How to Secure the Account That Runs Your Phone

    Your Apple ID or Google account is the master key to your phone — anyone signed in can see everything. Here's why it matters and how to lock it down, with step-by-step guides for iPhone and Android.

    By Jordan Dickson · Reviewed by CSG Security Engineers

    Updated June 2026 · 3 min read

    Your phone runs on a single account — your Apple Account on an iPhone, your Google account on Android. It's the master key to the whole device: anyone signed into it from somewhere else can read your messages, open your photos and follow your location through iCloud or Google sync, with nothing installed on the phone at all. Locking that one account down is the single most important thing you can do to stop being watched — here's why it matters, and the exact steps for your phone.

    Why this account matters most

    Spyware and changed settings are the obvious worries, but they aren't the most common way a phone gets watched. The quiet way is through the account itself: someone who knows the password simply signs in on their own device and mirrors everything, leaving nothing to find on yours. And that account is only ever as secure as the email it's built on, because that inbox receives every login alert, verification prompt and password reset. Secure the account — and the email behind it — and you close the door the rest depends on.

    What securing it involves

    Whichever phone you have, the same five moves close the door: put the account on a private email only you control, set a strong, unique password, turn on two-factor authentication with an authenticator app, remove any device you don't recognise, and close the recovery back doors (recovery email, phone and trusted numbers). The menus differ by device, so follow the walkthrough for yours.

    Already worried it's in place?

    These steps lock the account down. To find monitoring that may already be running — forwarded messages, shared location, rogue profiles — check the settings someone can abuse on the phone itself.

    See if your phone is being tracked

    Common questions

    Is my Apple or Google account really how someone watches my phone?
    Yes, it's the most common way. Someone who knows the password can sign in on their own device and see your messages, photos and location through iCloud or Google sync, with no app installed on your phone for a scan to find.
    What's the single most important step?
    Moving the account onto a strong, private email no one else can reach. Every other protection can be undone by someone who controls the recovery inbox, because that's where reset links and verification codes are sent.
    Do I still need to change my password if I turn on two-factor?
    Yes. Two-factor stops a stolen password being used on a new sign-in, but it doesn't remove sessions already signed in. Change the password to force everyone out, then keep two-factor on to keep them out.
    Should I use text-message codes for two-factor?
    Avoid them where you can. SMS codes can be redirected with a SIM swap, so an app-based authenticator is safer. Keep a phone number only as a backup method, not the main one.

    Written by

    Jordan Dickson

    Founder, CyberSecurityGuides

    Founder of CyberSecurityGuides, writing practical, jargon-free guides that help everyday people recover from and protect against online attacks.
