The First 10 Things I Do on Every New Phone Before I Open a Single App

By Alex Chen · 7 min read · 23 views

I got a new phone last month. A Pixel 9 Pro, if you care about that sort of thing. It arrived on a Thursday afternoon and my partner watched in visible annoyance as I spent the next 45 minutes doing security setup before I even installed Instagram.

"You could just... use it," she said.

She is right. I could. But I have also seen what happens when people skip security setup on a new phone. I have helped three friends recover hacked accounts in the past year alone. One of them lost access to their banking app for two weeks. Two weeks! Because they used the same password everywhere and their phone had zero protection beyond a four-digit PIN.

So no. I cannot "just use it." And after you read this list, you probably will not want to either.

Here are the 10 things I do on every single new phone, in order, before I touch anything else. Most of them take under a minute each.

1. Set Up a Strong Lock Screen (Not a 4-Digit PIN)

The very first thing. Before Wi-Fi, before accounts, before anything. I set up biometric authentication (fingerprint or face) backed by a 6+ character alphanumeric passcode. Not a PIN. Not a pattern. A real password.

"But nobody is going to brute-force my phone," you say. Maybe not. But a 4-digit PIN has 10,000 possible combinations. A 6-character alphanumeric password has over 2 billion. If your phone gets stolen — and roughly 1 in 10 Americans have had a phone stolen at some point — that difference matters enormously.

On Android: Settings → Security → Screen Lock → Password.
On iPhone: Settings → Face ID & Passcode → Change Passcode → Passcode Options → Custom Alphanumeric Code.

Takes 30 seconds. Your phone is immediately 200,000 times harder to break into. That is not hyperbole — that is math.

2. Turn Off Lock Screen Notifications Preview

This one is sneaky. By default, most phones show message contents on the lock screen. Which means anyone who picks up your phone — at a coffee shop, at the gym, wherever — can read your texts, see your banking notifications, and view your two-factor authentication codes. Without unlocking anything.

I learned this the uncomfortable way when my friend Derek (different Derek from the one who got hacked, I apparently know a lot of Dereks with security problems) showed me that he could read my Signal messages from across a table just by glancing at my lock screen.

Fix: Show notifications but hide contents. You will see "New message from Signal" instead of the actual message text.

Android: Settings → Notifications → Notifications on lock screen → Show sensitive content only when unlocked.
iPhone: Settings → Notifications → Show Previews → When Unlocked.

3. Enable Find My Device / Find My iPhone

If your phone gets lost or stolen, this is your lifeline. It lets you locate, lock, or remotely wipe your phone from any browser.

I actually used this feature last summer when I left my phone in a Lyft. Tracked it to the driver's next pickup location, called the driver through the Lyft app, and had it back in 20 minutes. Without Find My Device, that phone would be gone. Along with everything on it.

Android: Settings → Security → Find My Device → Turn on.
iPhone: Settings → [Your Name] → Find My → Find My iPhone → Turn on all three toggles (Find My iPhone, Find My Network, Send Last Location).

The "Send Last Location" part is critical. It sends your phone's location to Apple when the battery is about to die. Without it, a thief just needs to let your battery drain and you lose tracking forever.

4. Update Everything Immediately

Your "brand new" phone probably left the factory weeks or months ago. There are almost certainly security patches waiting. I have never unboxed a new phone that did not have at least one pending update. My Pixel 9 Pro had three.

Go to Settings → System → Software Update and install everything. Yes, it takes 15 minutes. Yes, it requires a restart. Do it anyway. Those patches exist because someone found a vulnerability that could compromise your phone, and the manufacturer fixed it. Running an unpatched phone is like leaving your front door unlocked because you just moved in and "nobody knows you live here yet."

People know. Automated scanners know. Update your phone.

5. Review App Permissions (Yes, Already)

Even on a fresh phone, some pre-installed apps have permissions they should not. I check the permission manager before installing anything else, because I want to know the baseline.

The ones I pay attention to:

  • Camera — which apps can access it? On a new phone, this should be minimal.
  • Microphone — same deal. If a weather app wants microphone access, something is wrong.
  • Location — I set most apps to "Only while using" or "Ask every time." Very few apps need your location 24/7.
  • Contacts — games do not need your contacts. Social media apps barely need them.

Android: Settings → Privacy → Permission Manager.
iPhone: Settings → Privacy & Security → (each permission type).

I found that my Pixel came with a pre-installed carrier app that had camera, microphone, and location access enabled by default. A carrier app. For what? I disabled all three and the app works exactly the same. Make of that what you will.
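
An added example, not part of the original article: one way to take the baseline described in this step from a computer, by parsing the text that `adb shell dumpsys package` prints and listing every package that currently holds camera, microphone, location or contacts access. The sample text and package names are constructed, and the line patterns assume the `Package [name]` and `permission: granted=true` layout of that command's output.

```python
import re

# Permissions the checklist singles out: camera, microphone, location, contacts.
SENSITIVE = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "background location",
    "android.permission.READ_CONTACTS": "contacts",
}
PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")

def sensitive_grants(dumpsys_text):
    """Map package name -> sorted list of sensitive permission groups granted."""
    grants, current = {}, None
    for line in dumpsys_text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)  # every following line belongs to this package
            continue
        m = PERM_RE.match(line)
        # Lines without "granted=" (requested/declared lists) never match PERM_RE.
        if m and current and m.group(2) == "true" and m.group(1) in SENSITIVE:
            grants.setdefault(current, set()).add(SENSITIVE[m.group(1)])
    return {pkg: sorted(groups) for pkg, groups in grants.items()}

# Constructed sample modelled on dumpsys output; package names are hypothetical.
SAMPLE = """\
Package [com.example.carrier.hub] (1a2b3c):
  flags=[ SYSTEM HAS_CODE ]
  install permissions:
    android.permission.INTERNET: granted=true
  runtime permissions:
    android.permission.CAMERA: granted=true, flags=[ GRANTED_BY_DEFAULT ]
    android.permission.RECORD_AUDIO: granted=true, flags=[ GRANTED_BY_DEFAULT ]
    android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ GRANTED_BY_DEFAULT ]
    android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET ]
Package [com.example.weather] (4d5e6f):
  runtime permissions:
    android.permission.ACCESS_COARSE_LOCATION: granted=true, flags=[ USER_SET ]
    android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    for pkg, groups in sorted(sensitive_grants(SAMPLE).items()):
        print(f"{pkg}: {', '.join(groups)}")
```

Saving the result on day one gives you something to compare against after each batch of app installs or system updates.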

6. Install a Password Manager

This is the first app I install. Not email. Not messaging. A password manager. Because every single account I create from this point forward should have a unique, randomly generated password.

I use Bitwarden (free tier is genuinely excellent) but 1Password and Dashlane are solid too. The point is not which one — the point is using one at all.

Here is a stat that keeps me up at night: according to a 2024 NordPass study, the average person reuses the same password across 5 different accounts. And the most common password is still "123456." I genuinely do not understand how we have self-driving cars but people are still using "password1" for their banking login.

Install a password manager. Generate unique passwords. Enable the autofill integration. Your entire digital life becomes exponentially more secure with this one step.

7. Enable Two-Factor Authentication on Critical Accounts

Before I sign into anything on the new phone, I make sure 2FA is set up on my most critical accounts. In order of priority:

  1. Email — if someone gets your email, they can reset every other password you have.
  2. Banking and financial apps — self-explanatory.
  3. Cloud storage — Google Drive, iCloud, Dropbox. Contains your life.
  4. Social media — account recovery is a nightmare if you get locked out.

Use an authenticator app (Google Authenticator, Authy, or the one built into your password manager), not SMS-based 2FA. SMS codes can be intercepted through SIM swapping attacks, which are more common than you think. The FBI reported a 400% increase in SIM swap complaints between 2018 and 2023.

Yes, I know this is the least fun step. But it takes about 10 minutes for all your critical accounts. A hacked bank account takes weeks to resolve. I will take the 10 minutes.

8. Set Up Automatic Backups

Your phone will break, get lost, or get stolen eventually. This is not pessimism — it is statistics. The average American replaces their phone every 2.5 years, and not always voluntarily.

Enable automatic backups to the cloud:

Android: Settings → System → Backup → Turn on (backs up to Google).
iPhone: Settings → [Your Name] → iCloud → iCloud Backup → Turn on.

I also manually back up my photos to Google Photos (free, with compression) because I lost an entire summer's worth of photos in 2021 when my phone died without warning. I still think about those photos. Back up your stuff. Right now. I will wait.

9. Disable Bluetooth and Wi-Fi Auto-Connect

By default, most phones will automatically connect to open Wi-Fi networks and accept Bluetooth pairing requests. This is convenient. It is also a security risk.

Public Wi-Fi networks can be spoofed. Someone sets up a hotspot called "Starbucks_WiFi_Free" and your phone connects automatically because it looks legitimate. Now your traffic is flowing through their device. This is not theoretical — it is a well-documented attack called an "evil twin" and it takes about $30 in hardware to pull off.

Fix:

  • Turn off "Connect to open networks" / "Auto-join Hotspot" in Wi-Fi settings
  • Turn off Bluetooth when you are not actively using it
  • Forget any public Wi-Fi networks after you are done using them

My friend Sarah, who does penetration testing for a living, once set up an evil twin network at a security conference — a security conference! — and 47 phones connected to it within an hour. These were cybersecurity professionals. If they fall for it, anyone can.

10. Enable Encrypted DNS

This is the one most people skip because it sounds technical. It is not. It takes 30 seconds and it prevents your internet service provider (and anyone snooping on your connection) from seeing which websites you visit.

Android (9+): Settings → Network & Internet → Private DNS → Private DNS provider hostname → Enter: dns.google or one.one.one.one (Cloudflare).
iPhone (iOS 14+): Install a DNS profile from Cloudflare (1.1.1.1 app) or NextDNS.

Without encrypted DNS, every website you visit is logged in plaintext by your carrier. Your ISP can see that you visited WebMD at 2 AM. Your hotel Wi-Fi operator can see that you are checking competitor prices. Encrypted DNS stops that. It is free. There is no downside. Do it.

Bonus: The Whole List Takes Under 30 Minutes

I timed myself on the Pixel 9 setup. The entire security checklist took 27 minutes, including the software update (which ran in the background while I did everything else).

Twenty-seven minutes to make your phone dramatically more secure. That is less time than the average person spends watching TikTok during their morning coffee. Your phone contains your bank accounts, your private conversations, your photos, your medical records, and your entire digital identity. It deserves 27 minutes of attention before you open Candy Crush.

My partner still thinks I am paranoid. But she also asked me to set up her new phone last week using this exact checklist. So who is the paranoid one now?

Want a printable version of this checklist? I will put one together if there is enough interest. Sometimes the simplest security measures are the ones people actually follow through on.
