Guides

Phone Security: The Complete Guide to Locking Down Your iPhone or Android

Heads up: this article contains affiliate links. If you buy through them we may earn a commission at no cost to you. We only recommend tools we trust — see our disclosure.

Take a second and think about what's on your phone right now: your email, your banking apps, your photos, your messages, the codes that protect every other account you own, and probably a map of everywhere you've been. If a stranger picked it up unlocked, they'd hold the keys to your entire digital life. That's not meant to scare you — it's meant to explain why a little time spent locking down your phone is some of the highest-value security work you'll ever do.

This guide walks you through it calmly, step by step, for both iPhone and Android. You don't need to do all of it today. Work through it at your own pace, and by the end your phone will be a far harder target — without becoming annoying to use.

Why your phone is your most valuable target

Your phone isn't just another gadget; it's the master key to everything else. Here's why it sits at the center of your security.

  • It holds your email. And email is the reset button for nearly every other account. Whoever controls your inbox can request password resets everywhere.
  • It's your second factor. Those one-time login codes — by text, by app, or by tap — usually live on your phone. A thief with your unlocked phone can sail past the very protections meant to stop them.
  • It's your wallet. Banking apps, payment apps, and saved cards turn your phone into cash.
  • It's your memory. Photos, messages, and notes are deeply personal and, once gone or exposed, can't be un-shared.

There's one more reason worth naming. Phones are designed to be glanced at constantly, often in distracting places — a coffee shop, a crowded train, a hotel lobby. That makes them easy to shoulder-surf, easy to grab, and easy to leave behind. The combination of "holds everything" and "out in the world all day" is exactly what makes them the prize.

The encouraging part: because the phone is so central, a handful of solid habits protect a huge amount at once. You're not chasing a hundred fixes — you're tightening the few that matter most. Let's get to them.

Set a strong screen lock and use biometrics wisely

Everything else rests on this. If your lock screen is weak, none of the fancier protections matter.

Pick a real passcode

Skip the four-digit PIN. Use at least a six-digit code, and ideally a longer alphanumeric passcode (a short word-plus-numbers phrase you'll remember). On iPhone, go to Settings, then Face ID & Passcode, choose "Change Passcode," then "Passcode Options," and pick "Custom Alphanumeric Code." On Android, look under Settings, Security, Screen lock. Avoid obvious choices like 1234, birthdays, or repeated digits.

Use biometrics — but understand the trade-off

Face unlock and fingerprint unlock (Face ID, Touch ID, or Android's equivalents) are genuinely good. They make a strong passcode painless to live with, so you're more likely to keep one. Use them for everyday convenience.

The one thing to know: your passcode is the real master key — biometrics are just a fast shortcut to it. So memorize a strong passcode, never share it, and learn how to quickly disable biometrics in a pinch. On iPhone, pressing the side and a volume button together briefly requires the passcode again. That's handy if you're ever in a situation where you don't want a phone unlocked by your face.

Also set your screen to auto-lock quickly — 30 seconds to a minute — so a phone left on a table doesn't sit open. And turn off lock-screen previews for sensitive notifications, so a passerby can't read your incoming bank texts or two-factor codes without unlocking the phone. On iPhone that's Settings, Notifications, Show Previews, set to "When Unlocked." On Android, look under Settings, Notifications, for the lock-screen privacy option.

Keep the operating system and apps updated

This is the least glamorous step and one of the most important. Most phone "hacks" rely on flaws that were already fixed in an update people hadn't installed yet. Staying current closes those doors automatically.

  • Turn on automatic OS updates. iPhone: Settings, General, Software Update, Automatic Updates. Android: Settings, System, Software update (wording varies by maker).
  • Turn on automatic app updates. iPhone: Settings, App Store. Android: in the Play Store under your profile, Settings, Network preferences.
  • Mind your phone's age. Older phones eventually stop receiving security updates. When yours reaches that point, it's the strongest reason to upgrade — not the camera.

That's it. Flip those switches once and most of this maintenance happens while you sleep.

Audit your app permissions

Apps love to ask for more access than they need. A flashlight app does not require your contacts. Spending ten minutes here noticeably shrinks how much of your life leaks out.

What to check

  • Location: set apps to "While Using the App" rather than "Always," and turn it off entirely for apps that have no business knowing where you are. Reserve "Always" for things like real-time navigation.
  • Microphone and camera: grant these only to apps that obviously need them. Both phones show an indicator dot when the mic or camera is active — glance at it occasionally.
  • Contacts: be stingy. Many apps ask to upload your whole address book, which exposes other people's info, not just yours.
  • Photos: prefer "Selected Photos" (iPhone) or limited access (Android) instead of your entire library.

Where to find it

On iPhone, go to Settings, Privacy & Security, then tap each category (Location Services, Microphone, Camera, Contacts) to see exactly which apps have access. On Android, open Settings, Security & privacy, Privacy, Permission manager. Both let you sweep through by permission type, which is faster than checking app by app.

Install apps safely

The simplest rule keeps you out of most trouble: stick to the official store — the App Store on iPhone, the Google Play Store on Android. Even there, a little caution goes a long way.

  • Check the developer name and reviews. Scammers clone popular apps with slightly-off names.
  • Be suspicious of an app demanding lots of permissions that don't match what it does.
  • Delete apps you no longer use. Every app is a little extra surface area and another company holding your data.
  • Ignore links in texts or emails pushing you to "install this app." Go to the store and search for it yourself.
  • Re-read permission prompts when an app updates. Apps sometimes ask for new access after an update, and the moment it pops up is the easiest time to say no.

A quick word on "free" apps: if an app is free and you can't tell how it makes money, the answer is often your data. That's not always sinister, but it's a reason to favor well-known, reputable apps and to keep an eye on what you grant them.

We'll cover the Android-specific risk of installing apps from outside the store (sideloading) below, because it deserves a clear word.

iPhone-specific protections

Apple gives you several strong features that are off or under-used by default. Turning them on takes minutes.

Stolen Device Protection

This is the big one, and many people don't know it exists. Stolen Device Protection adds a layer that kicks in when your phone is somewhere unfamiliar, requiring Face ID or Touch ID — with no passcode fallback — for sensitive actions like viewing saved passwords or changing your Apple ID. It also adds a security delay before the most critical changes. This defeats the classic theft trick where a thief who watched you type your passcode then changes everything. Turn it on in Settings, Face ID & Passcode, Stolen Device Protection.

Find My

Make sure Find My iPhone is on (Settings, your name, Find My). It lets you locate, lock, or erase a lost phone, and it ties the device to your account so a thief can't easily reuse it. Enable "Send Last Location" so the phone reports its spot before the battery dies.

iCloud settings and backups

Review what's syncing to iCloud and turn on iCloud Backup so a lost phone isn't a lost life. For an extra tier of protection, Apple offers Advanced Data Protection, which end-to-end encrypts far more of your iCloud data — worth considering if you're comfortable safely storing a recovery key.

Lockdown Mode (for high-risk users)

Most people don't need Lockdown Mode, and that's fine. But if you're a journalist, activist, executive, or anyone who might be targeted by sophisticated attackers, it dramatically reduces the ways your phone can be attacked, at the cost of some convenience. It's in Settings, Privacy & Security, Lockdown Mode.

Android-specific protections

Android gives you powerful controls too; the menus vary a little by manufacturer, but the features are there.

Google Play Protect

Play Protect scans your apps for known bad behavior automatically. Confirm it's on by opening the Play Store, tapping your profile, then Play Protect, and make sure scanning is enabled. It's a free, built-in safety net.

Find My Device

Turn on Find My Device (Settings, Security & privacy, Find My Device) so you can locate, lock, or erase your phone remotely. As with iPhone, this also helps tie the device to you so it's harder to wipe and resell.

Permission manager and privacy dashboard

Android's Permission manager (Settings, Security & privacy, Privacy) lets you sweep permissions by type, and the Privacy dashboard shows which apps recently used your location, camera, or mic. Check it now and then — it's an easy way to catch an app overreaching.

Sideloading risks

Android lets you install apps from outside the Play Store, which is called sideloading. It's a genuine feature with legitimate uses, but it's also the main way malicious apps sneak onto Android phones. Unless you have a specific, trusted reason, leave "install unknown apps" turned off, and never enable it just because a website or message told you to. If you ever do allow it for one task, turn it back off afterward.

Use a password manager's autofill

Your phone is the perfect place to break the habit of reusing passwords, because a good password manager makes strong, unique passwords easier than weak ones. It stores every login in an encrypted vault and fills them in for you with a tap.

Set your phone to use a dedicated manager as its autofill provider. On iPhone: Settings, General, AutoFill & Passwords. On Android: Settings, then search "autofill service." From then on, logging in becomes faster, and you never have to remember (or reuse) another password. A trusted, audited option like Bitwarden works beautifully across phone and computer, and 1Password is another excellent choice if you'd like a more polished interface. If you're weighing options, our best password managers guide breaks down the differences, and you can generate strong passwords any time with our password generator.

Turn on two-factor authentication

Two-factor authentication (2FA) means logging in needs two things: your password and a second proof it's really you — usually a one-time code or a tap on your phone. Even if someone steals your password, they're stuck without that second factor. Turn it on for your most important accounts first: email, banking, and the account tied to your phone (Apple ID or Google).

  • Best: a hardware security key like a YubiKey for your most critical logins — it's nearly phishing-proof.
  • Great for most people: an authenticator app that generates codes, or your password manager's built-in code feature.
  • Better than nothing: text-message codes. They're vulnerable to certain attacks, but still far safer than no second factor at all.

One practical caution: if your only second factor lives on your phone and your phone is lost, you can lock yourself out. Save your backup recovery codes somewhere safe (in your password manager or printed and stored at home) when you set 2FA up.

The risk of public USB charging

You'll sometimes see public USB charging ports at airports, hotels, and conference centers. In rare cases a tampered port or cable could try to pull data from or push something onto a connected phone — an old trick sometimes called "juice jacking." It's uncommon, but it's trivially easy to avoid.

  • Plug your own charger into a regular wall outlet instead of a public USB port.
  • Carry a small portable battery pack and charge from that.
  • If you must use a public USB port, a "charge-only" cable or a tiny "USB data blocker" adapter passes power but not data.
  • If your phone ever asks whether to "trust this computer" while charging, say no — a charger has no reason to ask.

Your lost-or-stolen-phone plan

Decide what you'll do before it happens, so panic doesn't cost you time. Keep this simple sequence in mind.

  1. Locate and lock it remotely using Find My (iPhone) or Find My Device (Android) from another device or a friend's. Locking displays a message and a contact number on the screen.
  2. If recovery looks unlikely, erase it remotely. Your data is gone from the device but safe in your backup.
  3. Change your most critical passwords right away — email first, then banking — especially if biometrics weren't protecting everything.
  4. Contact your carrier to suspend the line and block the device, which stops calls, texts, and SMS-based codes from reaching a thief.
  5. Report it to the police if it was stolen; you may need a report number for insurance or your carrier.

Because you set up Find My, a strong passcode, and Stolen Device Protection or its Android equivalent earlier, a lost phone becomes a hassle rather than a catastrophe.

Back up your phone

Backups are what turn "my phone is gone" into "I'll restore it on a new one this evening." They also protect you from a cracked screen, a dropped-in-water moment, or a bad update.

  • iPhone: turn on iCloud Backup (Settings, your name, iCloud, iCloud Backup). You can also back up to a computer for a free, local copy.
  • Android: turn on backup to your Google Account (Settings, System, Backup), and let Google Photos sync your pictures.
  • Check it occasionally. A backup you assumed was running but wasn't is a painful surprise. Once in a while, confirm the last backup date is recent.

If you'd like to keep going beyond your phone, our start here page and full training walk you through securing the rest of your digital life at a comfortable pace.

The quick version

  • Your phone is the master key to your email, banking, 2FA codes, and photos — which is exactly why locking it down protects so much at once.
  • Set a strong lock: at least six digits (or a short alphanumeric passcode), use biometrics for convenience, and auto-lock quickly. Your passcode is the real master key.
  • Turn on automatic updates for both the OS and your apps, and replace a phone once it stops getting security updates.
  • Audit permissions: limit location to "While Using," and be stingy with mic, camera, contacts, and photos.
  • Install only from the official store and delete apps you don't use.
  • iPhone: enable Stolen Device Protection, Find My, and iCloud Backup; Lockdown Mode if you're high-risk.
  • Android: confirm Play Protect and Find My Device are on, use the Permission manager, and keep sideloading off.
  • Use a password manager's autofill so every login is strong and unique.
  • Turn on two-factor authentication for email, banking, and your Apple ID or Google account — and save your backup recovery codes.
  • Avoid public USB ports; use a wall outlet, a battery pack, or a data-blocking cable.
  • Have a lost-phone plan: locate, lock, erase, change passwords, call your carrier.
  • Back up regularly so a lost phone is an inconvenience, not a disaster.

Liked this?

Get one short, useful security email when we publish something new.

More in Guides

Get the plain-English security newsletter

One short email when we publish something useful. No spam, no fearmongering. Unsubscribe anytime.