My neighbor got her bank account drained last year. Not from some massive corporate data breach. From her phone—specifically because she’d left location sharing enabled for an app she’d completely forgotten she had installed back in 2021.
Most people assume mobile security means a passcode and maybe a fingerprint scan. That’s like deadbolting your front door while every window in the house sits wide open. The settings that genuinely protect you are buried three or four menus deep, and nobody mentions them until something’s already gone wrong.
So here’s the thing: you don’t need a cybersecurity degree to fix this. Just 20 minutes and this list.
1. Turn On Two-Factor Authentication (Everywhere)
Non-negotiable. Full stop. Two-factor authentication blocked 99.9% of automated account attacks, according to Microsoft’s own internal data from 2019. And that figure still holds.
Start with your Google or Apple account, then work through your banking apps, email, and social media. Use an authenticator app—Google Authenticator or Authy—rather than SMS codes. SIM-swapping attacks have been undermining SMS-based 2FA for years. The 2020 Twitter hack that hit accounts belonging to Barack Obama and Elon Musk is probably the most famous example.
2. Audit Your App Permissions Right Now
Seriously. Right now. Open your phone settings, navigate to Privacy or App Permissions, and look at what actually has access to your microphone, camera, contacts, and location.
I did this about six months ago and found a flashlight app from 2019 that still had microphone access. A flashlight. With microphone access. It’s genuinely unsettling what accumulates over time.
Android users: Settings > Privacy > Permission Manager. iPhone users: Settings > Privacy & Security. Revoke anything that doesn’t make obvious, logical sense. Your weather app has zero business touching your contacts.
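The same audit can be run in bulk on Android. The Python below is an added example, not part of the original article: it parses text modeled on the runtime-permissions section of `adb shell dumpsys package` output and flags sensitive grants an app has no stated need for. The sample dump, the package names and the EXPECTED policy are constructed assumptions.

```python
import re

# Constructed sample, modeled on the per-package "runtime permissions"
# section printed by `adb shell dumpsys package`. Not real device output.
SAMPLE_DUMP = """\
Package [com.example.flashlight] (1a2b3c):
    runtime permissions:
      android.permission.CAMERA: granted=true
      android.permission.RECORD_AUDIO: granted=true
Package [com.example.weather] (4d5e6f):
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true
      android.permission.READ_CONTACTS: granted=true
      android.permission.CAMERA: granted=false
"""

# The four categories the article says to check.
SENSITIVE = {"CAMERA", "RECORD_AUDIO", "READ_CONTACTS", "ACCESS_FINE_LOCATION"}

# Assumed policy: what each app plausibly needs. Unlisted apps need nothing.
EXPECTED = {
    "com.example.flashlight": {"CAMERA"},  # assumed: LED driven via camera
    "com.example.weather": {"ACCESS_FINE_LOCATION"},
}

PKG_RE = re.compile(r"^Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s+android\.permission\.(\w+): granted=(true|false)")

def parse_granted(dump):
    """Map package name -> set of permissions currently granted."""
    granted, current = {}, None
    for line in dump.splitlines():
        if m := PKG_RE.match(line):
            current = m.group(1)
            granted[current] = set()
        elif (m := PERM_RE.match(line)) and current and m.group(2) == "true":
            granted[current].add(m.group(1))
    return granted

def audit(dump, expected):
    """Return (package, permission) pairs to revoke or review by hand."""
    findings = []
    for pkg, perms in sorted(parse_granted(dump).items()):
        for perm in sorted((perms & SENSITIVE) - expected.get(pkg, set())):
            findings.append((pkg, perm))
    return findings

if __name__ == "__main__":
    for pkg, perm in audit(SAMPLE_DUMP, EXPECTED):
        print(f"review: {pkg} holds {perm}")
```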
3. Enable Find My Device (And Actually Test It)
Both iOS and Android have this built in. Both are free. And yet most people either have it switched off or have never bothered checking whether it actually functions.
On Android, search “Find My Device” in settings or access it through your Google account. On iPhone, it lives under your Apple ID settings as “Find My.” Enable it, then log into the web interface from another device just to confirm it works—because when you need it, you’ll need it immediately.
4. Lock Down Your Lock Screen Notifications
Here’s one almost nobody thinks about. When your phone’s locked, notification previews can display text message contents, email subjects, even verification codes—all sitting there, visible to anyone who glances at your screen on the subway or in a coffee shop.
On iOS: Settings > Notifications > Show Previews > When Unlocked. Android varies by manufacturer, but look under Notifications > Lock Screen. Set it to hide sensitive content, or hide everything entirely. It’s a tiny change with a disproportionately large payoff.
5. Use a Strong Screen Lock (Not a 4-Digit PIN)
A 4-digit PIN gives you 10,000 possible combinations. A 6-digit PIN jumps to 1 million. A solid alphanumeric passphrase? Billions. Modern brute-force tools can crack a 4-digit PIN in minutes if someone gets physical access to your device.
Use at least a 6-digit PIN—ideally a short passphrase you’ll actually remember. Biometrics are fine as a convenience layer on top of that, but they’re not a substitute for a strong underlying passcode. That distinction matters.
6. Disable Auto-Connect to Public Wi-Fi
Your phone remembers networks. And it’ll automatically reconnect to any network with a matching name—which is precisely how “evil twin” attacks work. A hacker sets up a fake hotspot called “Starbucks WiFi,” your phone connects without asking, and your traffic gets intercepted.
Go into your Wi-Fi settings and kill auto-join for saved public networks. On iPhone, tap the network name and toggle off “Auto-Join.” Five seconds of your time, and it’s done.
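Why the name alone is the weak point, shown as an added example that is not part of the original article: the Python model below lists which nearby access points a saved profile would accept without prompting, and which profiles to switch auto-join off for. All profiles, BSSIDs and the matching rule (SSID plus security type) are constructed assumptions.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class SavedNetwork:
    ssid: str
    security: str   # "open", "wpa2-psk", ...
    auto_join: bool

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    security: str

# Constructed data: two saved profiles and one scan of nearby access points.
SAVED = [
    SavedNetwork("Starbucks WiFi", "open", auto_join=True),
    SavedNetwork("HomeNet", "wpa2-psk", auto_join=True),
]
SCAN = [
    Beacon("Starbucks WiFi", "02:00:00:00:00:01", "open"),
    Beacon("Starbucks WiFi", "02:00:00:00:00:02", "open"),
    Beacon("HomeNet", "02:00:00:00:00:03", "open"),
]

def silent_join_candidates(profile, scan):
    """Beacons the phone would accept for this profile without asking.

    Modeling assumption: a saved profile matches on SSID plus security type.
    An open network has no credential, so every matching beacon qualifies
    and the phone cannot tell the venue's access point from a look-alike.
    """
    if not profile.auto_join:
        return []
    return [b for b in scan
            if b.ssid == profile.ssid and b.security == profile.security]

def profiles_to_harden(saved):
    """Saved open networks that still have auto-join switched on."""
    return [p.ssid for p in saved if p.security == "open" and p.auto_join]

def harden(saved):
    """Apply the article's fix: turn auto-join off for open networks."""
    return [replace(p, auto_join=False) if p.security == "open" else p
            for p in saved]
```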
7. Keep Your OS Updated (Stop Dismissing Those Notifications)
The 2021 Pegasus spyware scandal hit devices running outdated iOS versions. Apple had already patched the vulnerability—but only users who’d actually updated were protected. Updates aren’t just about new features. They’re frequently closing known security holes that hackers are actively exploiting right now, while you’re reading this.
Set your phone to auto-update. Or at minimum, stop hitting “remind me later” every single time.
8. Review Your Google or Apple Account Connected Apps
Both platforms allow third-party apps to connect to your account. Over time, that list gets long and strange. Old apps. Apps from companies that don’t exist anymore. Apps you opened exactly once in 2018 and never thought about again.
Check yours at myaccount.google.com/connections or Settings > [Your Name] > Password & Security > Apps Using Apple ID. Revoke anything unfamiliar or outdated. You’ll probably be surprised what’s still in there.
Bottom Line
Here’s what I think most security advice gets fundamentally wrong: it frames your phone as a vault that needs a better lock. But your phone is more like a live window into everything about you—and the real threat isn’t someone smashing the glass. It’s all the doors you’ve already left propped open without realizing it. Fixing your mobile security settings isn’t paranoia. It’s closing the gaps you created accidentally, one forgotten app permission at a time.
Frequently Asked Questions
How often should I review my mobile security settings?
Every three to six months is a solid rhythm. Set a calendar reminder and actually keep it. App permissions accumulate quietly, especially after new installs, and your connected accounts list tends to grow without you ever noticing.
Are iPhones more secure than Android phones?
Generally, iPhones operate within a more controlled software environment, which narrows certain attack surfaces. But no phone is bulletproof. Honestly, the real variable isn’t the platform—it’s whether you’re actually using the security settings available to you. Habits matter more than hardware.
What’s the single most important setting to change first?
Two-factor authentication on your primary email account. Your email is essentially the master key to your digital life—if someone gets in there, they can reset passwords for your bank, your social media, and every other account tied to that address.
Can someone access my data even if my phone is locked?
Yes, in certain situations. Lock screen notification previews, some Siri or Google Assistant functions, and USB data access can all expose information on a locked device. That’s exactly why settings like hiding lock screen notifications and disabling USB accessories when locked (available in iOS under Face ID & Passcode) aren’t just minor tweaks—they actually matter.
