The 10-step phone security tune-up you should run every year - and why

ZDNET's key takeaways
- A quick cybersecurity wellness check is all it takes to protect your phone from disaster.
- Check your app usage, permissions, and physical security settings.
- An annual checkup reduces data exposure risk, improves privacy, and optimizes your device.
Enjoying the benefits and conveniences of life in our complex world requires daily diligence, from replacing batteries and tracking finances to keeping medical appointments and maintaining vehicles.
Here's another routine task we should all have on our calendars. Conduct an annual cybersecurity wellness check of what's likely the single most important device in your life: your smartphone.
We use our smartphones to communicate, work, shop, and stay connected and entertained -- but we don't always remember to keep them optimized or secure, which can turn these essential devices into serious liabilities.
While we always recommend you accept security updates on your smartphone as soon as they are available, there are other checks that, if performed even once a year, can hugely benefit you.
Take just one hour to give your smartphone a once-over that will tighten your security, refresh your memory on app permissions, and optimize your privacy settings. Our 10-step checklist makes it a breeze and could save you some major headaches down the line.
1: Make sure your device and apps are up to date
The first step in any annual cybersecurity checkup is to ensure that your operating system and any mobile applications installed on your smartphone are up to date. This means accepting any new OS and app versions, as well as security updates and patches.
Depending on the make, model, and version of your iOS or Android device, the location where you check your phone's status can vary. However, you can usually find updates under Settings > Security and Privacy > Updates, or Settings > System > Update. You may also be notified when a new software update is available.
To check the status of your smartphone's apps, you can visit Settings > Apps or the Update tab.
2: Check your app and device permissions
The next step in your yearly audit is to review your app and device permissions. Whenever you install a mobile application, you will be asked to grant or deny specific permissions, such as access to your files, control over your location services, and permission for the app to send you push notifications.
There is also a variety of settings on your smartphone that need to be managed -- particularly security and privacy settings.
There are plenty of options to explore, including whether you want your smartphone to automatically detect and block threats; screen locks and biometrics; lost device protection; and whether you are comfortable with personalized ads and sending diagnostic data.
On Android, you typically need to go to Settings > Security and privacy > More privacy settings > Permission manager. On iOS, you will likely find permissions management under Settings > Privacy and Security, or Settings > the specific app you want to examine. To explore your device settings, simply go to Settings.
"Never do attackers' jobs for them by giving access away unnecessarily," cautioned Rob Kehoe, chief technology officer of Smarttech247. "Once a year, go through every app on your phone and check what permissions it has. Look at the camera, microphone, location, and contacts. If an app has access it doesn't need, remove it. Set location access to 'only while using' for everything. And if an app isn't useful anymore, remove it completely. This only takes 10 minutes, and most people are shocked by what they find."
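On Android, the permission review described above can also be scripted for readers comfortable with developer tools. This is an added example, not part of the original article: it parses text saved from `adb shell dumpsys package` and lists apps holding camera, microphone, location, or contacts access. The package names and sample output are constructed, and the exact dumpsys layout is an assumption that varies by Android version.

```python
import re

# Permissions the checklist singles out: camera, microphone, location, contacts.
# ACCESS_BACKGROUND_LOCATION (Android 10+) means location is allowed all the
# time rather than "only while using".
SENSITIVE = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location (all the time)",
    "android.permission.READ_CONTACTS": "contacts",
}
PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*(android\.permission\.\w+): granted=true")

def audit(dumpsys_text):
    """Return {package: sorted labels} for granted sensitive permissions."""
    findings, pkg = {}, None
    for line in dumpsys_text.splitlines():
        m = PKG_RE.match(line)
        if m:                      # a new "Package [name]" section starts
            pkg = m.group(1)
            continue
        m = PERM_RE.match(line)    # only lines with granted=true match
        if m and pkg and m.group(1) in SENSITIVE:
            findings.setdefault(pkg, set()).add(SENSITIVE[m.group(1)])
    return {p: sorted(labels) for p, labels in findings.items()}

def always_on_location(findings):
    """Apps whose location access is not limited to 'only while using'."""
    return sorted(p for p, l in findings.items() if "location (all the time)" in l)

# Constructed sample in the style of `adb shell dumpsys package` output.
SAMPLE = """\
Package [com.example.flashlight] (1a2b3c):
  User 0: installed=true
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET]
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
      android.permission.ACCESS_BACKGROUND_LOCATION: granted=true, flags=[ USER_SET]
      android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET]
Package [com.example.notes] (4d5e6f):
  User 0: installed=true
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=false, flags=[ USER_FIXED]
"""

if __name__ == "__main__":
    for pkg, labels in audit(SAMPLE).items():
        print(pkg, "->", ", ".join(labels))
```

Apps that appear in the result are the ones to review in Permission manager; any listed by `always_on_location` still have location set to "all the time."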
3: Delete any apps you no longer use
You should also audit the apps installed on your smartphone. (We recommend checking this more than once a year -- preferably every few months.) Old apps can pose a risk to your privacy; they may have been granted unnecessary permissions and may also consume your device's resources and power.
If you haven't used a mobile app in a few months, ask yourself: "Do I really need it?" If the answer is no, remove it. You can always reinstall apps later, but each one you remove reduces your potential attack surface.
While both Android and iOS will revoke permissions from apps you haven't used for several months, it's still advisable to run a check yourself every so often. Take a look at the Apps section in your handset's Settings tab to refresh your memory about which apps are installed. Alternatively, check your home screen and hold your finger down on any app you want to remove -- you should see the option to uninstall it.
4: Review and refresh your passwords
Hardly a day goes by without a new data breach. The challenge of containing our data and protecting our accounts is now so vast that dedicated services warn consumers about data breaches affecting their accounts, and some companies now prevent users from reusing passwords found in online data leaks.
Reviewing your passwords and changing them frequently is essential to protecting your accounts and data, and this protection applies to any device you use to access them -- including your smartphone.
Passwords should be complex, made up of upper- and lower-case letters, numbers, and symbols, when possible. It's also important never to reuse the same credentials across multiple online services.
If you think you will have trouble remembering complex phrases, consider using a password manager.
Troy Hunt's Have I Been Pwned search engine is also an excellent resource for checking whether your accounts have been linked to a data breach. Simply by entering your email, you'll be able to see what data might have been leaked about you, and when. If you're ever in doubt, change your password.
5: Check 2FA, multi-factor authentication settings
After you've refreshed your passwords, you should check all two-factor authentication (2FA) and multi-factor authentication (MFA) settings for your online accounts and devices. Many of us rely on our smartphones for 2FA: when it is enabled on an account, the phone receives the code we need as a secondary layer of security. That makes it important that this information is up to date and our phones are secure. Otherwise, attackers could intercept these codes and compromise our accounts.
If you have 2FA/MFA enabled on your online accounts, go to their privacy settings and verify that the phone number is correct and that you've selected your preferred authentication method. This could be a text message, an emailed code, an authenticator app, or a passkey. Prioritize Google, Apple, and Microsoft services, financial and banking apps, core email accounts, frequently used shopping services if your details are stored, and work platforms.
6: Audit your physical device security
Checking our digital services, online accounts, and app usage is only part of an annual cybersecurity audit -- it's also important to review our physical handset security.
Estimates suggest that approximately 1.3 million phones were stolen in the US in 2023. Stolen handsets can be wiped and resold; if a device is not properly secured, it can lead to the loss of personal information, compromised accounts, lost files, and even financial damage.
You'll need to dive back into your settings again. Look for options including:
- Lock screen: Do you have a way to lock your smartphone from the screen? Is a passcode or biometric identifier in place? It's best to have some form of lock to prevent data theft or eavesdropping.
- Safety and emergencies: You can use your smartphone to share your location or notify emergency services when needed. Check that these settings are enabled if you want them. You can also enable alerts when unknown trackers are detected near your handset.
- Biometrics: Your thumbprint or retina is also a valuable way to physically secure your device. Consider enabling these to keep others out of your smartphone, its apps, and its data.
- Device encryption: On modern smartphones, encryption is often enabled by default when a lock screen is enabled, but you should check, as this helps protect your data on older models. Explore settings, security, and privacy to see if enabling device encryption is possible.
7: Look for unexpected connected apps and devices
It's also important for you to audit your online accounts, services, and smartphone for any unexpected apps, devices, or active sessions.
For example, if you are logged into your email account only on your smartphone but a laptop connection has also appeared, it could mean someone has quietly gained access to your account. This can be a serious security issue due to eavesdropping, potential data theft, and even the acquisition of 2FA codes if your email is compromised.
Check for any unrecognized locations, access times, or devices -- including older smartphones you've sold or that have been stolen. If you find any, revoke access immediately and change your passwords. You should do the same for any associated online accounts, including e-commerce platforms, work apps, and social media.
You can usually find details on any connected apps or devices in settings, recent activity, sign-in activity, signed-in devices, and similar items.
8: Run a malware scan
Android and iOS smartphones have built-in antivirus protection, but it never hurts to run your own check -- preferably more than once a year.
There can be threats lurking on your mobile device, and most of these stem from malicious apps that are hiding information stealers, keyloggers, monitoring software, Trojans, and nuisanceware. Antivirus software can catch these apps before they run on your handset, and scans can give you peace of mind that your smartphone is clean.
Help yourself, too, by only downloading apps from trusted sources and refraining from jailbreaking your device.
9: Review your account and device recovery settings
Do you have Android's Find My Device, Find My Mobile, or iOS's Find Devices enabled?
As part of your annual audit, consider enabling features on your smartphone that may increase the likelihood of recovering it if it is lost or stolen.
On Android, the Find Hub lets you locate any registered device on a map, remotely lock it, or erase it, even if it is offline. You mark a device as "lost," and data gathered from a global network of Android devices is used to pinpoint its location. The same type of crowdsourcing is used on iOS, too, and you can access the same functionality if your device is lost -- tracking, locking, and wiping remotely in cases of loss or theft.
Be warned: You will likely need to enable these services and register your devices before such an event occurs.
Many smartphones also offer theft protection features, remote locks, and automatic screen locks when they detect potential theft. You can find these under Settings and menu options such as Lost Device Protection.
10: Start adopting these security habits
Now that your audit is complete, consider adopting the following five security habits to improve your personal security and privacy:
- Take data breach notifications seriously: If you hear a news report or receive an alert about a breach at a company you are a customer of, change your account passwords immediately.
- Review apps and permissions frequently: It's best to take a few moments every few months to review your apps, their permissions, and whether you still need them installed on your device.
- Physically secure your devices: Get in the habit of supervising and protecting your devices at all times. It only takes a distracted moment for your laptop to vanish from your table at a coffee shop, or for your smartphone to disappear from your pocket.
- Keep your devices updated: It's the simplest step and also one of the most important. Accept new security updates for your smartphone and apps as they become available to stay protected from emerging threats and vulnerabilities.
- Stay suspicious: If you receive a suspicious SMS, WhatsApp call, or email, you might be getting phished. This is one of the most common threats we face today. Don't panic and don't click any links in the message. If a message looks official but you're unsure, go directly to the organization's website to contact them.