The Paranoid Person's Guide to Phone Security (That Actually Works)
By: SsSnake -- Lord of the Abyss --
January 5, 2026

This guide is for people who want practical phone security without losing their minds. I'm not going to tell you to throw your phone in the ocean and communicate exclusively via carrier pigeon. I'm going to tell you what actually matters, what doesn't, and what the security industry doesn't want you to know because the truth is less profitable than the fear.

Let's start with the thing nobody wants to hear.

Your Phone Is a Tracking Device That Makes Calls

Your phone knows where you are at all times. It knows where you've been. It knows how long you stayed. It knows how fast you were moving and whether you were walking or driving. This is not a flaw in your phone. This is how your phone works. Cellular networks require your phone to identify itself to the nearest tower to function. GPS, Wi-Fi scanning, and Bluetooth beacons refine that location to a few meters. You cannot use a phone and not be locatable. Period.

What you can control is who has access to that data beyond your carrier. Here's how.

1. Lock Down App Permissions — Actually Do It

Every app on your phone that has location permission is selling or sharing that data. I don't mean "might be." I mean "is." In 2024, the FTC documented that data brokers purchase real-time location data from hundreds of apps and resell it to anyone with money — including law enforcement, private investigators, and stalkers. The apps range from weather apps to flashlight apps to games.

Go to your phone's permission manager right now. Look at which apps have location access. If an app doesn't need your location to function — if it's not a map or a ride-sharing service — revoke it. Set everything to "Only while using the app" at minimum. "Always" should be reserved for exactly zero apps unless you have a specific, conscious reason.

Do the same for camera, microphone, contacts, and call log access. A calculator doesn't need your contacts. A QR code reader doesn't need your microphone. If an app requests permissions that don't match its function, that app is doing something other than what it told you.
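The audit above, done in bulk on Android rather than one app at a time, as an added example that is not from the original post: it parses the output of `adb shell dumpsys package` (a real command; the dump fragment below is constructed) and lists every app holding a location permission, flagging the ones granted it "Always".

```shell
#!/bin/sh
# Added example (not part of the original post): audit Android location
# permissions in bulk from the `adb shell dumpsys package` dump instead of
# tapping through every app. Live use needs adb and USB debugging enabled:
#   adb shell dumpsys package | audit_location
# Here it runs on a constructed sample so it works offline.

# Read a dumpsys package dump on stdin and print one line per package that
# holds a location permission: ALWAYS when ACCESS_BACKGROUND_LOCATION is
# granted (the "Allow all the time" setting), IN_USE for foreground only.
audit_location() {
    awk '
        /^ *Package \[/ {                 # "  Package [com.example.weather] (1a2b3c):"
            pkg = substr($2, 2, length($2) - 2)
        }
        /ACCESS_(FINE|COARSE)_LOCATION: granted=true/ { fg[pkg] = 1 }
        /ACCESS_BACKGROUND_LOCATION: granted=true/    { bg[pkg] = 1 }
        END {
            for (p in fg) print ((p in bg) ? "ALWAYS" : "IN_USE"), p
        }
    ' | sort
}

# Constructed sample: only the fragments of a real dump that matter here.
SAMPLE='  Package [com.example.weather] (1a2b3c):
    User 0: installed=true
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_BACKGROUND_LOCATION: granted=true, flags=[ USER_SET ]
  Package [com.example.flashlight] (4d5e6f):
    User 0: installed=true
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_COARSE_LOCATION: granted=false, flags=[ USER_SET ]
  Package [com.example.maps] (7a8b9c):
    User 0: installed=true
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_BACKGROUND_LOCATION: granted=false, flags=[ USER_SET ]'

# The weather app shows up as ALWAYS, maps as IN_USE, the flashlight not at all.
printf '%s\n' "$SAMPLE" | audit_location
```

Anything reported as ALWAYS that is not a map or ride-sharing app is a candidate for revoking in the permission manager.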

2. Use a PIN, Not Biometrics, for Lock Screen

This one gets pushback. People love Face ID and fingerprint unlock because they're convenient. Here's the problem: in many jurisdictions, law enforcement can compel you to unlock your phone with your face or fingerprint, because biometrics are considered "physical evidence" rather than "testimony." A PIN or password is testimony — it's something you know — and is protected by the Fifth Amendment in the United States.

This means a cop at a traffic stop can hold your phone up to your face and unlock it. They cannot force you to tell them your PIN. Use a six-digit PIN at minimum. Don't use your birthday. Don't use 123456. Don't use your address. Use something random and memorize it.

If you're in a situation where you think your phone might be seized, power it off. A phone that has been powered off and not yet unlocked since booting is in "Before First Unlock" (BFU) state — the encryption keys are not in memory, and forensic tools have a much harder time extracting data. A phone that's been unlocked at least once since the last reboot is in "After First Unlock" (AFU) state and is significantly more vulnerable. Power off is your panic button.

3. Use Signal for Anything Sensitive

SMS text messages are not encrypted. Your carrier can read them. Law enforcement can obtain them with a court order — or sometimes without one. iMessage is encrypted but only between Apple devices, and Apple holds the keys to your iCloud backup, which means your "encrypted" messages are sitting in a database Apple can access if subpoenaed.

Signal is end-to-end encrypted. Signal doesn't store your messages on their servers. Signal's protocol has been independently audited and is considered the gold standard. Use Signal for anything you wouldn't want read aloud in a courtroom.

If someone tells you WhatsApp is "just as good because it uses the Signal protocol" — they're half right. WhatsApp uses the Signal protocol for message encryption, but Meta (WhatsApp's owner) collects metadata: who you talk to, when, how often, your IP address, and your contact list. Metadata is surveillance data. The NSA's former general counsel said: "We kill people based on metadata." Use Signal.

4. Keep Your Phone Updated

I know. Everyone says this. Nobody does it. Here's why it matters: the commercial spyware industry — companies like NSO Group (Pegasus), Intellexa (Predator), and QuaDream — relies on exploiting vulnerabilities in your phone's operating system. These exploits are called "zero-days" because the manufacturer has had zero days to fix them. When Apple or Google releases a security update, it usually patches vulnerabilities that are being actively exploited in the wild. Not theoretically exploited. Actually, right now, on real people's phones.

If you're running an Android phone that's three versions behind on security patches, you are running a phone with known, documented, publicly available vulnerabilities that any motivated attacker can exploit. Update your phone. Do it today. Set it to auto-update.

If your phone manufacturer has stopped issuing security updates because your model is too old, buy a new phone. A Pixel 8a costs $350 and gets seven years of security updates. This is not a luxury expense. It's the digital equivalent of a functioning lock on your front door.

5. Your Cloud Backup Is Your Weakest Link

Your phone can be locked, encrypted, and fortress-like — and it doesn't matter if all your data is sitting in an unencrypted cloud backup that Apple, Google, or Samsung can hand over to law enforcement with a court order.

iCloud: Apple can access your iCloud backup unless you enable "Advanced Data Protection," which was only introduced in 2022 and is not turned on by default. Go to Settings → Apple ID → iCloud → Advanced Data Protection and turn it on. This makes your backup end-to-end encrypted with keys only you hold.

Google: Google Drive backups are encrypted with your Google account credentials, which means Google holds the keys. There is no "Advanced Data Protection" equivalent for Android cloud backups. If you're on Android and you care about this, use local encrypted backups instead of Google Drive.

Alternatively, disable cloud backup entirely and perform local encrypted backups to a computer you control. This is less convenient. Security is often less convenient. That's the trade.

6. DNS and VPNs — What Actually Helps

Changing your DNS provider from your ISP's default to something like Cloudflare (1.1.1.1) or Quad9 (9.9.9.9) prevents your ISP from logging every domain you visit. This is a free, five-minute change that meaningfully improves your privacy. On Android, go to Settings → Network → Private DNS and set it to one.one.one.one or dns.quad9.net.

VPNs are more complicated. A VPN hides your traffic from your ISP, but the VPN provider can see everything your ISP would have seen. You're trusting the VPN instead of the ISP. Most commercial VPN providers make promises about "no logs" that have not been independently verified. Some have been caught lying. If you use a VPN, use one that has been independently audited (Mullvad, IVPN) and don't trust the ones spending millions on YouTube sponsorships — that money comes from somewhere, and it's not from respecting your privacy.

7. What Doesn't Matter

Antivirus apps on your phone. They don't work. Android and iOS sandbox apps so aggressively that an antivirus app has no more access to detect malware than any other app. They're security theater that drains your battery and collects your data. Uninstall them.

"Private browsing" or "incognito mode." This hides your history from other people who use your phone. It does not hide your activity from your ISP, your employer, the website you're visiting, or anyone monitoring your network. It is useful for exactly one thing: preventing your browser history from showing what you searched for. That's it.

Phone cases with "signal blocking" or "RFID protection." Your phone is not being compromised by someone standing near you with an RFID reader. These products solve a problem that does not exist. Save your money.

The Bottom Line

Perfect phone security does not exist. What exists is a set of practical choices that make you a harder target than the person who hasn't made them. The goal is not to be unhackable — the goal is to not be the easiest person in the room to hack. Lock your permissions, use a PIN, use Signal, update your phone, encrypt your backup, change your DNS. These six things, done today, put you ahead of 95% of people. That's not a guess. That's the math.

Stay safe.