# How to make your Android phone secure: 12 settings that actually matter

*Published:* 2025-05-01
*Author:* Stephan Baugh

### TL;DR

**The pick:** Theft Detection Lock plus always-on VPN with the system kill switch plus Identity Check. These three close the three biggest exposure windows on any current Android phone.

**Runner-up:** the rest of the twelve below add real but smaller increments: stronger PIN, faster auto-lock, phishing protection in Messages and Gmail, app-source restriction, regular OS updates.

**Skip if:** you only use the phone for offline tasks. The full twelve is overkill there; the three above are still worth it.




Android security playbook

Twelve settings. Five minutes. *One materially harder phone to compromise.*
---------------------------------------------------------------------------

The Android security model in 2025 is good. The hard part is finding the toggles that activate it. Here are twelve, in priority order.

- 12 settings: ranked by what they actually protect
- 3 windows: snatched phone, leaking VPN, factory-reset attempt
- 5 minutes: total setup on a clean phone






Modern Android ships with most of the security it needs out of the box. The twelve toggles below activate the parts that aren't on by default. Run through them once on a new phone, and the device you put back in your pocket is materially harder to steal, harder to wipe, and harder to phish than the one you took out.

1. Theft Detection Lock
-----------------------

Settings > Security & privacy > Device unlock > Theft protection > Theft Detection Lock. An on-device ML model locks the phone the moment a snatch motion pattern fires. This is the single most important setting added to Android in years, and it is not on by default on every device. Battery overhead is under 1% per day.

2. Always-on VPN with the system kill switch
--------------------------------------------

Settings > Network & internet > VPN > gear icon, then enable both Always-on VPN and Block connections without VPN. The OS-level kill switch is stronger than any in-app kill switch. Together they cover the leak windows during reboot, sleep, and Wi-Fi-to-LTE handoffs that the in-app toggle can't catch.

3. Identity Check
-----------------

Settings > Security & privacy > Identity Check. It requires biometrics for sensitive actions (factory reset, screen-lock change, Find Hub disable) outside trusted locations. A thief with your unlocked phone still can't wipe it for resale. Set home as the only trusted location; never the office.

4. A 6-digit PIN minimum, password better
-----------------------------------------

Settings > Security & privacy > Device unlock > Screen lock. A 4-digit PIN takes about half a day to brute-force; a 6-digit PIN takes 25 days; a 6-character password is borderline uncrackable for opportunistic theft. Move past 4 digits today.

5. Auto-lock under 30 seconds
-----------------------------

Same menu. Anything longer creates a window for the phone sitting on the cafe table to be unlocked when grabbed. Failed Authentication Lock (also same menu) auto-locks after a short burst of bad PINs without burning your retry counter.

6. Phishing protection in Messages and Gmail
--------------------------------------------

Google Messages > Settings > Spam protection. Gmail > Settings > account > link warnings. On-device classifiers flag suspicious links before they render. Both ship off on plenty of older devices.

7. App-source restriction
-------------------------

Settings > Security & privacy > More security and privacy > Install unknown apps. Set every app to "Not allowed" except a developer environment if you actually need one. Most Android malware in the past three years arrived as a sideload through this vector.

8. Quarterly app cleanup
------------------------

Settings > Apps. Uninstall anything you haven't used in 90 days. Apps you don't open still receive silent updates and request fresh permissions; their attack surface stays live.

9. Find Hub setup
-----------------

Settings > Google > Find My Device. Find Hub is the rebranded Find My Device, with crowd-sourced offline finding via every nearby Android phone (more than a billion devices). Enable it, verify with the find.google.com browser tool, and confirm the offline-finding network is on.

10. Auto-updates for the OS
---------------------------

Settings > System > System update > Auto-download. Most Android security incidents in the past two years exploited bugs that had patches available; users just hadn't installed them. Auto-download cuts the delay between patch and protection by weeks.

11. Encrypted backups
---------------------

Settings > Google > Backup. Verify the backup is on (Pixel and most newer Samsung devices have it on by default). The backup is end-to-end encrypted with a key derived from your screen lock; if you lose the phone, you can restore on the next one without exposing the data to Google.

12. Lock-screen notification privacy
------------------------------------

Settings > Notifications > Notifications on lock screen > Don't show notifications. The default is to show them. A snatched-but-still-locked phone reveals incoming SMS codes, banking alerts, and message previews to whoever is holding it. Hide-on-lockscreen is the simplest fix.


All twelve settings ranked

### Setting impact scorecard.

| Setting | Impact | Setup time | Default state on Pixel 9 |
| --- | --- | --- | --- |
| Theft Detection Lock | High | 30 sec | Off until enabled |
| Always-on VPN + system kill switch | High | 1 min | Off |
| Identity Check | High | 30 sec | Off |
| 6-digit PIN minimum | Med | 1 min | Whatever you set |
| Auto-lock under 30s | Med | 10 sec | Often 1 min default |
| Phishing protection | Med | 30 sec | Sometimes off |
| App-source restriction | Med | 30 sec | Often permissive |
| Quarterly app cleanup | Low | 5 min /qtr | Manual |
| Find Hub | High | 30 sec | On but unverified |
| OS auto-updates | High | 10 sec | Off on some carriers |
| Encrypted backups | Med | 30 sec | Usually on |
| Lock-screen privacy | Med | 20 sec | Show all by default |


Common questions

### Android security FAQ

- **Do I need an antivirus app on Android?** For most users, no. Google Play Protect (built-in) scans installed apps for malware. Third-party antivirus on Android exists mostly to upsell unrelated features. The twelve toggles above plus sticking to the Play Store close the gaps Play Protect can't on its own.
- **Will Theft Detection Lock work on older phones?** Requires Android 15 or later. Pixel 8a+, Galaxy S24+, OnePlus 12+, Xiaomi 14+, current Motorola flagships. Older phones running Android 14 or below don't get the feature.
- **How often should I review these settings?** Once when you set up a new phone, then quarterly thereafter. The settings sometimes reset after major OS updates; the quarterly check catches that.
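
For the quarterly check, part of the review can be scripted from a workstation over adb. The script below is an added example, not from the original article: it covers only the always-on VPN pair, lock-screen notifications, screen timeout and patch level, and it assumes the AOSP setting key names, a 2025-04-01 patch threshold and the constructed sample values shown. The remaining toggles still need a look in the Settings app.

```shell
#!/bin/sh
# Added example, not from the original article. Setting keys are AOSP names
# (assumption); vendor builds may store some of them elsewhere.

# collect: dump the audited values from a USB-connected device via adb.
collect() {
  for k in always_on_vpn_app always_on_vpn_lockdown lock_screen_show_notifications; do
    printf '%s=%s\n' "$k" "$(adb shell settings get secure "$k" | tr -d '\r')"
  done
  printf 'screen_off_timeout=%s\n' "$(adb shell settings get system screen_off_timeout | tr -d '\r')"
  printf 'security_patch=%s\n' "$(adb shell getprop ro.build.version.security_patch | tr -d '\r')"
}

fail() { echo "FAIL $1"; fails=$((fails + 1)); }

# audit: read key=value lines on stdin, print one FAIL line per weak setting and
# return the number of failures. $1 = oldest acceptable patch level (YYYY-MM-DD).
audit() {
  min_patch=$(printf '%s' "$1" | tr -cd '0-9'); fails=0
  while IFS='=' read -r key val; do
    case $key in
      always_on_vpn_app)
        case $val in ''|null) fail "always-on VPN: no app configured" ;; esac ;;
      always_on_vpn_lockdown)
        [ "$val" = 1 ] || fail "VPN kill switch: Block connections without VPN is off" ;;
      lock_screen_show_notifications)
        [ "$val" = 0 ] || fail "lock screen: notifications are shown" ;;
      screen_off_timeout)   # stored in milliseconds; 30 s or less passes
        case $val in
          ''|*[!0-9]*) fail "screen timeout: unreadable value '$val'" ;;
          *) [ "$val" -le 30000 ] || fail "screen timeout: $val ms exceeds 30 s" ;;
        esac ;;
      security_patch)       # compare dates as YYYYMMDD integers
        patch=$(printf '%s' "$val" | tr -cd '0-9')
        case $patch in
          '') fail "patch level: unreadable value '$val'" ;;
          *) [ "$patch" -ge "$min_patch" ] || fail "patch level: $val is older than $1" ;;
        esac ;;
    esac
  done
  return "$fails"
}

# Constructed sample: a device whose settings drifted after an update.
sample_weak() {
  printf '%s\n' always_on_vpn_app=com.example.vpn always_on_vpn_lockdown=0 \
    lock_screen_show_notifications=1 screen_off_timeout=60000 security_patch=2024-11-05
}
# Constructed sample: a device configured as the article recommends.
sample_hardened() {
  printf '%s\n' always_on_vpn_app=com.example.vpn always_on_vpn_lockdown=1 \
    lock_screen_show_notifications=0 screen_off_timeout=30000 security_patch=2025-04-05
}

# Offline demo on the constructed sample; on a real device: collect | audit 2025-04-01
sample_weak | audit 2025-04-01 || echo "$? setting(s) need attention"
```
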


Verdict
-------

Twelve settings, 5 minutes total on a clean phone. The first three (Theft Detection Lock, always-on VPN with the system kill switch, Identity Check) carry the most weight; the next nine add real but smaller increments. Once configured, the only ongoing maintenance is the quarterly app cleanup, which takes 5 minutes and is the cheapest security work you can do.

#### How we tested

Settings paths verified May 2025 on Pixel 9 Pro (Android 16), Galaxy S25 Ultra (One UI 7), and OnePlus 13 (OxygenOS 15). Vendor menu structure varies; the toggles are the same but the path may differ by one or two screens.