Why Your Phone’s Default Settings Are a Liability

Lock It Down // Deep Dive


By Rich Durfee, Ph.D. — RichnTech

When you unbox a new phone, it’s configured to be as open and connected as possible. That’s great for user experience. It’s terrible for security. Every default setting that makes your life slightly more convenient also makes your device slightly more exposed. Here’s what’s actively working against you right now.

Bluetooth is broadcasting your device identity. Unless you’ve explicitly turned it off, your phone is constantly broadcasting Bluetooth signals that can be used to track your location, identify your device model, and in some cases execute relay attacks. Bluetooth Low Energy (BLE) beacons are used in retail stores to track customer movement. The same technology can be used by bad actors in public spaces.

Wi-Fi auto-connect is a trap. Your phone remembers every Wi-Fi network you’ve ever connected to and will automatically rejoin any network with the same name. An attacker can set up a hotspot called ‘Starbucks WiFi’ or ‘Airport Free WiFi’ and your phone will connect without asking. Once connected, they can intercept traffic, inject malicious redirects, or harvest credentials. Turn off auto-join for open networks.

No SIM lock means your number can be hijacked. Most phones ship without a SIM PIN. That means if someone removes your SIM card and puts it in another phone, they have your phone number — which means they can receive your 2FA codes, reset your email password, and cascade into your bank accounts. Set a SIM PIN in Settings → Cellular → SIM PIN (iOS) or Settings → Security → SIM card lock (Android).

Location services are over-shared. By default, many apps request ‘Always’ location access when ‘While Using’ would be sufficient. Some apps don’t need location at all. Every app with location access is a potential data leak — your movement patterns, home address, and workplace are all derivable from location data. Audit permissions and switch everything to ‘While Using’ or ‘Never’ unless there’s a genuine reason for ‘Always.’

Lock screen notifications reveal too much. By default, message previews appear on your lock screen — meaning anyone who picks up your phone can read incoming texts, emails, and notifications without unlocking it. This includes 2FA codes sent via SMS. Go to Settings → Notifications and change notification previews to ‘When Unlocked’ for all apps.

USB debugging and developer options are potential backdoors. On Android, if you’ve ever enabled developer options or USB debugging (common for tech enthusiasts), your phone can be accessed and controlled via a USB connection without your knowledge. Disable developer options when you’re not actively using them.
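As an added example that is not part of the original article, here is a small POSIX shell audit of the Android settings behind three of the points above (Bluetooth, lock screen previews, USB debugging/developer options). It parses the `key=value` text that `adb shell settings list global` and `adb shell settings list secure` print and flags anything still at the risky default; the keys are standard Android Settings.Global/Settings.Secure names, but whether each one is listed, and what the OEM default is, varies by Android version, and the sample output below is constructed.

```shell
#!/bin/sh
# Added example: audit Android settings behind the defaults discussed above.
# Input is the key=value text printed by `adb shell settings list global` and
# `adb shell settings list secure`; keys are standard Settings.Global/Secure
# names, but their presence varies by Android version and OEM build.

# check_setting LIST KEY EXPECTED LABEL
# Prints one line; returns 1 only when KEY is present and not at EXPECTED.
check_setting() {
    list="$1"; key="$2"; expected="$3"; label="$4"
    value=$(printf '%s\n' "$list" | tr -d '\r' | sed -n "s/^$key=//p" | head -n1)
    if [ -z "$value" ]; then
        echo "UNKNOWN  $label ($key not listed on this build)"
        return 0
    elif [ "$value" = "$expected" ]; then
        echo "OK       $label ($key=$value)"
        return 0
    fi
    echo "FINDING  $label ($key=$value, want $expected)"
    return 1
}

# audit GLOBAL_LIST SECURE_LIST
# Prints a line per check; returns the number of FINDING lines.
audit() {
    findings=0
    check_setting "$1" adb_enabled 0 "USB debugging off" || findings=$((findings + 1))
    check_setting "$1" development_settings_enabled 0 "Developer options hidden" || findings=$((findings + 1))
    check_setting "$1" bluetooth_on 0 "Bluetooth off" || findings=$((findings + 1))
    check_setting "$2" lock_screen_allow_private_notifications 0 "Lock screen hides notification content" || findings=$((findings + 1))
    return $findings
}

# Constructed sample output standing in for a phone still on factory defaults
# (USB debugging was switched on so adb could read the settings).
SAMPLE_GLOBAL='adb_enabled=1
development_settings_enabled=1
bluetooth_on=1
wifi_on=1'
SAMPLE_SECURE='lock_screen_allow_private_notifications=1
lock_screen_show_notifications=1'

# Live use with a phone attached:
#   audit "$(adb shell settings list global)" "$(adb shell settings list secure)"
audit "$SAMPLE_GLOBAL" "$SAMPLE_SECURE" \
    || echo "$? setting(s) still at the risky default"
```

Running it against a real phone requires USB debugging to be on, which is exactly why the first check matters: turn it off again once the audit is done.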

None of these defaults are bugs — they’re design choices that prioritize ease of use. But they create an attack surface that most people never think about. The fix takes 10 minutes. The breach that results from ignoring them takes months to recover from.
