By
Scott Houghton - Jr. Staff Writer
Updated

You don't need antivirus software, a paid VPN, or a single downloaded app to lock down an Android phone. Almost everything that protects it is already sitting in Settings—switched off or ignored.

I write about the Android operating system for a living, and even I'd left half of these settings untouched until I sat down to write this guide. I know better, and I still put it off because the easy, boring stuff never feels urgent until the day someone breaks through your security.

And when that day comes, the tactics are never as dramatic as the headlines make them sound. Nobody's decrypting your bank app at the coffee shop or using a high-definition scan of your fingerprint to get into your phone. The vulnerabilities that people leave are, boring ones, like a login you forgot to kill or a permission you never should have granted.

The fixes almost feel too easy, and most take a minute or two. I got through the whole list on my own Galaxy Z Fold5 in a single afternoon.

Let’s dive in, and I’ll cover which security measures you should turn now, the order I'd tackle them in, and how to take each step on your own.

1. Run the Google Account Security Checkup first


The single highest-value thing you can do for your phone's security lives on the web, not on your phone. Google's Security Checkup scans your entire account and shows you every weak spot on one screen.

Go to myaccount.google.com/security-checkup on any browser and sign in. You'll get a list ranked by color. Green means you're fine, yellow flags something important to review, and red means fix it now.

Google's Security Checkup page showing a green shield, with flagged tips under Your devices, Sign-in and recovery, and Your saved passwords
Google's Security Checkup grades your entire account on a single screen. Even with a green shield up top, it still flags tips worth clearing, like signing out of an old device.
Image: Scott Houghton | WhistleOut

Work top to bottom and clear the red items first. The three that matter most:

  1. Turn on 2-Step Verification: When you set it up, skip the text-message codes if you can. Those can be intercepted through SIM swapping. An authenticator app like Google Authenticator or a phone prompt is stronger protection.
  2. Add a passkey: A passkey replaces your password with your fingerprint or face. There's nothing to type, which means there's nothing to phish. Google now treats passkeys as the recommended everyday sign-in method, and honestly, it's faster too.
  3. Check "Your devices" and prune the junk: I found a Pixel I traded in two years ago still signed into my account. If you see a device you don't use or don't recognize, sign it out. The same goes for the "third-party access" list (all those apps you signed into with Google and forgot about).

Set a reminder to do this every few months. It takes two minutes, and it's the closest thing to a green checkmark of peace of mind you'll get.

Stop the spam while you're at it

Most phone scams don't start with a hack. They start with a text or a call you shouldn't have answered. These guides cover your options.

2. Clean up your app permissions


App permissions decide what each app on your phone is allowed to see and do, and most people grant far more than they realize. That third-party flashlight app does not need access to your contacts.

The Android Permission manager listing how many apps are allowed to use Camera, Location, Microphone, and more The Android Security and privacy overview showing a green Looks good, no threats found status with Lock screen, Account security, and Lost device protection all checked

Android tucks your privacy controls into a couple of menus. The Permission manager shows exactly which apps can access your camera, location, and microphone, and the Security and privacy page gives you a quick health check.
Image: Scott Houghton | WhistleOut

Android gives you two tools for this: Permission manager, which sorts everything by permission type, and a security and privacy dashboard, which shows you a timeline of which apps used your camera, microphone, and location in the last 24 hours. Both can be found by opening Settings > Security & privacy > Privacy.

5 permission settings worth considering

None of them takes more than a tap or two.

  • Ask every time: Forces untrusted apps to request sensitive access on each use instead of keeping a permanent pass.
  • Approximate location: Hands apps your general area instead of your exact spot, which is plenty for weather and most other apps.
  • Auto-remove unused permissions: Strips access from apps you haven't opened in months. On by default, so it’s best to leave it.
  • Accessibility access: Legitimate apps rarely need it, so revoke it from anything you don't recognize.
  • Device admin access: Only Find Hub and a work profile belong here. Treat anything else as a red flag.

3. Hide sensitive apps with Private Space or Secure Folder


Private Space is a built-in Android feature that hides sensitive apps behind a separate lock, like a phone within your phone. It arrived with Android 15, and it's the cleanest way to keep certain apps out of sight.

Anything you put in Private Space disappears from your main app drawer, recent apps, notifications, and search results when the space is locked. It's essentially a second, sandboxed profile living quietly on your device.

Here's how to set it up on a Pixel and most stock Android phones:

  1. Open Settings > Security & privacy.
  2. Under Privacy > Private space, authenticate with your screen lock.
  3. Sign in with a separate Google account (optional). This is the move if you want true separation, because the apps inside get their own account, browsing history, and app data.
  4. Set a lock for the space. I'd use a different PIN or your fingerprint.
  5. Add apps by installing them from the Play Store inside the space.

To open it, scroll to the bottom of your app drawer and tap the lock icon. To really make it disappear, go into the Private space settings and turn on Hide private space. After that, it won't appear in your drawer at all, and you'll need to search for Private Space to bring it back.

Samsung's Secure Folder icon, a blue folder with a white padlock, beside a phone screen showing the Secure Folder home with Gallery, Contacts, and Calendar inside
Secure Folder gives Galaxy owners a locked, encrypted space for apps and files, sealed off from the rest of the phone.
Image: Samsung

If you're on a Samsung, you won't find Private Space at all. Samsung skipped it in favor of Secure Folder, a separate encrypted space on your Galaxy, locked with its own PIN or fingerprint and sealed by Samsung Knox. Anything you move inside, from apps and photos to files and notes, stays hidden from the rest of your phone—so it never turns up in your gallery or app drawer. Apps inside also run as separate copies, so you can clone one and keep a second, work-only messaging account without carrying a second phone.

  • Set it up under Settings > Security and privacy > More security settings > Secure Folder.
    • Sign in with your Samsung account, pick a lock method, then open the folder and tap the plus icon to add apps.

4. Lock down your phone before you use public Wi-Fi


Public Wi-Fi is safer than it used to be, and most of the scary advice you've read is out of date. Google found that its Chrome users spent over 95% of their browsing time on HTTPS-secured pages. So even if someone wants to use an unsecured page to crack someone's security, most web users probably won't end up on it. And nobody's plucking your bank password out of the air at the airport the way they might have a decade ago.

The risk didn't disappear, though. It just evolved. The most common attack that still works is called The Evil Twin. With The Evil Twin, someone sets up a hotspot with a familiar-looking name like "Airport_Free_WiFi" or "Starbucks_Guest." You connect your phone to it, and your traffic now flows through their equipment. From there, they can serve you a login or payment page that looks identical to the real one, and anything you type into it—your password or your card number—lands straight in their hands instead of going to the site you thought you were on.

Here’s what I suggest you do when logging on to a public Wi-Fi network:

  • Verify the network name. Ask the barista or the front desk for the exact Wi-Fi name. "CoffeeShop-Guest" and "CoffeeShop_Free_WiFi" are not the same, and one of them might be a trap.
  • Turn off auto-join for public networks and forget them when you leave. On Android, tap the network, then forget it. That stops your phone from silently reconnecting to an evil twin next time you're nearby.
  • Save the sensitive stuff for later. Use your cellular data or wait until you’re home to access banking, shopping, or anything with a password worth stealing.
  • Never click past a certificate warning. If your browser throws up a security or "not secure" alert, disconnect. That's your phone telling you something's wrong.

You don't need to be paranoid. You just need to stop letting your phone trust strangers on your behalf.

The best defense here is not needing public Wi-Fi in the first place. If you're forever hunting for free Wi-Fi, a plan with more data often costs less than you'd expect, so it's worth seeing what’s available to help strengthen your phone’s security. Here are some of our favorites that offer plenty of data:

Mint Mobile
Mint Mobile

Unlimited Data Plan

  • Unlimited 4G LTE/5G data
  • 20GB mobile hotspot data
  • Deal: Get this unlimited plan for just $15/mo. (applicable for 3, 6 or up to 12 months of service)
$15.00/mo
$45 for 3 months of service
Visible
Visible

$25 Visible Plan

  • Unlimited 4G LTE/5G data
  • Unlimited mobile hotspot data
$25.00/mo
Taxes & Fees included
US Mobile
US Mobile

Unlimited Starter Plan

  • Unlimited 4G LTE/5G data
  • 10GB mobile hotspot data
  • whistleOut Exclusive: Get this plan for only $45 for 3 months ($15/mo.) with new number activation OR $5 off per month for 6 mo. (up to 3 lines) OR 30 Days FREE Trial
$25.00/mo
Metro by T-Mobile (MetroPCS)
Metro by T-Mobile (MetroPCS)

$40 Period Unlimited Plan

  • Unlimited 4G LTE/5G data
  • No mobile hotspot data
$40.00/mo
Taxes and regulatory fees included.

5. Set up Find Hub so you can find a lost or stolen phone


Find Hub is Google's tool for locating, locking, and erasing a lost Android phone, and it's already switched on the moment you add a Google account. It's the feature formerly called Find My Device, renamed but working the same way.

The catch with recovery tools is that the best ones only help if you enabled them before the phone went missing. So do this now, or verify it’s turned on, while you're thinking about it.

Open Settings > Google > All services > Theft protection.

The Find Hub settings screen on a Samsung phone, with the Allow device to be located toggle switched on, plus Remote Lock, offline device finding, and links to the Find Hub app and web
Find Hub switches on the moment you add a Google account. This screen is where you turn on the extras, like Remote Lock and offline finding, before you ever need them.
Image: Samsung

Here’s what to turn on:

  • Theft Detection Lock uses the phone's sensors and AI to detect a classic grab-and-run motion and automatically lock the screen.
  • Offline Device Lock locks the phone if a thief yanks it offline to dodge tracking.
  • Remote Lock lets you lock the screen from any browser at android.com/lock using just your phone number. Add a security question here too.

If your phone does go missing, open the Find Hub app or go to android.com/find on any device and sign in. You'll get three options:

  • Play Sound rings your phone at full volume for five minutes, perfect for the "it's somewhere in this house" panic.
  • Secure device locks it, signs you out of your Google account, pulls your cards from Google Wallet, and can show a message with your number on the lock screen.
  • Factory reset wipes it as a last resort, though once you do that, you can't track it anymore.

Find Hub can locate a phone even when it's offline, using a giant crowdsourced network of nearby Android devices over Bluetooth, all end-to-end encrypted so nobody, including Google, sees where your phone is except you.

Do this before you lose your phone

Both take two minutes while it's still in your hand.

  • Back up your phone. This action protects your data and ensures a remote factory reset doesn’t destroy your only copy.
  • Save your IMEI number. Dial *#06#, write it down, and keep it somewhere that isn't the phone. It's the first thing the police and your carrier will ask for when you lose your phone.

Android privacy and security: FAQ


Is Private Space the same as Secure Folder?

Not exactly, Private Space is Google's built-in feature on Android 15 and later, while Secure Folder is Samsung's own version, backed by Knox security. The gap between them has mostly closed. As of One UI 8, Samsung rebuilt Secure Folder on Google's Private Space technology, so the two now behave the same way underneath. The only difference is that Private Space can be linked to a separate Google account, whereas Secure Folder can't.

Can Android lock individual apps without a third-party app?

Google has been developing a native App Lock, but it hasn't shipped in the stable release yet. Your built-in options today are Private Space, app pinning, or a manufacturer's own app lock if you're on Samsung, Xiaomi, or OnePlus. Many apps, including WhatsApp and banking apps, also have their own biometric lock in the settings.

Do I still need a VPN on public Wi-Fi in 2026?

You don’t need a VPN as much as the scary stories suggest, but one still helps. Because most web traffic is now encrypted with HTTPS, nobody's easily reading your passwords on a coffee shop network. A reputable VPN still protects your metadata, hides your activity from the network, and covers the older, unencrypted traffic that some apps leak. So it's worth having if you often connect to public Wi-Fi.

How often should I run the Google Security Checkup?

Every 2–3 months is plenty for most people. Set a recurring reminder because the checkup takes about two minutes and catches new issues, such as a forgotten device login or a stale app permission. If you ever suspect your account was accessed, run it immediately and sign out of every device you don't recognize.

Does hiding apps in Private Space actually hide them from everyone?

Once hidden, Private Space won't appear in your app drawer, and its apps won't appear in your notifications, recent apps, or search results while it's locked. Someone would have to know the feature exists and search for it by name to even find the secured entrance.

Scott Houghton

Jr. Staff Writer

Scott Houghton
Scott is a Jr. Staff Writer for WhistleOut with over five years of experience writing about tech, education, and digital services for SaaS companies, higher education platforms, and podcasting brands. He specializes in turning complex topics into clear, helpful content, cutting through the noise, and making smarter decisions about the tools and tech they use every day.

Read full bio


Find a Better Phone Plan

Compare carriers, plans, and deals.

Search 39 Carriers

Compare phones and plans from the following carriers...

Latest Cell Phone Deals

Get the iPhone 17 for FREE through AT&T with trade-in and new plan

FREE iPhone 17 with a new line on T-Mobile's Experience Beyond plan

Save up to $1,099.99 on the iPhone 17 Pro Max with trade-in and new line

Save $200 on the Samsung Galaxy S25

Unlimited Data for $25/month

Unlimited data plans starting at just $25/month