When a crime is committed over the Internet the prosecution has to establish a link between the crime and the accused, usually via an IP address. Typically they get the IP address from the computer targeted in the crime (e.g. a server which is the target of a hack).
The IP address identifies the computer that the targeted computer was talking to. This is usually the computer being used by the perpetrator, but it may not be: the perp may have used another computer as a relay in order to hide their tracks. (BTW a smartphone is just a small computer).
Given an IP address the police will identify which Internet Service Provider owns that IP address and ask them which subscriber was using it at the time. ISPs are required to keep records of IP address assignment for this purpose, and they are usually accepted as accurate by courts. However these are just normal business records, and they have been known to be in error.
(These days the police are helped by the fact that IP addresses do not often change, so its quite possible that when they seize the device they find it still has the IP address in question, making mistakes less of an issue)
Once they have the subscriber identity the next step for the police is to question the subscriber to find out if the subscriber was the perpetrator or if it could have been someone else; questions like "Does any one else use your phone?" get asked.
The prosecution will also have to establish that the phone wasn't being used as a relay by someone else. This can be done by a forensic examination to confirm that malware capable of relaying a connection is not present.
If the prosecution can establish that the IP address was leased to the subscriber's device, the subscriber was the only person to use the device, and there is no relay malware present, then that part of their case is complete.