock after buying a lot, the loss is already booked. Account status has to be checked before money changes hands — per device, not per lot.
- A factory reset is not a clean device. A reset performed with the account still attached produces exactly the locked state FRP is designed to create. Your wiping process needs to confirm that the Google account was removed and the device reaches the setup screen unlocked — not just that a reset ran.
- Locked units poison batch economics. Trade-in programs and wholesale lots are priced on the assumption that most units are recoverable. As Android 15/16 devices become the majority of supply, the recoverable fraction of carelessly prepared lots drops, and lot pricing needs to reflect that.
- Disputes need evidence. When you reject or reprice locked units, the conversation with your supplier goes much better with a per-device record: IMEI, model, lock status, date, and who checked it.
What to change in your workflow
Practical adjustments that small and mid-sized operations can make immediately:
- Add an account-lock check to intake, before payment. Before accepting a device, have the seller remove all Google and manufacturer accounts (Samsung account included). Checking Settings is a useful first look, but the strongest verification is completing the reset workflow and confirming setup proceeds without requesting the previous owner's credentials. On iPhones the equivalent check — Find My iPhone / Activation Lock — has been standard intake practice for years; Android now deserves the same discipline.
- Put account removal into your purchase terms. For walk-in purchases and trade-ins, sign-out becomes a step the seller completes in front of you. For bulk suppliers, put FRP-clear status into the contract, with locked units returnable or discounted.
- Verify, don't assume, after wiping. After erasure, the device should boot to a setup screen that accepts a new account. Treat "reset completed" and "FRP clear" as two separate checkboxes.
- Record everything per device. A lot-level spreadsheet won't tell you which 14 units out of 300 were locked, who supplied them, or whether the pattern is getting worse. Per-device records with IMEI, lock status, test results, and an erasure certificate will.
Where testPod fits
testPod is desktop software for exactly this kind of per-device discipline: connect an iPhone or Android over USB, identify it, run hardware diagnostics, securely wipe it following the NIST SP 800-88 method, and keep a record and erasure certificate for every device — with barcode labels, Excel report exports from the cloud dashboard, and a JSON Cloud API for inventory integration. It runs on the Mac, Windows, or Linux computers you already own, with a free trial (14 days or 25 devices) and published pricing from $30/month per computer.
To be clear about the boundary: testPod does not bypass FRP. Legitimate recovery of a locked device normally requires the previous owner's credentials or an authorized manufacturer or enterprise process. What testPod gives you is the per-device record — identity, test results, wipe evidence, history — while your intake procedure separately verifies that the account lock has been cleared.
The bottom line
Google has spent two Android releases making unauthorized resets useless, and the used-device market inherits the consequences in 2026. Businesses that check account status before paying, verify FRP-clear after wiping, and keep per-device records will barely notice the change. Businesses that keep buying and reselling on lot-level trust will find a growing pile of phones nobody can use.
Sources: Google Android Enterprise security team, "Enhanced Factory Reset Protection in Android 15" (Dec 2024); Android Authority and Phandroid on Google's Android 16 FRP announcements (May 2025).
