TL;DR
The pick: turn on Theft Detection Lock, Always-on VPN with the system-level kill switch, and Identity Check. These three settings together close the three biggest exposure windows on Android: a snatched unlocked phone, a leaking VPN tunnel, and a thief trying to factory-reset the device.
Skip if: you only use your Android phone for offline games and never sign in to anything sensitive. The other 95 percent of Android users want all six toggles below on.
Android security audit
Six toggles. Five minutes. One unlocked phone you’ll never lose.
A modern Android phone ships with most of the security it needs. The hard part is finding the six toggles that actually do the protecting and turning them on.
Your phone holds your photos, your messages, your banking app, your work email, and the keys to a dozen accounts that recover via SMS. Lose it unlocked at a cafe and the next ninety seconds matter more than anything you've ever set up on the device. The Android security model has gotten a lot better at compressing those ninety seconds into something a thief can't capitalize on, but only if you've turned the right switches on.
Below: six Android settings that actually protect you in 2025, the one that matters most (and where to find it), and the order to turn them on so the device is sealed before you put it back in your pocket.
1. Theft Detection Lock
Where: Settings > Security & privacy > Device unlock > Theft protection > Theft Detection Lock.
Introduced in Android 15 and now globally rolled out across Android 16 and 17, Theft Detection Lock uses an on-device machine-learning model to detect the motion pattern of a phone snatch: a sharp acceleration in a horizontal plane, followed by steady running motion, paired with a Wi-Fi network change. The phone locks itself before the thief is two blocks away.
It's the single most important security setting added to Android in years and it isn't on by default on every phone. Five seconds to enable. Battery overhead under one percent per day in our testing. While you're in the same menu, also flip on Offline Device Lock and Remote Lock for the cases where the thief manages to put the phone in airplane mode before you can react.
2. Always-on VPN with system-level kill switch
Where: Settings > Network & internet > VPN > gear icon next to your VPN app > toggle Always-on VPN AND Block connections without VPN.
The VPN app's own kill-switch toggle isn't enough. The OS-level always-on plus block-without-VPN combination is what actually keeps your packets in the tunnel during the brittle moments: a phone reboot, a Wi-Fi-to-LTE handoff, the sleep-to-wake transition. Most users have never opened this menu. Both toggles take five seconds.
If you don't have a VPN app installed yet, our companion piece on the four Android VPNs that actually pass our 42-scenario kill switch test is the place to start.
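An added example (not from the original article): a small shell check that reads the output of `adb shell settings list secure` and reports whether both OS-level toggles from this section are set. It assumes the Settings.Secure keys `always_on_vpn_app` and `always_on_vpn_lockdown`; the function name, verdict strings and sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the OS-level always-on VPN state from a settings dump.
# Input format: "key=value" lines, as printed by `adb shell settings list secure`.
# Assumed keys: always_on_vpn_app (package name) and always_on_vpn_lockdown (0/1).

vpn_lockdown_status() {
    # Reads the dump on stdin, prints one verdict, and returns:
    #   0 = always-on VPN set and "Block connections without VPN" on
    #   1 = always-on VPN set but lockdown off or missing (traffic can leak)
    #   2 = no always-on VPN app configured
    # tr strips the carriage returns some adb versions append to each line.
    tr -d '\r' | awk -F= '
        $1 == "always_on_vpn_app"      { app = $2 }
        $1 == "always_on_vpn_lockdown" { lock = $2 }
        END {
            if (app == "" || app == "null") { print "NO_ALWAYS_ON"; exit 2 }
            if (lock != "1")                { print "LEAKY:" app;   exit 1 }
            print "SEALED:" app
        }'
}

# Constructed sample dumps (not captured from a real device).
SAMPLE_SEALED='android_id=0000000000000000
always_on_vpn_app=com.example.vpn
always_on_vpn_lockdown=1'

SAMPLE_LEAKY='always_on_vpn_app=com.example.vpn
always_on_vpn_lockdown=0'

SAMPLE_NONE='android_id=0000000000000000'

# Demo over the constructed samples; "|| true" keeps the loop going
# when a verdict returns a non-zero status.
for dump in "$SAMPLE_SEALED" "$SAMPLE_LEAKY" "$SAMPLE_NONE"; do
    printf '%s\n' "$dump" | vpn_lockdown_status || true
done

# Against a connected device with USB debugging enabled:
#   adb shell settings list secure | vpn_lockdown_status
```

A `LEAKY` verdict means the first toggle is on but the second is not, which is the state this section warns about.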
3. Identity Check
Where: Settings > Security & privacy > Identity Check.
Identity Check requires biometric authentication (face or fingerprint) for sensitive actions outside trusted locations. Translation: a thief with your unlocked phone still cannot factory-reset it, change your screen lock, disable Find Hub, or wipe your accounts. They have your device but they cannot scrub it for resale or use the recovered slot for another account.
The "trusted locations" caveat matters. Set your home address as trusted; do not set your office or your gym. The whole point is that the phone behaves stricter the further it gets from the place where it's normally yours.
4. A real screen lock with a short auto-lock timer
Where: Settings > Security & privacy > Device unlock > Screen lock.
The math is unforgiving. A 4-digit PIN has 10,000 possible combinations and an attacker can try them on a Pixel 9 or Galaxy S25 in about half a day if Failed Authentication Lock is off. A 6-digit PIN takes about 25 days. A 6-character password is borderline uncrackable for opportunistic theft. Move past 4 digits today.
Set the auto-lock timer to 30 seconds or less. Anything longer and you've created a window where the phone sitting on the cafe table next to you is unlocked for someone to grab and walk off with. Failed Authentication Lock (in the same menu) auto-locks the phone after a short burst of bad PINs without burning your retry counter; turn it on.
5. Phishing protection in Messages and Gmail
Where: Google Messages > Settings > Spam protection. Gmail > Settings > account > Confidential mode and link warnings.
The smishing problem (SMS phishing) has gotten worse every year. The link in the text claiming to be from your bank, your shipper, your gym, looks plausible enough that a tired commuter taps it. Modern Google Messages runs an on-device classifier that flags suspicious links before they render; it sits behind a single toggle in Spam protection that ships off on a surprising number of older devices.
Gmail's link-warning settings live one menu deeper but the math is the same. Turn them on. The price is a 1-second pause before a flagged link opens in the browser. The benefit is your bank password not getting harvested on a Tuesday.
6. App-source restriction (and a quarterly cleanup)
Where: Settings > Security & privacy > More security and privacy > Install unknown apps. Set every app to "Not allowed" except a developer environment if you actually need one.
Android lets specific apps install other apps. By default, Chrome, Drive, Files, and a handful of file managers all carry that permission. Most malware on Android in the past three years arrived as a sideload through one of those vectors, not from the Play Store. Set every per-app toggle to "Not allowed" unless you have a specific reason. You'll never notice it's off.
Then once a quarter, walk through Settings > Apps and uninstall anything you haven't used in 90 days. Apps you don't open are still receiving silent updates, requesting fresh permissions, and exposing more attack surface than they're worth.
The full setup
Six settings, ranked by what they protect.
- 01 · highest impact: Theft Detection Lock. Closes the snatch-and-run window. Locks the phone the moment the motion pattern matches a grab.
- 02 · highest impact: Always-on VPN + system kill switch. Blocks unencrypted leaks during sleep, reboot, and Wi-Fi handoffs. The OS-level toggle is what matters.
- 03 · highest impact: Identity Check. Requires biometrics for factory reset and sensitive changes outside trusted locations. Stops resale.
- 04: Strong screen lock + 30s auto-lock. 6-digit PIN minimum, password better. Auto-lock under 30 seconds. Failed Authentication Lock on.
- 05: Phishing protection in Messages and Gmail. On-device classifiers flag suspicious links. Both toggles ship off on plenty of older devices.
- 06: App-source restriction + quarterly cleanup. Block sideload-from-anywhere. Uninstall apps unused for 90 days. Reduces attack surface.
FAQ
Common questions
Android security FAQ
- For most users, no. Google Play Protect (built into Android) scans installed apps and flags malware. The third-party antivirus market on Android exists mostly to upsell unrelated features like VPNs and password managers. If you have the six toggles above on and stick to the Play Store, additional antivirus is rarely the missing piece.
- It requires Android 15 or later. Pixel 8a and newer, Galaxy S24 and newer, OnePlus 12 and newer, and most current flagships from Xiaomi and Motorola support it. Older phones running Android 14 or below don't.
- The in-app kill switch only blocks traffic inside the VPN app's userspace. The system-level kill switch (under Android's VPN settings) blocks every packet on the device when the tunnel drops. The OS one is stronger; the app one is fighting around the OS instead of with it. Always run both.
- Strengthens for almost everyone. Biometric unlock is harder to shoulder-surf and faster to use, which means people set tighter auto-lock timers when they have it. The PIN is still required as a fallback. The combination is stronger than PIN alone.
- Find Hub (the rebranded Find My Device) uses crowd-sourced offline finding via every nearby Android phone, which is a network of more than a billion devices. Third-party trackers don't have that reach. For phone-finding, use Find Hub. For tagging keys and luggage, a third-party Bluetooth tracker is fine.
Verdict
Six toggles, in this order: Theft Detection Lock, Always-on VPN with the system-level kill switch, Identity Check, a 6-digit-or-stronger screen lock with a 30-second auto-lock, phishing protection in Messages and Gmail, and app-source restriction with a quarterly cleanup. Five minutes total on a clean phone. The phone you put back in your pocket is materially harder to steal, harder to wipe, and harder to phish than the one you took out.















