Smartphones are a bigger and more crucial part of our digital lives than we realize. Your phone enables your social life, stores your financial details, and even acts as a trusted device for authenticating your online accounts. And all that is secured behind a combination of your fingerprint (or your face scan on iPhones) and a 4/6-digit passcode. While it’s fairly tough to forge your biometric data without professional tools, your device PIN is far easier to crack with simple tricks like shoulder surfing or tracing your light fingertip marks on the screen.

Your phone relies heavily on this passcode, which, if compromised, can give anyone access to all your sensitive information. This becomes a grave issue if your phone ends up in the hands of a thief, leaving all your personal details vulnerable. Apple is now taking steps to fix this up for iPhone users, and I wish Google would follow suit to improve Android’s data security as well in case of a theft.

The iPhone 15 Pro Max’s lock screen

Many iPhone users have notably fallen victim to theft frauds where bad actors would first learn their target’s passcode before stealing their phone shortly after. These crooks know exactly what they need to do next — they use the PIN to hastily disable all security systems like Find My, change your iCloud password to lock you out of your own Apple ID, and even gain access to your passwords saved in Keychain (Apple’s built-in password manager). All this happens before you can even realize you’ve lost your phone, let alone use your iCloud account to enable Lost Mode on your iPhone.

The Wall Street Journal first raised the alarm about this kind of theft back in February 2023, and it looks like Apple is finally acting on this with the newest iOS 17.3 beta release. With this update, Apple has added an optional setting you may turn on that adds a few extra security measures to minimize the damage from a theft. The company has added multiple authentication methods to double-check it’s actually you before letting you edit sensitive settings and has added lengthy time intervals between such attempts.

The Google Pixel 7’s fingerprint scanner in use.

While these issues were first highlighted for iPhone users, Android is prone to similar safety challenges, and there is a lot for Google to learn from Apple.

Android, go learn from iOS

Not a lot of us realize this, but the 4-digit passcode we use to lock our phones is actually the primary security method; your biometrics are layered on top as an additional convenience.

Your phone’s data is encrypted with your passcode. When you restart your phone, you must enter the PIN to verify yourself, and the same goes for when the phone fails to recognize your fingerprint. Your Android phone’s built-in password manager can be unlocked with your device passcode, making all your accounts stored in it vulnerable, and I don’t need to tell you how swiftly these fraudsters can wipe your bank account clean.

Notifications on Google Pixel 8 and iPhone 13

In case your Android phone is lost or stolen, and you use Google’s Find My Device to secure your handset, it will disable the biometrics and once again fall back to your phone’s PIN, password, or, worse, pattern lock. If an intruder has already gotten hold of your PIN, you will find yourself in the same boat as iPhone users have reportedly been in.

Find My Device app running on Google Pixel 7 Pro

Completely disabling biometrics is in a way counterintuitive as it’s the only way to know for sure that it’s you who is unlocking the phone and not some random guy with your PIN. This gets even more worrisome considering many of us tend to reuse the same PIN for multiple apps, especially some sensitive ones like our banking apps, just to avoid remembering a different code for each service. It’s a bigger challenge even for some of the top Android tablets that don’t come with a fingerprint reader and solely rely on PIN unlock.

What Google can learn

Instead of falling back to your PIN every time, Stolen Device Protection on the latest iOS 17 beta requires Face ID authentication for certain critical sections like accessing Apple Keychain, using cards saved in Safari, and turning off Lost Mode, according to The Wall Street Journal. Additionally, changing your Apple ID password, the device passcode, and turning off Find My now requires Face ID verification and adds an extra hour-long interval between each failed attempt. Your iPhone will ask for these additional verifications if it’s in a location you don’t frequent, like when you’re not at home or in the office.

On Android, Google occasionally requires you to punch in your account password if the system finds something suspicious, which is a neat safety measure. However, Android fails in all the same areas as iOS has so far, exposing you to many of the same problems. Google’s smartphone OS would be much better off if it just copied everything Apple has implemented with the current iOS beta.

Six different password managers arranged artfully on an Android phone’s home screen

In addition to all that, Android could fundamentally change how it treats fingerprint readers and make them a primary authentication method. This is feasible to do on devices that use a class 3 biometric scanner, which is more secure and has a low failure rate. Lost/stolen Android phones should rely on a combination of PIN, biometrics, and your Google account password to keep intruders from getting too far. Your Android phone could use several metrics, including location data, to proactively up the security to ensure even a trusted device is in safe hands.

Lastly, this is the right time for Google to bring its long-overdue Apple Find My alternative to all Android phones. It should help people track their lost phones even when they’re offline or powered off using the existing (and vast) network of Android phones. This could not only help you retrieve your phone faster but also keep your data safe on the off chance you don’t ever get your phone back.

What can you do in the meantime?

While a seemingly straightforward solution is to hide your PIN or password while you enter it in public, it’s also a good measure to enroll prints of more of your fingers for cases when the phone isn’t able to identify one; this way you’re able to minimize the use of your PIN unless absolutely necessary. Furthermore, instead of a short 4-digit PIN, opt for a longer PIN or even an alphanumeric passcode, which is harder to guess, though it sure won’t be as convenient to enter or easy to remember. You can also turn off PIN animations on a lot of Android phones for added security.

And I can’t stress enough how important it is to have two-factor authentication enabled on all your accounts — it can save the day in a situation like theft.

Finally, consider any of the top third-party password managers in favor of the built-in ones, because putting all your eggs in one basket isn’t a great idea. These third-party options usually have their own authentication method (besides your phone’s biometrics lock) like a separate master password that keeps anyone from getting access to all your accounts even if they know your phone’s PIN.