The complete Android privacy and security checklist for 2026

A complete, practical checklist to lock down your Android phone in 2026: lock screen, permissions, Play Protect, unknown sources, account security, updates and regular scanning.

15 May 2026 · 9 min read

Android gives you enormous control over your privacy and security — if you know which settings to change. This checklist walks through the changes that deliver the biggest protection for the least effort, from quick wins to deeper hardening. Work through it once and you will have closed the doors that the vast majority of threats walk through.

Lock screen and device access

  • Set a strong screen lock. Use a PIN of at least six digits or a password, not a pattern (patterns are easy to shoulder-surf). This single step blocks the physical-access installation that most stalkerware requires.
  • Enable biometric unlock for convenience, but keep a strong backup PIN — biometrics can be bypassed in ways a good PIN cannot.
  • Hide sensitive notification content on the lock screen so messages and codes are not visible to anyone holding your phone.
  • Turn on automatic lock after a short idle time.

A strong lock screen is the foundation everything else builds on.

App permissions

  • Open the Permission Manager (Settings → Privacy → Permission manager) and review each sensitive category: Location, Camera, Microphone, Contacts, SMS.
  • Switch location to "while using" for apps that do not need constant tracking, and "deny" for those that have no business knowing where you are.
  • Revoke microphone and camera access from anything without an obvious need.
  • Scrutinise Special access → Device admin apps and Accessibility — these are the powerful permissions stalkerware abuses. You should recognise everything listed.

Block the stalkerware installation route

  • Keep "Install unknown apps" disabled for every app (Settings → Apps → Special access → Install unknown apps). This is the channel almost all stalkerware uses.
  • Enable Google Play Protect (Play Store → Profile → Play Protect) so apps are scanned, and run a manual Play Protect scan now.
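
The Accessibility review in the permissions section and the "Install unknown apps" check above can also be run from a computer over adb. The script below is an added example, not part of the original article: the allowlist, package names and sample outputs are constructed, and it assumes `appops query-op` prints one package name per line.

```shell
#!/bin/sh
# Added example: flag special-access holders you do not recognise.
# On a real device (USB debugging on) the two inputs would come from:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell cmd appops query-op REQUEST_INSTALL_PACKAGES allow
# The values below are constructed samples so the script runs offline.

SAMPLE_A11Y='com.google.android.marvin.talkback/.TalkBackService:com.example.syncservice/com.example.syncservice.Watcher'
SAMPLE_INSTALLERS='com.android.chrome
com.example.syncservice'
# Hypothetical allowlist: packages the owner knowingly granted access to.
ALLOWLIST='com.google.android.marvin.talkback'

# Turn "pkg/class:pkg/class" into one package name per line.
# The setting reads "null" or is empty when no service is enabled.
a11y_packages() {
    case "$1" in ''|null) return 0 ;; esac
    printf '%s\n' "$1" | tr ':' '\n' | cut -d/ -f1 | sort -u
}

# Print every package from $1 (one per line) that is not in allowlist $2.
unrecognised() {
    printf '%s\n' "$1" | while IFS= read -r pkg; do
        [ -n "$pkg" ] || continue
        printf '%s\n' "$2" | grep -Fxq -- "$pkg" || printf '%s\n' "$pkg"
    done
}

# Full audit: label each finding with the access it holds.
# $1 = raw accessibility setting, $2 = installer list, $3 = allowlist
audit() {
    unrecognised "$(a11y_packages "$1")" "$3" | sed 's/^/accessibility: /'
    unrecognised "$2" "$3" | sed 's/^/install-unknown-apps: /'
}

audit "$SAMPLE_A11Y" "$SAMPLE_INSTALLERS" "$ALLOWLIST"
```

Anything the script prints is a package holding powerful access that is not on your allowlist; check it against the list shown in Settings before deciding whether to revoke the access or uninstall the app.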

Account security

  • Secure your Google account with a strong, unique password and two-factor authentication, because your Google account holds the keys to your phone, email, photos and location.
  • Review devices signed in to your Google account and remove any you do not recognise.
  • Run a Security Checkup at your Google account's security page, which flags weak spots automatically.
  • Use a password manager so every account has a unique password, limiting the damage if one is exposed.

Your Google account is the master key — protect it first.

Updates

  • Install system updates promptly. They patch the security holes that malware and spyware exploit. Check Settings → System → System update.
  • Keep apps updated through the Play Store, ideally automatically, since app updates also fix vulnerabilities.

Network and browsing

  • Be cautious on public Wi-Fi and avoid logging into sensitive accounts on networks you do not trust.
  • Periodically check which apps consume background data (Settings → Network → Data usage) and watch for anything transmitting more than it should, which is a sign of data exfiltration.
  • Before tapping a suspicious link, scan it with the URL scanner.

Regular maintenance

  • Uninstall apps you no longer use. Every app is a potential risk and a data collector; fewer apps means a smaller attack surface.
  • Re-audit permissions every few months — they accumulate as you install and update software.
  • Scan anything you sideload. If you ever must install an APK from outside the store, run it through the file scanner first.
  • Watch for the warning signs of monitoring covered in our tracking signs guide.

Priority order: if you only do three things, set a strong lock screen, secure your Google account with two-factor authentication, and keep "install unknown apps" disabled. Those three block the most common attack paths.

For higher-risk users

If you are a journalist, activist, or someone in a controlling relationship, consider additional measures: Android's built-in security features are strong when fully used, and you may benefit from real-time monitoring that alerts you the instant a new app or permission appears. Our guide to real-time anti-spy protection explains how continuous monitoring complements this checklist.

Security is not a one-time task but a set of habits. Work through this list now, set a reminder to revisit it in a few months, and you will keep your Android phone — and the life stored on it — genuinely private.

Check it yourself. Use the free SpyApp scanner to analyse any suspicious file, link, domain or IP — and see what the community already knows about it.

Frequently asked questions

What is the single most important Android security setting?

A strong screen lock combined with two-factor authentication on your Google account. Together they block both physical and remote access, the two main attack paths.

Should I keep 'install unknown apps' off?

Yes, unless you have a specific, trusted reason to sideload. This setting is the route almost all Android stalkerware uses to get onto a device.

How often should I review permissions?

Every few months and after installing several new apps. Permissions accumulate over time, so periodic review keeps your exposure minimal.