4.4 Securing iPhone and Android phones
Reviewed 15 July 2026. Menu names vary by operating-system version and Android manufacturer. Search within Settings if a path below is not identical on your phone.
What mobile security means
A modern phone is usually the most security-sensitive computer a person owns. It contains messages, photographs, location history, health information, passwords, passkeys, banking apps, and the email account used to reset everything else. It receives login codes and often acts as the trusted device that approves new logins. Losing control of the phone can therefore become loss of the person's wider digital identity.
Mobile security is not one property. It has several layers: secure boot makes it harder to replace the operating system; storage encryption protects data when the phone is locked; app sandboxing restricts one app from reading another app's files; permissions control access to sensors and personal information; the app store and malware scanning reduce the chance of installing hostile code; account security protects cloud copies and remote-management functions; and network encryption protects data while it travels. A phone can be strong at one layer and weak at another.
The threat also matters. A six-digit passcode and current software are excellent protection against opportunistic theft. They do not guarantee protection if an abusive partner knows the passcode, if a criminal takes over the cloud account, if the owner is tricked into installing a management profile, or if a highly resourced attacker uses an unknown vulnerability. Settings should follow a threat model, not a desire to turn on every switch.
The iPhone security model
Apple controls the main hardware, the operating system, the default app distribution system, and the security-update channel. An iPhone starts from a hardware root of trust and verifies the software it loads. The Secure Enclave is a separate security subsystem that protects cryptographic material and evaluates Face ID or Touch ID data. Data Protection encrypts files with keys tied to the device and, for protected classes, the passcode. Apps are sandboxed and must request access to protected data and sensors.
This integration has practical advantages. Supported iPhones generally receive security updates directly and at the same time; security capabilities are relatively consistent across models; and the tightly controlled app environment limits common malware. The important word is limits. Malicious and abusive apps still appear, legitimate apps can collect excessive data with permission, web and message parsers can have vulnerabilities, and a person who controls the Apple Account or an unlocked phone may not need malware at all.
The closed model also has costs. The user has less ability to inspect or replace system components, Apple is a large point of trust, and some cloud services are designed for convenience rather than end-to-end confidentiality. App sandboxing means consumer "antivirus" apps cannot inspect the whole phone as desktop antivirus can. That is a security strength of the platform, but it also means an antivirus subscription cannot compensate for an old iOS version, a stolen passcode, or a compromised Apple Account.
The Android security model
Android is a platform used by many manufacturers rather than one uniform product. At the platform level, modern Android uses a hardware-backed boot chain, Verified Boot, file-based encryption, per-app Linux identities, application sandboxing, SELinux access controls, runtime permissions, and hardware-backed key storage where the device supports it. Google Play Protect scans apps and devices for harmful behaviour on devices with Google Mobile Services.
The core architecture is strong. The variation comes from the device around it: manufacturer update policy, hardware security, bundled apps, carrier customisation, bootloader state, and how quickly patches arrive. A current, supported Pixel, Samsung flagship, or another device with a clear long-term patch commitment is a different security proposition from an inexpensive handset receiving irregular updates. "Android is secure" and "Android is insecure" are both too vague to be useful; the exact model, support date, software build, and configuration matter.
Android's openness is also a genuine advantage. It offers more hardware choice, stronger separation options on some devices, work profiles and private spaces, alternative app distribution, and specialist operating systems on selected hardware. The same flexibility increases the number of decisions that can go wrong. Unlocking the bootloader, rooting the phone, installing apps from unknown sources, or running an unsupported custom build can weaken Verified Boot, sandbox assumptions, and update reliability. A carefully maintained specialist installation may improve privacy, but an improvised one can reduce security.
iPhone versus Android: practical pros and cons
iPhone strengths: consistent and long-lived updates across supported devices; tight hardware and software integration; a strong default app sandbox; relatively uniform security features; Stolen Device Protection; and Lockdown Mode for people facing sophisticated targeted attacks. The smaller range of models makes it easier to give reliable instructions and to know whether a feature exists.
iPhone limitations: reliance on Apple for hardware, operating system, app distribution, cloud integration, and account recovery; limited user inspection and customisation; some data remains accessible to Apple under standard iCloud protection; and privacy settings cannot stop an app collecting information that the user intentionally gives it. Lockdown Mode also restricts functionality and is not a general privacy switch.
Android strengths: broad device and price choice; good security architecture on current devices; granular permissions; Privacy Dashboard; Private DNS; always-on VPN support; work profiles or Private Space on supported versions; Android Advanced Protection on supported devices; and the possibility of choosing a manufacturer or specialist system aligned with a particular privacy need.
Android limitations: update duration and speed vary; manufacturer menus and bundled software differ; cheaper or older devices may stop receiving patches while still working normally; sideloading expands the software supply-chain risk; and some biometric implementations provide weaker assurance than others. The Android label alone does not tell you whether the product will be supported for the years you intend to keep it.
For most people the better phone is the supported phone they will keep updated, lock properly, and understand. A well-maintained Android handset is safer than an abandoned iPhone, and a supported iPhone with a weak passcode shown to strangers is less safe than its specification suggests. People at elevated risk should also consider ecosystem diversity, repair and replacement logistics, and whether they need Apple's Lockdown Mode or Android's specialist deployment choices.
A strong baseline for every phone
Choose support before features
Buy a model with a published security-update end date that extends beyond the period you expect to use it. Do not rely on a phone simply because it still runs apps. Once security support ends, newly discovered flaws remain open. On Android, verify the policy for the exact model and region, not only the manufacturer's newest flagship. Replace or repurpose an unsupported phone rather than using it for banking, authentication, or sensitive communication.
Install operating-system and app updates
Enable automatic system updates, security updates, and app updates. Apply urgent security releases promptly. A short delay for a major feature release can sometimes avoid compatibility problems, but repeatedly postponing security patches leaves known vulnerabilities available to attackers. Restart the phone periodically so completed updates take effect and so data protected until first unlock returns to its stronger post-reboot state.
Use a strong device credential
Use at least a six-digit PIN that is not a date, address fragment, repeated digit, or reused bank PIN. A longer numeric PIN or alphanumeric passcode is stronger, especially if the phone could be seized or deliberately targeted. Enter it discreetly. Shoulder-surfing followed by theft defeats impressive hardware if the thief has watched the code.
Biometrics are useful because they make a longer passcode tolerable and reduce how often it is exposed in public. They are a convenience authentication mechanism, not a replacement for the passcode that ultimately protects encryption keys and recovery operations. Register only your own face or fingers. Review enrolled biometrics after repair, travel, or any period when the device left your control. The legal treatment of compelled biometrics and compelled disclosure of knowledge varies with jurisdiction and circumstances; seek legal advice for a real case.
Lock quickly and hide lock-screen data
Set a short automatic-lock interval. Require authentication immediately rather than leaving a grace period. On the lock screen, hide message previews, one-time codes, calendar details, email contents, smart-home controls, reply actions, wallet access, and USB data access unless the convenience is necessary. A locked screen that displays password-reset messages is only partly locked.
Secure the primary account
The Apple Account or Google Account can locate the phone, restore backups, synchronise passwords, and approve recovery. Protect it with a unique password and phishing-resistant passkey or security key where available. Review trusted devices, recovery phone numbers, recovery email addresses, app passwords, and third-party access. Keep at least one recovery method that is not available only through the phone itself. Store recovery codes or a backup security key offline in a physically secure place.
Prepare for loss before it happens
Enable Find My on iPhone or Find Hub/device-finding features on Android. Confirm from another device that you can sign in and locate, mark lost, or erase the phone. Record the IMEI and carrier contact details somewhere else. Set a carrier account PIN and protect number-porting to reduce SIM-swap risk. Know how to revoke wallet cards, active sessions, and mobile service. Remote erase is a last resort and depends on the phone reconnecting; the screen lock and encryption must provide the immediate protection.
Minimise apps
Every installed app is code, an update channel, a set of permissions, and often an account. Remove apps you no longer use. Prefer the official store and a known developer. Read the publisher name, recent reviews, privacy information, and permission requests rather than trusting a familiar-looking icon. Avoid configuration profiles, device-management enrolment, accessibility services, keyboard apps, and VPN apps unless you understand why they need elevated control. Do not install a certificate or management profile merely to join a hotel, airport, cafe, school, or event network.
Hardening an iPhone
Updates and account protection
- Open Settings > General > Software Update > Automatic Updates. Enable automatic download and installation of iOS updates and security responses where offered.
- Open Settings > [your name] > Sign-In & Security. Confirm two-factor authentication, trusted phone numbers, recovery contacts, and security keys if you use them.
- Review every device listed under the Apple Account. Remove devices you no longer possess or recognise.
- Turn on Find My iPhone, the Find My network, and Send Last Location. Activation Lock then makes simple resale harder, but it does not replace reporting a theft.
Passcode, Face ID, and theft resistance
- Open Settings > Face ID & Passcode. Use Passcode Options to choose a longer numeric or custom alphanumeric code if your risk justifies it.
- Under Allow Access When Locked, disable features that expose data or control without unlocking. Keep only the ones whose emergency or accessibility value outweighs the risk.
- Turn on Stolen Device Protection. It requires Face ID or Touch ID without passcode fallback for defined sensitive actions and can impose a security delay before critical account changes. On supported versions, consider requiring the protection away from familiar locations or always, depending on the options shown.
- Lock especially sensitive apps where iOS offers Require Face ID. This adds a boundary after the phone itself is unlocked; with Stolen Device Protection, locked apps can receive stronger protection away from familiar places.
- Use the power-and-volume button gesture or the emergency screen when you need to disable biometric unlock temporarily. After a restart or biometric lockout, the passcode is required.
Lockdown Mode
Lockdown Mode is Apple's optional extreme protection for the small number of people who may be personally targeted by sophisticated mercenary spyware: for example, some journalists, political figures, campaigners, diplomats, lawyers, executives, and people assisting sensitive investigations. It reduces attack surface by restricting message attachments and link previews, some web technologies, unsolicited service invitations, connections to computers and accessories while locked, configuration profiles, and other features that have historically provided exploitation routes.
Turn it on under Settings > Privacy & Security > Lockdown Mode, review the effects, and restart when prompted. Keep every linked Apple device current; protecting only the phone while leaving a synchronised tablet or laptop exposed weakens the result. Exceptions can be added for selected websites or apps, but every exception restores some attack surface.
Lockdown Mode is not an anonymity mode, ad blocker, VPN, firewall, or protection from someone who knows the passcode. It will not stop an app from receiving data you submit, prevent account phishing, hide location from a carrier, or secure an already-compromised cloud account. It can break websites, attachments, shared albums, calls from unknown contacts, accessories, and organisational management. Most users gain more from updates, a strong passcode, Stolen Device Protection, careful permissions, and account security. Turn on Lockdown Mode because the threat warrants its deliberate restrictions, not because "more security" always means "better".
Tracking, permissions, and sharing
- Open Settings > Privacy & Security > Tracking. Turn off Allow Apps to Request to Track if you do not want apps asking to link activity across other companies' apps and websites for advertising or data-broker sharing. Review any existing exceptions.
- Understand the boundary: App Tracking Transparency restricts a defined category of cross-company tracking. It does not stop first-party analytics, information you give an app, server logs, subscription records, or every possible fingerprinting technique.
- Review Location Services app by app. Prefer Never, Ask Next Time, or While Using over persistent access. Disable Precise Location where an approximate location is enough. Check system services and significant-location features separately.
- Review Contacts, Calendars, Reminders, Photos, Bluetooth, Local Network, Microphone, Camera, Health, Motion, and Files permissions. Give selected-photo access rather than the whole library when practical. A flashlight, wallpaper, or simple game rarely needs contacts or microphone access.
- Use the App Privacy Report, where available, to see sensor access and network domains. Treat it as an investigation aid, not proof that a connection is malicious.
- Use Settings > Privacy & Security > Safety Check to review people, apps, devices, and account access. Emergency Reset can stop sharing quickly. In an abusive situation, plan first: removing access or location sharing may alert another person or change their behaviour.
- Keep Private Wi-Fi Address enabled for networks that support it. This reduces use of the hardware Wi-Fi address as a stable tracking identifier. Forget networks you no longer need and disable automatic joining of open hotspots.
iCloud, Private Relay, and backups
Decide deliberately what synchronises to iCloud. Device encryption does not mean every cloud copy is end-to-end encrypted. In the UK, Apple no longer allows users to enable Advanced Data Protection, so categories such as iCloud Backup, iCloud Drive, Photos, and Notes use Apple's standard protection rather than keys controlled only by the user's trusted devices. Some categories, including iCloud Keychain and Health data, remain end-to-end encrypted by default.
iCloud Private Relay, included with iCloud+, protects supported Safari browsing and related name-resolution traffic by separating knowledge of the subscriber from knowledge of the destination. It is useful, but it is not a full-device VPN and does not protect all app traffic. Limit IP Address Tracking controls it for individual Wi-Fi or cellular networks. Do not describe the Private Relay icon as proof that every app is tunnelled.
Hardening an Android phone
Device choice, updates, and boot integrity
- Check the manufacturer's published security-support end date for the exact model. Prefer a device with monthly or clearly scheduled security patches and several years of support remaining.
- Open Settings > Security & privacy > System & updates, or search Settings for Security update, Google Play system update, and System update. These can be separate update channels; check all of them.
- Leave the bootloader locked and Verified Boot intact unless you have a specific, researched reason and a maintained alternative system. A warning at every boot deserves investigation.
- Keep Google Play Protect enabled. It reduces harmful-app risk but is not permission to install indiscriminately.
Screen lock, biometrics, and theft protection
- Use a strong PIN or password rather than a simple pattern. Patterns are easy to observe and may leave visible traces. Set a short lock timeout and immediate locking with the power button.
- Check whether the phone's face unlock is approved for strong authentication. Some models use a convenient camera-based match that apps will not accept for banking or passkeys. A good fingerprint sensor plus a strong PIN is often the more predictable choice.
- Open Settings > Google > All services > Theft protection where available. Enable Theft Detection Lock, Offline Device Lock, Remote Lock, and Identity Check as appropriate. Names and availability vary by device and Android version.
- Identity Check, on supported devices, requires strong biometric authentication for sensitive actions outside trusted places and removes the screen-lock fallback for those actions. It helps against a thief who has observed the PIN. Review trusted places carefully: making a large area trusted weakens the control.
- Enable Find Hub/device-finding and offline finding where available. Review which account can erase or locate the phone and secure that account independently.
Android Advanced Protection
On supported Android versions, device-level Advanced Protection is a single control that holds a group of strong protections on. It can prevent Play Protect from being disabled, block installs and updates from unknown sources, restrict accessibility services to verified tools, enable memory-safety protections on supported hardware and apps, and integrate stronger settings across Google apps. Find it by searching Settings for Advanced Protection, commonly under Security & privacy.
This is not identical to Apple's Lockdown Mode. Lockdown Mode aggressively removes or restricts features to resist sophisticated targeted exploitation. Android Advanced Protection assembles defence-in-depth controls with less disruption. Feature availability depends on Android version, hardware, manufacturer, region, and apps. Some protections can affect performance or compatibility.
Do not confuse device-level Advanced Protection with the separate Google Advanced Protection Program for accounts. The account programme requires passkeys or security keys, restricts third-party access to Google data, adds download checks, and makes recovery more rigorous. People facing targeted phishing should consider both device and account protections, with a backup security key and recovery plan stored away from the phone.
Permissions and app control
- Open Settings > Security & privacy > Privacy > Privacy Dashboard. Review which apps used location, camera, microphone, contacts, nearby devices, call logs, SMS, files, and other permissions, and when.
- Use Only while using the app, Ask every time, approximate location, or selected media where available. Remove permissions from unused apps and enable automatic permission removal for apps you stop using.
- Watch the camera and microphone indicators. Tap the indicator to identify the active app. Quick Settings can disable camera or microphone access globally for a high-risk meeting, but this will also break legitimate calls and recording.
- Audit Special app access: accessibility, notification access, display over other apps, install unknown apps, device admin apps, usage access, unrestricted battery, and VPN. These powers can expose far more than an ordinary permission. Accessibility access in particular can let an app read screens and press controls on the user's behalf.
- Leave Install unknown apps disabled by default. If sideloading is genuinely necessary, enable it only for the intended installer, verify the file and publisher through an independent channel, install it, and disable the permission again. Manual installation transfers update and provenance responsibility to you.
- Use Private Space, a work profile, or a separate user profile on supported devices when genuine isolation is needed. Hiding an icon is not the same as encrypting a separate profile, and notifications, backups, keyboards, accounts, or file sharing can still bridge compartments depending on configuration.
- Review the advertising ID and ad-personalisation controls under Privacy or Google settings. Resetting or deleting an advertising identifier reduces one linkage method; it does not stop account-based, first-party, IP-based, or fingerprint-based tracking.
- Keep Android's Private DNS on Automatic or use a trusted provider hostname if you understand the trust trade-off. Private DNS protects DNS queries and answers where supported; it does not encrypt all traffic or replace a VPN.
Backups and cloud accounts
A backup protects availability but creates another copy to defend. Identify what the phone backs up, who holds the decryption keys, how account recovery works, and whether deleting something from the phone deletes or retains it in the cloud. Photographs may use a separate service from the device backup; messaging apps may have their own backup settings; authenticator seeds and passkeys may synchronise through another credential manager.
Test recovery before an emergency. Confirm that essential photographs, contacts, documents, and authenticator recovery materials can be restored without keeping the only recovery code on the phone being restored. Do not take screenshots of master recovery codes and leave them in a cloud-synchronised photo library. For highly sensitive material, consider an encrypted offline backup under a key you control, balanced against the risk of losing that key.
Review old backups and old devices. An obsolete tablet signed into the same account or a years-old cloud backup can become the weakest route into current data. Remove devices you no longer control, erase them before disposal, and revoke their sessions. After a repair, verify account devices, biometrics, VPNs, certificates, and management profiles.
Mobile data security
Mobile data is generally a good choice when the alternative is an unknown public Wi-Fi network. The cellular connection authenticates the SIM or eSIM and encrypts the radio link between the handset and the mobile network. Other people in a cafe do not join the same local network, and a fake hotspot cannot intercept a connection the phone never makes.
That does not make cellular service anonymous or end-to-end private. The carrier necessarily knows the subscriber or account, SIM identifiers, device and network identifiers, connection times, data volume, and which cells serve the phone. That produces location information of varying precision. Without a VPN or other protective protocol, the carrier can also observe network destinations and may handle DNS queries, although HTTPS normally prevents it reading the contents and exact path of a secure web session. Apps can still send their own analytics and identifiers directly to their providers.
Use 4G or 5G rather than forcing legacy network modes where practical, and keep the carrier settings current. Set a carrier account PIN and port-out protection. Prefer app-based or hardware-backed MFA over SMS because phone-number takeover and message redirection can compromise SMS codes. Be alert to an unexpected loss of service, a notice that the SIM changed, or password-reset messages you did not request.
Disable data roaming when it is not needed, mainly to control cost and unintended foreign-network use. Roaming does not automatically expose plaintext app content, but it adds network and jurisdictional parties. For sensitive travel, consider a separate supported device and a minimal set of accounts rather than carrying a complete personal archive.
When using the phone as a hotspot, set a strong hotspot password, use the strongest compatible Wi-Fi security, disable it after use, and review connected clients. Do not assume the phone's VPN protects tethered devices: routing differs by operating system and VPN app, and tethered traffic may bypass the tunnel. Test the external device's apparent IP address and DNS path rather than inferring protection from the VPN icon on the phone.
Free and public Wi-Fi
"Free Wi-Fi" is not automatically hostile, and modern HTTPS has removed much of the old risk of a hotspot simply reading passwords and page contents. The remaining risks are still meaningful: joining a convincing fake network, local-network probing, insecure non-HTTPS traffic, DNS manipulation, tracking by the venue or network provider, malicious captive portals, and prompts designed to make the user install an app, certificate, or management profile.
Prefer mobile data for banking, account recovery, confidential work, or any task where failure would be costly. If public Wi-Fi is necessary:
- Confirm the network name with a sign or member of staff. A name such as "Station Free WiFi" proves nothing by itself.
- Disable automatic connection to open networks. Join deliberately, use the captive portal, then start the VPN if the VPN could not connect before portal login.
- Do not install a root certificate, configuration profile, device-management enrolment, keyboard, or unknown app to obtain ordinary guest access. Leave if the network requires disproportionate control.
- Keep HTTPS warnings fatal. Do not bypass a certificate error because the venue is trusted; the warning means the secure identity check failed.
- Keep AirDrop, Quick Share, file sharing, media casting, and discoverability restricted. A private/randomised Wi-Fi address reduces stable local tracking but does not hide activity after login.
- Forget the network after use if you do not expect to return. Otherwise the phone may reconnect to a network presenting the same name.
- Avoid sensitive work during the brief period used to satisfy a captive portal before the VPN connects.
A password printed on the wall does not make a guest network private; every visitor may know it. WPA2 or WPA3 still improves radio-link protection, but the network operator and the path beyond the access point remain trusted parties. HTTPS protects each secure service connection. A VPN adds a consistent encrypted path from the phone to the VPN server.
The benefits and limits of a VPN on a phone
A VPN creates an encrypted tunnel from the phone to a VPN server. On public Wi-Fi, it prevents the local operator and nearby network observers from seeing the individual destinations and DNS traffic carried inside the tunnel, subject to the VPN's configuration. On mobile data, it reduces what the carrier can learn about destinations, while the carrier still sees that the phone is connected to the VPN, when, and how much data moves. Websites and internet services see the VPN server's IP address rather than the phone's current public IP address.
This is useful for protecting traffic on untrusted networks, reaching an employer's internal services, reducing ISP or carrier destination logging, keeping a more consistent apparent location, and avoiding exposure of the home or mobile IP address to each site. A full-device, automatically reconnecting VPN with leak protection is more reliable than remembering to turn one on after starting sensitive work.
A VPN does not make the phone anonymous. The VPN provider becomes a concentrated point of trust. Apps still know the account, advertising identifiers, push-notification token, device characteristics, location permission, and information typed into them. Cookies and browser fingerprints remain. A VPN does not stop phishing, malicious apps, screenshots, cloud synchronisation, carrier location records, or an attacker who controls the unlocked device. It normally protects traffic only between the phone and VPN server; traffic then continues to its destination, where HTTPS remains essential.
Choosing and configuring one
- Choose a provider with clear ownership, a sustainable business model, documented logging practices, current independent security assessments, modern protocols, prompt updates, and a history that matches its claims. A privacy policy is evidence of a promise, not proof of technical impossibility.
- Avoid unknown "free" VPN apps. Operating servers costs money; a free service may monetise advertising, behavioural data, traffic manipulation, or an upsell. A reputable limited free tier can be different, but investigate the same company and architecture.
- Use the operating system's supported VPN framework. Do not grant unrelated contacts, photos, accessibility, or device-administrator permissions to a consumer VPN.
- Enable automatic connection on untrusted networks. On Android, use Always-on VPN and, where appropriate, Block connections without VPN. On iPhone, dependable always-on enforcement is normally strongest in a managed configuration; consumer apps often provide on-demand or auto-connect rules instead. Test after sleep, switching from Wi-Fi to mobile data, and changing networks.
- Use a nearby, stable exit unless a different country is required. It generally reduces latency, location anomalies, account-security alerts, and banking blocks.
- Check whether the VPN handles IPv6 and DNS. Use a reputable test site to compare apparent IP and DNS before and after connection, but remember that a successful test says nothing about the provider's internal logging.
- Expect some battery use, latency, connection failures, streaming restrictions, bank challenges, and captive-portal friction. A kill switch trades accidental leakage for complete loss of connectivity when the tunnel fails.
- Do not stack multiple consumer VPNs without a designed reason. Mobile operating systems usually support one active system VPN; DNS filters, firewalls, parental controls, and security apps may compete for the same VPN slot.
iCloud Private Relay and Android Private DNS solve narrower problems. Private Relay is not a full-device VPN. Private DNS encrypts name lookups but not the connections named by those lookups. Tor Browser provides a different anonymity design for web activity and should not be described as simply a stronger VPN. Choose the tool for the threat.
High-risk and emergency actions
If you receive a credible targeted-attack warning from Apple, Google, an employer, or a security team, preserve the message and verify it through a separately obtained official contact. Update all devices, consider Apple Lockdown Mode or the applicable Android and account Advanced Protection controls, and obtain specialist help. Do not forward a suspicious attachment to colleagues for a second opinion; that can spread the risk.
If the phone is stolen, prioritise personal safety. From a different trusted device, mark it lost, contact the carrier, revoke payment cards if necessary, and change the primary account password if account access may be at risk. Review email sessions and password-manager access because they unlock other accounts. Remote erase may be appropriate once recovery is unlikely, but follow organisational or evidential requirements if it is a work device or part of an investigation.
If you suspect intimate-partner monitoring, do not make abrupt changes without considering physical safety. Account or location changes may notify the other person. Use a device the other person cannot access to seek specialist support. Apple's Safety Check is useful, but it cannot audit non-Apple accounts, a different Apple Account, every social service, or a physical tracker. Android permissions and account-device lists likewise show only part of the picture.
If the phone behaves strangely, do not assume sophisticated spyware. Battery drain, heat, and crashes commonly have ordinary causes. Check software version, battery and data use by app, device-admin or management profiles, accessibility services, VPNs, certificates, account devices, and recently installed apps. For a high-consequence case, preserve evidence and seek expert advice before resetting. For an ordinary suspected compromise, update, remove untrusted configuration, change account credentials from a clean device, and factory-reset if confidence cannot be restored.
Mobile security checklists
Ten-minute baseline
- Install all system, security, Google Play system, carrier, and app updates.
- Set a unique six-digit-or-longer PIN and a short auto-lock interval.
- Hide sensitive notification previews and disable unnecessary lock-screen actions.
- Enable account two-factor authentication, device finding, and theft protection.
- Remove apps you do not use and revoke unnecessary location, microphone, camera, contacts, and photo access.
- Disable automatic joining of open Wi-Fi; keep private/randomised Wi-Fi addressing on.
- Set a carrier PIN and move important accounts away from SMS-only MFA.
Elevated-risk baseline
- Use a longer alphanumeric passcode entered away from cameras and onlookers.
- Use phishing-resistant passkeys or hardware security keys with an offline backup key.
- Enable iPhone Lockdown Mode when targeted-spyware risk justifies the breakage, or Android device and Google Account Advanced Protection where supported.
- Turn on Stolen Device Protection or Android Identity Check and audit trusted locations.
- Minimise cloud synchronisation, old backups, linked devices, and third-party account access.
- Use a reputable automatic full-device VPN on untrusted networks and verify reconnection behaviour.
- Separate high-risk roles from everyday accounts or devices where cross-contamination would be costly.
- Maintain an offline recovery plan and a known route to specialist incident response.
Official sources
- Apple Platform Security: hardware security overview and Lockdown Mode security.
- Apple: Stolen Device Protection, app tracking permissions, and Safety Check.
- Apple: iCloud Private Relay on iPhone.
- Android Open Source Project: security overview, encryption, and Verified Boot.
- Android Advanced Protection, Privacy Dashboard, and theft protection and Identity Check.
- Android VPN settings and Private DNS and advanced network settings.
- UK National Cyber Security Centre: VPN guidance and keeping devices updated.