How to Secure Your Google Account

    Lock down the Google account behind your Android phone: move it to a private email, set a strong unique password, turn on app-based 2-Step Verification, remove devices you don't recognise, and close the recovery back doors.

    By Jordan Dickson · Reviewed by CSG Security Engineers

    Updated June 2026

    Your Android phone runs on your Google account — the master key to the whole device. Anyone signed into it from another device can read your messages, open your photos and follow your location through Google sync, with nothing installed on your phone at all. Locking that one account down is the single most important thing you can do to stop being watched.

    Secure your Google account, step by step

    Most of this lives in one place. Open Settings → Google → Manage your Google Account (or go to myaccount.google.com) and tap the Security tab. Work through these in order.

    1. Put it on an email only you control

    Your account's recovery email can reset everything, so whoever can reach that inbox controls the account. If it's an old, shared or reused address, move it to a clean, private email no one else can touch — a fresh Proton Mail address is built for exactly this. Set it under Security → How you sign in to Google → Recovery email.

    2. Set a strong, unique password

    Change your password to something long and unique that you use nowhere else, so an old data breach can't unlock it. A password manager like Proton Pass can generate and store it. Changing it also signs most other sessions out — a clean break if someone has quietly been signed in. Find it under Security → How you sign in to Google → Password.

    3. Turn on 2-Step Verification

    2-Step Verification means a stolen password alone is no longer enough. Turn it on under Security, and add an authenticator app such as Proton Authenticator rather than relying on SMS, which a SIM swap can intercept. Keep a backup method, but don't make a text message your only one.

    4. Remove devices you don't recognise

    Open Security → Your devices to see everything signed into your account. Tap anything you don't recognise and choose Sign out, then change your password so it can't simply sign back in.

    5. Close the recovery back doors

    Finally, check Security → How you sign in to Google for your recovery email, recovery phone and any backup methods. These survive a password change, so an unfamiliar one left in place is a way straight back in. Remove anything that isn't yours.

    One more place to check

    While you're here, open Security → Your connections to third-party apps & services and remove anything you don't use or recognise. An app with account access can keep reading your data long after a password change.

    Already worried monitoring is in place?

    These steps lock the account down. To find monitoring that may already be running — forwarded messages, shared location, rogue apps — check the settings someone can abuse on the phone itself.

    Common questions

    Is my Google account really how someone watches my phone?
    It's the most common way. Someone who knows your password can sign in on their own device and see your messages, photos and location through Google sync, with no app installed on your phone for a scan to find.

    What's the single most important step?
    Moving your account onto a strong, private email no one else can reach. Every other protection can be undone by someone who controls the recovery inbox, because that's where reset links and verification codes are sent.

    Do I still need to change my password if I turn on 2-Step Verification?
    Yes. 2-Step Verification stops a stolen password being used on a new sign-in, but it doesn't remove sessions already signed in. Change the password to force everyone out, then keep 2-Step on to keep them out.

    Should I use text-message codes for 2-Step Verification?
    Keep a phone number as a backup, but rely on an authenticator app where you can. SMS codes can be redirected with a SIM swap, so they're the weakest link.

    Written by Jordan Dickson. Founder of CyberSecurityGuides, writing practical, jargon-free guides that help everyday people recover from and protect against online attacks.