Most people know they should be doing something about their phone security. They just never get around to it. These five changes take under twenty minutes total and address the most common ways phones get compromised.
1. Set up a password manager
If you’re reusing passwords across sites — and most people are — a single breach exposes everything. A password manager fixes this by generating and storing unique passwords for every account. You only remember one strong master password.
Start with Bitwarden (free, open source) or 1Password ($3/month). Install the app on your phone and the browser extension on your computer. Import your existing passwords if you’ve been storing them in Chrome or Safari — both export a CSV you can import. Then, over the next few weeks, update passwords for your most sensitive accounts: email, banking, and social media first.
2. Enable two-factor authentication on your email
Your email account is the master key to your digital life. Anyone who gets into it can reset passwords for every other account you own. Two-factor authentication (2FA) means a stolen password alone isn’t enough to get in — an attacker also needs access to your phone.
Use an authenticator app rather than SMS: codes sent by text message can be intercepted or redirected (for example through a SIM-swap attack on your phone number), while an app-generated code never leaves your device. Google Authenticator and Authy are both free. Open your email provider’s security settings, look for “Two-factor authentication” or “Two-step verification,” and follow the setup steps. It takes about three minutes. Do your banking app next.
If you want one app that handles both passwords and 2FA codes, 1Password does both. Fewer apps to manage. The trade-off is that one compromised vault then exposes both factors at once, so protect it with a long master password and 2FA of its own.
3. Audit your app permissions
Apps ask for permissions they don’t need. A flashlight app doesn’t need access to your contacts. A game doesn’t need your location. These permissions sit there collecting data long after you’ve forgotten about the app.
On iPhone: go to Settings → Privacy & Security. Review each category — Location, Microphone, Camera, Contacts. For anything that doesn’t obviously need that access, set it to “Never” or “While Using.” On Android: Settings → Apps → select an app → Permissions. Do this for the apps you don’t use daily first; they’re usually the worst offenders.
While you’re in there, delete apps you haven’t opened in six months. Fewer apps means a smaller attack surface.
4. Set your lock screen to require a PIN or Face ID immediately
The default on most phones is a grace period — you can unlock without a PIN for 30 seconds or more after last use. That’s long enough for someone to grab your phone and access it while you’re distracted.
On iPhone: Settings → Face ID & Passcode → Require Passcode → set to “Immediately.” On Android: Settings → Security → Screen lock → set to lock immediately. Also make sure your passcode is at least six digits, not four. And if your phone supports Face ID or fingerprint, enable it — it’s faster and more secure than skipping the lock screen entirely.
5. Switch your browser’s default search to one that doesn’t track you
Google builds a detailed profile of you from every search you run. That profile is used to target ads and gets shared with data brokers. You don’t have to stop using Google entirely, but changing your default search engine on your phone takes 30 seconds and immediately limits that data collection.
DuckDuckGo gives Google-quality results for most searches without the tracking. On iPhone: Settings → Safari → Search Engine → DuckDuckGo. On Android Chrome: Settings → Search engine → DuckDuckGo. If you find yourself needing Google for a specific search, you can still go to google.com directly — you’re just not feeding it every casual search you run.
The bottom line
You don’t have to do all five today. Pick the one that feels most overdue — probably the password manager or the 2FA setup — and do that one now. Each of these changes makes you meaningfully harder to compromise without requiring you to overhaul how you use your phone.
