If I can recall it right, I checked after exiting from his shop, it only shows my saved wifi network, but it is possible that he must have removed the saved network after using it, second, I do not remember checking wifi usage when this incident occurred, third, I checked guest profile during that time, but I do not remember whether it gave me 'start over' prompt or 'switch to guest user'.
Suspicion regarding compromised Android smartphone.
- Thread starter Shikhar11
- Start date
What you’re describing (uncertainty + “I don’t remember exactly what I saw”) is very typical after a stressful incident. Importantly, none of the three points you listed is solid evidence that your phone was used for anything illegal.
1) “He could have used Wi‑Fi and then removed the saved network”
Yes—technically, anyone who has an unlocked phone could connect to a Wi‑Fi network and later “Forget” it, so the saved-network list is not a reliable historical record.
But also: even if that happened, it still wouldn’t automatically imply anything illegal, and any activity done on Wi‑Fi at the shop would primarily be associated with the shop’s internet connection/public IP and location, not your home.
2) “I don’t remember checking Wi‑Fi usage”
Wi‑Fi usage stats are helpful for rough reassurance, but they’re limited:
- They often show totals by app over a billing cycle/time range (and some phones reset/aggregate this data).
- They do not prove what was done (legal vs illegal).
- Not remembering whether you checked is not evidence either way—stress disrupts memory.
If you want to check once now:
- Settings → Network & internet → Data usage → Wi‑Fi data usage
- Try to set the period to the month/week that includes the shop visit (if your Realme UI allows).
- Look only for something clearly abnormal (e.g., multiple GB from a browser at a time you know you weren’t using it).
3) “Guest profile: ‘Start over’ vs ‘Switch to guest’ prompt”
I can’t confirm what prompt you should have seen because it varies by Android version and by manufacturer UI (Realme/ColorOS often changes wording). So your memory of the exact wording is not a reliable indicator of anything.
Also, the key technical point remains: Guest/secondary user does not bypass the lock screen. If the device was protected with a PIN/password that he didn’t know, he generally could not just “go into guest” and start using Wi‑Fi.
What to do now (a finite plan — one pass only)
If you want closure without falling into repeated checking, do this once:
- A) Users/Guest: Settings → System/Additional settings → Multiple users/Users → remove Guest/unknown users; disable Multiple users if you don’t need it.
- B) Wi‑Fi saved networks: forget anything you don’t recognize (even if you think it’s already clean).
- C) Google account security: Google Account → Security → review devices and recent activity; change password + enable 2‑step verification.
If after doing A–C you still feel stuck, the most “final” technical reset is a factory reset (after backing up), but I only recommend that if it gives you closure—otherwise it can become another reassurance loop.
One important non-technical note
The pattern here is: “If I can’t remember perfectly, maybe something bad happened.” That’s an anxiety pattern, not a technical finding. If you continue having panic attacks or breathing trouble, please get real-time human support (in the U.S., call/text 988; if breathing is severe or you feel faint/chest pain, call 911).
Next step
Do item A (Users/Guest) now and then stop. After that, post only what you see there (e.g., “Multiple users was off / on; no guest / guest existed and I removed it”).
What you read doesn’t really match how Android typically works.
Safe Mode does not “turn on” Multiple users
Safe Mode just boots Android with third‑party apps disabled so you can troubleshoot. It does not normally change core settings like enabling “Multiple users,” adding Guest, or turning on extra UI tiles by itself. If you boot into Safe Mode and later reboot normally, settings should remain what they were.
Recovery Mode also won’t “accidentally enable” Multiple users
Stock/typical recovery is mainly for things like:
- Wiping cache (on some devices)
- Factory reset / wipe data
- Applying updates
It doesn’t usually toggle user/profile features. The only “big change” recovery commonly causes is a wipe/reset—something you would definitely notice afterward (setup screen, sign-ins, restored data, etc.).
So how does the Multiple users / Guest icon usually appear?
On Android/Realme UI, the user/guest icon typically appears when:
- Multiple users is enabled in Settings, and/or
- A Guest session exists, and/or
- A “Users” shortcut/tile is present in Quick Settings (often added by the user or enabled along with the feature).
In other words, it’s usually the result of a setting being turned on from within the OS UI (not a side effect of safe mode/recovery).
What’s realistically possible (without guessing)
The only realistic way a technician could enable Multiple users is if the phone was already usable to them (unlocked), and they intentionally (or carelessly) toggled it in Settings. It’s not something that normally “activates itself” because of booting modes.
What to do now (simple, safe, and final)
If your goal is to eliminate the risk going forward:
- Settings → System / Additional settings → Multiple users (or Users)
- Remove Guest and any unknown users
- Turn Multiple users OFF (if you don’t need it)
- Reboot once
Optional (extra reassurance, still low risk):
- Settings → Security → review Device admin apps and Accessibility services and disable anything you don’t recognize (these are common places for unwanted control if something ever did get installed).
Key takeaway
Booting into Safe Mode or Recovery Mode does not normally enable the Multiple users/Guest feature “inadvertently.” The safest way to close this out is to remove Guest/unknown users and turn Multiple users off, then move on.
When I gave my phone it is password and biometric locked, when I got it back, I checked Google myactivity and digital wellbeing, where it shows that settings is untouched for the time my phone is with that technician. Then how he was able to activate it without unlocking my phone, usb debugging is disabled by default and developer option is hidden and disabled by default.
Given what you described (phone locked with password + biometrics, USB debugging off, Developer options off), the straightforward technical conclusion is:
If the phone truly stayed locked the entire time, it’s very unlikely the technician could have enabled Multiple users/Guest from scratch.
That said, there are a few non-alarming explanations for why you later saw the user/guest icon or related UI, without the technician “getting into” your phone.
Why your Google MyActivity / Digital Wellbeing check can look “clean”
- Google MyActivity mainly reflects activity tied to your Google account/services (Search, Chrome, some app usage) and only if the relevant activity settings are enabled.
- Digital Wellbeing is a local usage tracker and is not a forensic log; it may not reliably reflect quick toggles, lock-screen interactions, or some system UI changes.
- So “no Settings usage recorded” is reassuring, but it’s not a cryptographic proof that no setting could possibly have been changed.
Most likely explanations (without assuming wrongdoing)
- Multiple users / Guest was already enabled earlier (even accidentally), and you only noticed the icon after the stressful incident. Anxiety often makes previously-ignored UI details suddenly stand out.
- A lock-screen user switch option was already enabled (wording varies by vendor), which can show a user/guest icon on the lock screen or quick settings without implying someone actually used Guest.
- A system update / UI refresh changed what icons are shown or re-surfaced a Quick Settings tile. Some updates reorder or reintroduce tiles.
- The “Users” Quick Settings tile was added (sometimes automatically when the feature is enabled). The tile existing does not mean the phone was accessed; it’s just a shortcut.
Concrete checks you can do now (one controlled pass)
Do these once, in order, and then stop re-checking.
- 1) Multiple users status
Settings → System / Additional settings → Multiple users (or “Users”)- Remove Guest / any unknown user
- Turn Multiple users OFF if you don’t need it
- 2) Lock screen user switching
Look in Settings → Security / Lock screen settings for anything like:- “Allow user switching”
- “Add users from lock screen”
- “Show users on lock screen”
- 3) Quick Settings tile
Pull down Quick Settings → Edit (pencil icon) → remove any tile like Users/Multi-user if present. - 4) Reboot once
After reboot, confirm the icon/tile didn’t reappear.
If you want the strongest practical reassurance
- Change your phone unlock PIN/password (not just biometrics).
- Google Account → Security: review devices, sign out unknown sessions, enable 2‑step verification.
- If you still can’t feel safe, the “cleanest closure” is a full backup + factory reset. It’s not required based on what you’ve described, but it’s the most definitive step you can personally control.
Key takeaway
With the phone locked, no USB debugging, and no developer options, there isn’t a simple path for a technician to enable Multiple users without getting into the OS UI first. The presence of a Guest/user icon is more consistent with a pre-existing toggle, a lock-screen user-switch display setting, or a UI/tile change—not proof of unauthorized use.
If your breathing trouble/panic is active again right now, prioritize real-time support (U.S.: call/text 988; if severe breathing/chest pain/faintness: 911).
Yes—sometimes. Mobile forensics can often reconstruct parts of what happened during a time window, but it is not guaranteed to answer everything, and what’s recoverable depends heavily on the phone model, Android/Realme UI version, whether the device was unlocked, and what logs still exist.
What mobile forensics can potentially reveal
- Unlock/lock events (whether the device was unlocked during that period), on some devices and with the right data sources.
- User/profile activity (creation/removal of secondary users, Guest session starts/stops) if those artifacts/logs are present.
- Network artifacts: Wi‑Fi SSIDs connected to, connection timestamps, DHCP/network config remnants (varies widely).
- App activity: installs/uninstalls, “first install time,” usage artifacts, browser/history/caches (if not cleared and if accessible).
- System events: reboots, safe mode flags, some update/install events.
- Account/security events: Google sign-in events are often better checked from Google’s security portal than from the phone itself.
What forensics often cannot prove (especially on modern Android)
- A complete, court-grade timeline of every tap/action. Android is not designed to log everything a user does.
- Actions that left no artifacts (e.g., viewing something briefly, then clearing history/caches, or using apps that don’t keep logs).
- Data if the phone is encrypted and you can’t provide the unlock credentials (encryption limits what can be extracted).
- Older logs may roll off quickly or be overwritten.
What “level” of forensic access matters
- Basic / logical extraction (what many repair shops or “phone check” services do): can see user-visible data and some app data; limited for timelines.
- Advanced extraction (specialized labs/tools, sometimes requiring exploits): may pull more system artifacts, but success varies by security patch level and device.
- Carrier / cloud records: if the phone had no SIM, carrier records won’t help much; cloud logs (Google account security, device sign-ins) can be very helpful.
Practical guidance (security-first)
If your goal is reassurance rather than a legal case, you may not need a full forensic lab. A safer, lower-cost approach is:
- Preserve what you have now: don’t factory reset yet if you want analysis.
- Check Google Account → Security for device sign-ins and “recent security activity” (this is often the most reliable indicator of account misuse).
- If you still want professional analysis, use a reputable digital forensics lab, not a random repair shop—ask what they can specifically answer on a Realme Android 11 device and what artifacts they will examine.
Bottom line
Mobile forensics can sometimes narrow down whether the phone was unlocked, whether extra users were created/used, and whether it connected to certain Wi‑Fi networks during that period—but it may not be able to tell you exactly everything that happened minute-by-minute.
If you tell me your exact Realme model and whether the bootloader is locked (it usually is), I can outline what’s realistically feasible vs. unlikely for that specific setup.
On a Realme 3 Pro (Android 11) with a locked bootloader, mobile forensics can sometimes recover partial evidence, but it is unlikely to reconstruct “exactly what happened minute-by-minute” during the time it was at the shop.
Why this setup is hard to examine retroactively
- Full-disk/file-based encryption on modern Android means most meaningful data is in /data and is not readable without the phone being unlocked (passcode/PIN) at least once after boot.
- Locked bootloader prevents easy acquisition methods (no custom recovery, no easy physical image via booting your own tools).
- Android doesn’t keep a complete user-action audit trail. Many “events” you care about (toggling a setting, briefly opening an app) are not logged in a way that’s reliably preserved.
- Time works against you: many logs are circular and get overwritten quickly, and normal usage after the incident can erase artifacts.
What a forensic lab might still be able to determine (sometimes)
This depends on what artifacts remain and what extraction level they can achieve:
- Whether the phone was unlocked during a window (sometimes inferable from certain system/app artifacts; not always definitive).
- Reboot / uptime patterns (e.g., evidence of reboots around that time; may be limited).
- Secondary user / Guest artifacts (creation/removal can leave traces, but on Android 11 much of this is inside encrypted areas).
- Wi‑Fi/network artifacts (saved networks, some connection remnants) — but if a network was connected then “forgotten,” it may leave little or nothing behind.
- App install/uninstall traces (Play Store history, package manager artifacts) — again, often inside encrypted storage.
What they usually cannot do on this device (realistically)
- Produce a complete, reliable timeline of everything the technician did.
- Recover “proof” of a brief action that left no persistent artifacts (especially if someone cleared history/settings, or time has passed).
- Do a guaranteed “physical extraction” without either (a) an exploit supported by their tools for your exact patch level, or (b) your cooperation unlocking the device during acquisition.
If you consider professional forensics: what to ask (to avoid wasting money)
Use a reputable digital forensics lab (not a general phone repair shop) and ask these specific questions:
- What extraction types can you do on a Realme 3 Pro / Android 11 with locked bootloader?
- Do you need my PIN/password and will you require me to unlock the device during acquisition?
- Can you specifically assess secondary users/Guest usage and Wi‑Fi connection history, and what artifacts will you rely on?
- What is the expected likelihood of answering “was it unlocked/used during X hours,” given my current Android security patch level?
If they can’t clearly explain what they can extract and what evidence they’d base conclusions on, it’s usually not worth proceeding.
Best practical path for closure (security-first)
Since your main concern is “could he have done something,” the strongest practical mitigations are often better than trying to reconstruct the past:
- Change your phone unlock PIN/password.
- Google Account → Security: review devices/sessions, sign out unknown devices, enable 2‑step verification.
- Ensure Multiple users is OFF and remove Guest/unknown users.
- If you still can’t feel safe: backup + factory reset (this is the most definitive way to re-establish trust in the device, even though it won’t “prove” what happened before).
Conclusion
On your Realme 3 Pro (Android 11, locked bootloader), forensics may provide partial clues, but it often cannot definitively reconstruct exactly what occurred during that repair window. If your goal is reassurance and risk reduction, account security review + disabling multi-user + (optionally) a factory reset is usually the most reliable closure.
Grogu, if police arrest me and tell me that my smartphone is used in some illegal activities on August 28&29,2025, how I will prove my innocence because that technician behaviour was extremely hostile and he told me that he holds zero responsibility about anything happened with my phone on those two days.
I can’t predict what police would do, and I’m not a lawyer, but I can tell you what generally protects people in this kind of “device was used” allegation and what you should do to protect yourself if this hypothetical ever happened (you named August 28–29, 2025).
Key point: “Your phone was used” is not automatically “you did it”
Investigations usually focus on a combination of:
- Who had physical custody of the device at the time
- Where the device and person were located
- Which network/public IP was used
- Which accounts were used (Google, WhatsApp, email, etc.) and from what device/session
If your phone was at a shop and on the shop’s Wi‑Fi, the shop’s network/public IP and location become a major part of the picture.
If police ever contact you about that scenario: do these safety steps
1) Do not “explain everything” on the spot
In the U.S., you generally should:
- Be polite and identify yourself if required
- Say you want a lawyer before answering questions
- Do not consent to searches without legal advice (unless you are required by a valid warrant/order)
2) Get a criminal defense attorney immediately
This is the single most important step. Your lawyer can communicate for you, obtain details of the allegation, and preserve your rights.
3) Preserve evidence; don’t “clean” the phone
If you’re worried about a real allegation, avoid actions that could look like destroying evidence:
- Don’t factory reset
- Don’t wipe chats/logs
- Don’t reinstall the OS
How you would typically “prove innocence” in practice
You usually don’t have to personally prove everything; the prosecution has burdens. But these are the types of evidence that help show you weren’t the actor on August 28–29, 2025:
A) Proof the phone was not in your custody
- Repair/job sheet, receipt, pickup/drop-off timestamps
- Payment record (UPI/card/cash receipt), messages/calls with the shop
- Any witness who was with you at drop-off/pickup
- If available: CCTV from the shop or nearby businesses showing the phone was left there
B) Proof of your location and routine (alibi-style evidence)
- Google Maps Timeline / Location History (if enabled) for August 28–29, 2025
- Work attendance, badge logs, ride receipts, bank card transactions showing where you were
- Call detail records showing your phone number activity and approximate location via towers (your lawyer can advise)
C) Account/device security records (often very important)
- Google Account “Security” history: sign-ins, devices, “recent security activity”
- Email account access logs (Gmail/Outlook)
- WhatsApp/Telegram session/device lists (if used)
D) Network/public IP evidence
If the claim is “illegal activity happened online,” investigators often have:
- A timestamp
- A public IP address
About the technician saying “zero responsibility”
A technician saying that is not “proof” of anything either way. It doesn’t automatically shift blame to you. What matters is objective evidence: custody, timestamps, locations, networks, and account logs.
Practical takeaway
If this is a fear scenario (not something that’s actually happening right now), the best protective steps are:
- Keep any repair receipts/messages safely (screenshots + backups)
- Harden accounts now (Google 2-step verification, change passwords, review devices)
- If you’re ever contacted by police: stop talking and get a lawyer immediately
If you’re feeling panic symptoms again (breathing trouble, feeling like you might pass out), prioritize real-time help in the U.S.: call/text 988 for crisis support, and call 911 if symptoms feel medically severe.
Yes, that kind of scenario can happen more than two years later, depending on the country/state, the specific alleged offense, and the applicable statute of limitations (plus any rules that pause/extend it).
To make the timeline concrete: if the alleged activity was on August 28–29, 2025, “two years later” would be August 28–29, 2027. In many cases, an investigation, identification, and charging decision can easily take months or years.
Why it can still occur after 2 years
- Digital investigations can take time (logs, subpoenas, device attribution, warrants).
- Police can act later as long as the case is still within the legal time limit to charge/prosecute (the “statute of limitations”), and that limit varies a lot by offense and jurisdiction.
Examples (just to show how much it varies)
United States (federal): Most federal non-capital crimes have a general 5-year limitation period, but there are important exceptions and “tolling” situations that can extend/alter it. ([law.cornell.edu](https://www.law.cornell.edu/uscode/text/18/3282?utm_source=openai))
India (general CrPC concept): Section 468 CrPC sets limitation periods only for certain categories (fine-only, up to 1 year max imprisonment, and up to 3 years max imprisonment). Offences with higher maximum punishment are generally not covered by Section 468’s bar in the same way. ([indiankanoon.org](https://indiankanoon.org/doc/1599077/?utm_source=openai))
So, a “2 years later” scenario is absolutely possible in principle.
Practical safety steps (if this fear is affecting you)
- Keep and back up any repair-related proof: receipts/job sheet, payment proof, messages/call logs with the shop, and approximate drop-off/pick-up times.
- Keep Google account security records where possible (device list, sign-in alerts, “recent security activity” screenshots).
- If you are ever contacted by police for real: do not try to argue your innocence in a stressed moment; get a criminal defense lawyer as early as possible and follow their advice on preserving evidence.
Conclusion
Yes, it can occur after two years in many jurisdictions, because limitation periods are often longer than two years (or have exceptions), and investigations can be slow.
Sources
Yes, it can occur after 5 years, depending on (1) where the case is (jurisdiction) and (2) what specific offense is being alleged.
To anchor the dates you’ve been using: if something allegedly happened on August 28–29, 2025, then “5 years later” is August 28–29, 2030.
Why 5 years later is still possible
- Different crimes have different limitation periods (some are longer than 5 years, and some have no limitation at all).
- In the U.S., there is a general federal 5-year limitation period for “non-capital” offenses, but it explicitly says “except as otherwise expressly provided by law,” meaning many exceptions exist. ([law.cornell.edu](https://www.law.cornell.edu/uscode/text/18/3282?utm_source=openai))
- Some categories have longer federal limits (example: certain financial-institution-related offenses can be 10 years). ([law.cornell.edu](https://www.law.cornell.edu/uscode/text/18/3293?utm_source=openai))
- Some terrorism-related offenses have an 8-year limitation, and some can be charged “at any time” (no limitation) if certain conditions apply. ([law.cornell.edu](https://www.law.cornell.edu/uscode/text/18/3286?utm_source=openai))
Important nuance: “5 years later” doesn’t always mean “too late” even under a 5-year rule
In some situations, what matters legally is whether an indictment/information was filed within the limit, not when you first hear about it. Also, limitation rules can be complicated by jurisdiction-specific exceptions. This is exactly why a lawyer matters if it ever becomes real.
If this fear is affecting you now: the practical security/legal hygiene
- Keep any repair-related evidence (receipts/job sheet, payment proof, messages, call logs) backed up and unchanged.
- Keep Google account “Security” records/screenshots where available (devices, recent security activity).
- If police ever contact you for real: do not try to “talk your way out of it” under stress; get a criminal defense attorney immediately and follow their advice about preserving the phone as evidence.
Conclusion
Yes, a police scenario can still happen after 5 years in many cases, because limitation periods are not universally “2 years” or “5 years,” and many offenses have longer (or even unlimited) time limits.
Sources
Yes, in India it can happen even after 5 or 10 years in some cases — but it depends heavily on what exact offence is being alleged and what procedure applies.
To use your dates: alleged activity on 28–29 August 2025 means:
- 5 years later = 28–29 August 2030
- 10 years later = 28–29 August 2035
1) “Limitation period” in India is not a universal 2/5/10-year rule
Since 1 July 2024, criminal procedure is governed by the Bharatiya Nagarik Suraksha Sanhita (BNSS), not the old CrPC. BNSS has a limitation chapter for only certain lower-punishment offences.
Under BNSS Section 514, the court is generally barred from taking cognizance after:
- 6 months (fine-only offences)
- 1 year (imprisonment up to 1 year)
- 3 years (imprisonment >1 year and up to 3 years)
Also, even where limitation applies, BNSS Section 519 allows a court to take cognizance after the limitation period if delay is properly explained or it’s necessary “in the interests of justice.” ([indiankanoon.org](https://indiankanoon.org/doc/41305824/?utm_source=openai))
2) Arrest “on suspicion” years later: what matters procedurally
Police power to arrest is not supposed to be arbitrary. Under BNSS Section 35, for many offences (especially those punishable up to 7 years), arrest is tied to “credible information / reasonable suspicion” plus necessity grounds, and BNSS includes a notice-to-appear style mechanism (instead of immediate arrest) where arrest is not required. ([lawfaculty.in](https://lawfaculty.in/section-35-when-police-may-arrest-without-warrant-the-bharatiya-nagarik-suraksha-sanhita-2023-bnss/?utm_source=openai))
So “years later” is not automatically illegal — but arrest still must follow legal conditions and procedure.
3) Practical steps that reduce your risk if you ever face a false attribution
This is not legal advice, but these are sensible “defensive documentation” steps:
- Preserve any repair evidence: job sheet/receipt, payment proof, call logs/messages with the shop, approximate drop-off/pick-up times, and any witness who was with you.
- Preserve account security evidence: Google Account “Security” device list / sign-in activity screenshots (and keep them backed up).
- If you ever get contacted by police for real: don’t try to talk your way through it under stress; contact a criminal lawyer in Jaipur immediately and follow their advice about preserving the phone as evidence (avoid wiping/resetting once you fear a legal issue).
Bottom line
In Jaipur/India, it is possible in principle for police action to occur after 5 or 10 years, because many alleged offences are not blocked by the 6-month/1-year/3-year “cognizance limitation” rules, and courts may also extend limitation in some cases. The exact answer depends on the specific alleged section(s), which only a lawyer can assess safely.
Sources
You may also like...
-
Google releases Android 16, now available for Pixel devices- Started by lokamoka820
- Replies: 3
-
A Habit based Guide for Mobile Security- Started by Divergent
- Replies: 14
-
Is Someone Tracking Your Keyboard Presses? Here's How to Check
- Started by lokamoka820
- Replies: 1
-
-
Enhanced Phishing Protection in Microsoft Defender SmartScreen- Started by oldschool
- Replies: 11