Phone Privacy Hardening: Lock Down Your Device

Your phone is the most surveillance-capable device ever invented and most people carry it set to factory defaults. Factory defaults are not designed for your privacy — they are designed for platform revenue, app developer conversion rates, and manufacturer relationships with data brokers. Apple and Google both have business models that depend on data collection. The default configuration reflects that.

This guide tells you exactly what to change, in what order, on both iOS and Android. Not theoretical recommendations. Specific settings paths, specific commands, specific reasoning for each control. Start at the beginning and work through it. The whole process takes about 90 minutes for a thorough audit of a device that hasn't been hardened before.

Before you start: this is a hardening guide, not a paranoia guide. The goal is not to make your phone useless by locking it down completely. It's to eliminate surveillance that provides no value to you and significant value to others.

Why Factory Defaults Are Bad

What Apple Collects by Default

When you set up an iPhone and tap "Agree" through the setup screens without reading them, you consent to:

• Location data collection for "improving Maps and other Apple services"
• iPhone Analytics — daily diagnostic data including usage patterns and device information sent to Apple
• App Analytics — usage data shared with third-party app developers
• Personalized Ads — Apple's advertising platform using your behavior across the App Store and Apple News
• Siri data retention — audio recordings reviewed by human contractors to improve Siri accuracy (a practice revealed in 2019 by a Guardian investigation)
• iCloud backup which gives Apple access to your device contents under legal process — including decrypted messages (iMessage end-to-end encryption is bypassed when messages are included in an iCloud backup)

None of this is hidden. It's in the privacy policies. But the setup flow is designed to make accepting everything the path of least resistance.

What Google Collects by Default on Android

Android's default configuration collects substantially more:

• Location history stored in your Google account — a timeline of everywhere you've been, accurate to within meters, retained indefinitely unless you explicitly delete it
• Web & App Activity — a log of every Google Search, every website visited in Chrome, every YouTube video, every Google app used
• Device information — hardware identifiers, network information, crash data
• Advertising ID (GAID) — a persistent identifier shared across all apps on your device for cross-app tracking
• Wi-Fi and Bluetooth scanning — even when Wi-Fi is "off," many Android devices continue scanning for nearby networks and Bluetooth devices to improve location accuracy
• Usage statistics — how you use your device, which apps, when, for how long

The 2018 Associated Press investigation found that many Google services store your location data even when you've explicitly told Google to stop — a finding that led to a $391.5 million settlement with 40 US states in November 2022. The settlement required Google to be more transparent about location tracking. It did not stop the collection.

Understanding what's collected by default helps you prioritize what to turn off.

Lock Screen Security: The Physical Access Defense

Passcode Strength

A 4-digit PIN has exactly 10,000 combinations. With iOS's default 6-attempt lockout before a 1-minute delay (increasing with further attempts), 10,000 combinations is genuinely hard to brute force on-device. But "hard to brute force" is not the right standard. Law enforcement forensics tools like GrayKey and Cellebrite Premium have bypassed 4-digit PINs in documented cases. A 6-digit PIN (1 million combinations) is better; an alphanumeric passphrase is better still.

The tradeoff is real: A strong passphrase is annoying to type 50 times a day. The solution is using biometrics for convenience while maintaining a strong passphrase as the backup that actually determines your security level.

iOS:

Settings → Face ID & Passcode → Change Passcode
→ Passcode Options → Custom Alphanumeric Code

Use a passphrase of at least 6 words (diceware method) or a random alphanumeric string of at least 12 characters. Avoid patterns, repeated characters, or anything based on memorable information (birthdays, addresses, names).

Android:

Settings → Security → Screen Lock → Password

Set a strong alphanumeric password. Android's pattern unlock is particularly vulnerable to smudge attacks — the grease trace from your finger reveals the pattern to anyone who holds the phone at the right angle under light.

Notification Security

Every notification that shows on your lock screen without authentication is a privacy leak. Text messages, 2FA codes, email subjects, banking alerts — all visible to anyone who picks up your phone.

iOS:

Settings → Notifications → Show Previews → When Unlocked

This hides message content from the lock screen while still showing the app name and sender. For maximum privacy, select "Never" — you'll see a notification badge but no content.

Per-app granularity: Settings → Notifications → [App Name] → Show on Lock Screen (toggle off for sensitive apps).

Android:

Settings → Privacy → Notifications on lock screen
→ "Hide silent conversations and alerts" or "Don't show notifications at all"

On Android 14+, you can set per-app notification lock screen visibility at: Settings → Notifications → App Notifications → [App Name] → Sensitive Notifications.

Specific concern: SMS-based 2FA codes should never be visible on the lock screen. Set your messaging app's lock screen notifications to hidden.

Auto-Lock Timeout

Every second your phone is unlocked and unattended is a physical access vulnerability. Set auto-lock to 30 seconds maximum.

iOS:

Settings → Display & Brightness → Auto-Lock → 30 Seconds

Android:

Settings → Display → Screen timeout → 30 seconds

The inconvenience of frequent re-authentication is real. The alternative — a phone left unlocked on a table at a coffee shop — is worse.

iOS Stolen Device Protection

This is a significant security feature added in iOS 17.3 in January 2024, directly responding to a wave of iPhone theft cases (documented extensively by the Wall Street Journal in early 2023) where thieves watched victims enter their passcode before stealing the phone, then used the passcode to change Apple ID passwords and lock victims out of their digital lives.

Enable it:

Settings → Face ID & Passcode → Stolen Device Protection → Turn On

How it works: When your iPhone is away from trusted locations (home, work), making critical changes — changing your Apple ID password, viewing stored passwords in Keychain, turning off Find My, changing Face ID — requires a biometric check AND a one-hour delay before the change takes effect. This gives you an hour to mark the device lost before a thief can lock you out.

This feature has no meaningful downside. Enable it.

Biometrics and Legal Context

Face ID and fingerprint unlock are convenient but they have a legal vulnerability that PINs/passwords do not: in the United States, courts have generally held that compelled biometric authentication (police forcing you to look at your phone or place your finger on it) does not violate the Fifth Amendment's protection against self-incrimination — because it's not "testimonial." A PIN, being knowledge in your mind, may have Fifth Amendment protection in some circuits.

This is a minority concern for most people, but it's worth knowing how to disable biometrics quickly:

iOS — Emergency lockout: Press and hold the side button plus either volume button simultaneously. This brings up the Emergency SOS screen AND disables Face ID until the passcode is entered. After five failed Face ID attempts, the phone also requires the passcode.

Android: Press the power button, then select "Lockdown" (on Pixel and some other Android devices). This disables biometric unlock until the PIN is entered. You can also set "Require PIN after reboot" in most Android security settings.

App Permissions: The Ongoing Attack Surface

App permissions are not a one-time decision. They accumulate. An app you granted camera access to two years ago because you were uploading a photo still has camera access now. You forgot. The app developer hasn't.

The Nuclear Permission Audit

Set aside 20 minutes and go through every sensitive permission category. This is tedious and worth doing.

iOS Location Services:

Settings → Privacy & Security → Location Services

For each app:

• Never: Default for apps that have no location-relevant function (games, productivity, social, shopping, most others)
• While Using: Apps that need your location when you're actively using them (weather, Maps when navigating, Yelp when searching nearby)
• Always: Reserve for apps whose entire purpose requires background location (Find My, a running tracker that logs your route, navigation while phone is in pocket)

"Always" access means the app can query your location continuously, 24/7, even when the screen is off and you haven't opened the app in weeks. Almost no consumer app legitimately needs this. The number of apps that have "Always" access on a typical unaudited phone is disturbing.

Specific concern: Social media apps (Instagram, TikTok, Twitter/X, Facebook) should be set to "Never" for location. They don't need your precise location to function. Their interest in your location is advertiser revenue.

iOS Microphone:

Settings → Privacy & Security → Microphone

Every app listed here has microphone access. Revoke any app that is not:

• An actual voice communication app (phone, WhatsApp, Signal, Telegram)
• A voice recording app you actively use
• A voice assistant you intentionally configured

Social apps, games, news apps, shopping apps — none of these need microphone access. The persistent consumer concern about social apps "listening" for ad targeting has been repeatedly denied by Facebook and others, and most security researchers believe passive always-on listening is not what's happening (the data costs would be enormous and detectable). But apps with microphone access CAN access the microphone when the app is in the foreground, and some apps do use the microphone opportunistically.

iOS Camera:

Settings → Privacy & Security → Camera

Same analysis: revoke from any app that has no legitimate photo/video function.

iOS Contacts:

Settings → Privacy & Security → Contacts

Contact access is used to build social graphs. Facebook/Meta admitted in 2019 that they had collected contact data from users' phones — including data on people who had never created Facebook accounts — to build "shadow profiles" used for advertising. Apps that ask for contacts to "find your friends" use that data for network mapping. Grant this only to messaging apps (Messages, WhatsApp, Signal) and phone dialers.

iOS Tracking:

Settings → Privacy & Security → Tracking → Allow Apps to Request to Track → OFF

This is Apple's App Tracking Transparency (ATT) setting, introduced in iOS 14.5 in April 2021 — a change that Meta later estimated would cost them $10 billion in annual revenue, because it made cross-app tracking opt-in rather than opt-out.

Turn off "Allow Apps to Request to Track." With this off, apps cannot even ask for permission to track you with your IDFA. For apps already granted tracking permission, the list is visible in this same menu — revoke them all.

Android — Comprehensive Permission Audit:

Settings → Privacy → Permission Manager

Then review each dangerous permission category individually:

Permission Manager → Camera → review all apps → change to "Ask every time" or "Don't allow"
Permission Manager → Microphone → same analysis
Permission Manager → Location → change all "Allow all the time" to "Allow only while using"
Permission Manager → Contacts → revoke from anything not a communication app
Permission Manager → Call logs → revoke from anything not a phone/communication app
Permission Manager → SMS → revoke from anything not a messaging app you use

Android 12+ Indicators:

Android 12 added a privacy dashboard (Settings → Privacy → Privacy Dashboard) showing which apps accessed which sensors in the last 24 hours. Run this after the permission audit to catch anything you missed.

Android 12 also added microphone and camera privacy indicators — a green dot in the status bar appears when an app is actively using the camera or microphone. If you see this dot and you're not in a video call or taking a photo, an app is accessing the sensor in the foreground. Check what's open.

# ADB command to check all app permissions (requires USB debugging):
adb shell pm list packages -f -3 | awk -F'=' '{print $2}' | while read pkg; do
  echo "=== $pkg ==="
  adb shell dumpsys package "$pkg" | grep -A1 "android.permission.CAMERA\|android.permission.RECORD_AUDIO\|android.permission.ACCESS_FINE_LOCATION\|android.permission.READ_CONTACTS"
done

Advertising ID: Nuclear Option

iOS:

Settings → Privacy & Security → Tracking → disable "Allow Apps to Request to Track"

There is no separate "delete" for the IDFA on iOS — disabling tracking prevents apps from accessing it. Some apps receive a zeroed-out ID when ATT is denied.

Android 12+:

Settings → Privacy → Ads → Delete advertising ID

On Android 12 and later, you can delete the GAID (Google Advertising ID) entirely. Apps that request it receive a string of zeros rather than a unique identifier. This is categorically better than opting out while leaving the ID in place (opting out tells apps "don't use this for targeting" — some ignore it; deleting means there's nothing to use).

On older Android, the equivalent is: Settings → Google → Ads → Opt out of Ads Personalization.

Eliminate Unused Apps

Every installed app is:

• An attack surface (vulnerabilities in the code)
• A potential persistent location/data access grantee
• A network endpoint that communicates with third-party servers
• A potential acquisition target (apps get bought by data brokers; their privacy policies change)

The app you installed for a specific trip three years ago is still installed, still has permissions you granted at the time, still potentially running background processes, and may now be owned by a company that didn't exist when you installed it.

Monthly audit: Delete any app you haven't opened in 30 days. Be ruthless. You can reinstall.

iOS — view install history:

App Store → your profile photo → Purchased → Not on This iPhone

This shows everything you've ever downloaded, including apps you've since deleted. Useful for remembering what you installed, but also useful for confirming that apps you deleted are actually gone.

Android — view all installed apps:

Settings → Apps → See all apps

Sort by last update or last used (available on some Android versions) to identify stale apps.

Specific categories to audit aggressively:

• VPN apps (many free VPNs are data collection businesses)
• Free utilities (flashlights, weather apps, QR scanners — frequently monetized by data brokering)
• Social apps you don't actively use (each has extensive permissions)
• Games (often have the broadest permission sets for seemingly legitimate gameplay reasons)
• Shopping apps (tracking purchase intent is lucrative; most collect extensively)

Secure Messaging: Replace SMS and Standard Calls

Standard SMS is a postcard. Carriers can read it. Governments can compel carriers to produce it. Network equipment can capture it in transit. It has no encryption at rest on carrier servers. IMSI catchers (Stingrays) — devices sold to law enforcement that impersonate cell towers — can capture SMS and phone calls in real time.

Signal: The Gold Standard

Signal provides end-to-end encrypted messages, voice calls, video calls, and file transfer. The encryption is based on the Signal Protocol, which is also used by WhatsApp and Facebook Messenger for their E2E-encrypted modes. The difference is that Signal's code is open source and audited, it collects essentially no metadata, and it is operated by a nonprofit (Signal Foundation) with no advertising business model.

Key Signal settings to configure:

Signal → Settings → Privacy → Default Timer → 1 Week

Disappearing messages means that even if your device is compromised in the future, your historical conversation history is not preserved. One week is a reasonable default for most people; set shorter for more sensitive conversations.

Signal → Settings → Privacy → Screen Security → ON

This prevents Signal from appearing in the app switcher preview — your conversation list won't appear when someone double-taps the home button.

Signal → Settings → Privacy → Incognito Keyboard → ON (Android)

Prevents your keyboard from learning your Signal typing patterns (which can include sensitive communications).

Signal → Settings → Notifications → Show → No Name or Message

On the lock screen, this shows "Signal notification" rather than the sender's name and message content.

Registration lock:

Signal → Settings → Account → Registration Lock → ON

Prevents someone from re-registering your Signal number on a new device even if they SIM-swap your number. They'd need your Registration Lock PIN.

iMessage: Useful with Caveats

iMessage provides end-to-end encryption between Apple devices, but with two important caveats:

Caveat 1: Messages fall back to unencrypted SMS (green bubble) when the recipient uses Android. You cannot rely on iMessage encryption in cross-platform conversations. The fallback is invisible — you don't get warned when encryption is unavailable; the bubble just changes color.

Caveat 2: If iCloud backup is enabled and Messages is included in the backup, Apple holds a key to your message history. The E2E encryption of iMessage does not protect messages that are also stored in iCloud backups because Apple generates an additional key for backup decryption. Under legal process (a court order), Apple produces this. This was used in the FBI's 2016 fight with Apple — the data Apple said they couldn't produce from the encrypted iPhone, they could in some cases produce from iCloud backups.

To enable full end-to-end encryption for iMessage backups (introduced in iOS 16 as "Advanced Data Protection"):

Settings → [Your Name] → iCloud → Advanced Data Protection → Turn On

This encrypts iCloud backups with a key only you hold, preventing Apple from complying with legal demands for backup content. The tradeoff: if you lose your recovery key and all your trusted devices, Apple cannot help you recover your data.

WhatsApp: The Metadata Problem

WhatsApp uses the Signal Protocol for message encryption — the same cryptographic foundation as Signal. Message content is end-to-end encrypted. What WhatsApp retains is metadata: who you communicated with, when, how often, the size of messages. This metadata is shared within the Meta ecosystem and used for advertising targeting.

The 2021 WhatsApp privacy policy update that prompted millions of users to switch to Signal (the app shot to number one in multiple countries' app stores) was about data sharing between WhatsApp and Facebook for advertising purposes — confirming what privacy researchers had argued for years.

For casual communications: WhatsApp is adequate — the message content is encrypted. For anything sensitive — sources, legal matters, medical information, personal crises — use Signal, where the metadata is also minimized.

Telegram: Not What Most People Think

A persistent misconception: Telegram is end-to-end encrypted. It is not, by default. Standard Telegram chats are encrypted in transit (client to server) and at rest (on Telegram's servers, encrypted with keys Telegram holds). Telegram can read your messages. Telegram has complied with government requests for user data in some jurisdictions.

The E2E-encrypted option in Telegram is "Secret Chats" — which must be explicitly initiated and only work in one-on-one conversations. Group chats have no E2E encryption option.

Telegram's advantage is its channel feature (one-to-many broadcasts) and large group capability — not its security. Do not use Telegram for communications where confidentiality matters.

Cloud Account Security: The Most Overlooked Attack Surface

Apple ID Security

Your Apple ID is the master key to everything on your iPhone: messages, photos, location, app data, passwords (if you use iCloud Keychain), and backups.

2FA — non-negotiable:

Settings → [Your Name] → Password & Security → Two-Factor Authentication → Turn On

Review trusted phone numbers. Every number listed can receive 2FA codes and authenticate as you. Remove any number you don't exclusively control.

Review trusted devices: Settings → [Your Name] → scroll down. Remove any device you don't recognize.

Recovery contact: Settings → [Your Name] → Password & Security → Account Recovery → Add Recovery Contact. Designate a trusted person who can help you recover access if you lose all your trusted devices.

Sign-in & Security settings at appleid.apple.com: Periodically review recent activity, sign-in locations, and authorized apps.

Google Account Security

Security Checkup: Visit myaccount.google.com/security-checkup — Google's own security audit tool, which surfaces specific issues: signed-in devices, app access, recovery options.

Disable Web & App Activity:

myaccount.google.com → Data & privacy → Web & App Activity → Turn Off

This stops Google from saving your search history, YouTube history, Google Maps searches, and other activity to your account. Google still processes these queries to serve results, but doesn't retain a log tied to your identity.

Disable Location History:

myaccount.google.com → Data & privacy → Location History → Turn Off

Stops the continuous recording of your physical movements in Google's Timeline feature.

Advertising personalization:

myaccount.google.com → Data & privacy → Ad settings → Personalized ads → Turn off

This limits Google's use of your data for ad targeting across Google properties and partner sites.

Delete activity data:

myaccount.google.com → Data & privacy → Web & App Activity → Manage activity → Delete all time

Deletes the historical record of your activity Google has accumulated. Set auto-delete to 3 months for ongoing cleanup.

Network Privacy: DNS and Beyond

DNS Over HTTPS: Encrypt Your Lookups

Your ISP logs every DNS query you make — every domain your phone looks up. This is a detailed behavioral record: which apps you use, which websites you visit, what services you communicate with. DNS queries travel in plaintext by default.

DNS over HTTPS (DoH) encrypts your DNS queries and routes them to a resolver you choose rather than your ISP's default.

Android 9+ (System-Wide Private DNS):

Settings → Network & Internet → Private DNS → Private DNS provider hostname

Enter one of:

• dns.quad9.net (Quad9 — also blocks known malicious domains)
• 1dot1dot1dot1.cloudflare-dns.com (Cloudflare — fast, privacy-focused)
• dns.mullvad.net (Mullvad — ad and tracker blocking, no-logging)

This applies to all connections including cellular, not just Wi-Fi.

iOS (via Configuration Profile):

iOS doesn't have a simple in-settings DoH toggle for system-wide configuration. Options:

1. Download Cloudflare's 1.1.1.1 app from the App Store — installs a DoH configuration profile that covers the whole device
2. Download Quad9's configuration profile from quad9.net/service/set-up-quad9/#ios — same effect
3. Alternatively, configure DoH per-network: Settings → Wi-Fi → [Network] → Configure DNS → Manual → add DoH resolver IP

The Cloudflare 1.1.1.1 app approach is simplest and provides system-wide coverage including cellular.

What DoH does not protect: DNS encryption hides the domains you look up from your ISP. It does not hide the IP addresses you connect to (revealed through network traffic analysis), the SNI (Server Name Indication) extension in TLS handshakes (which reveals the hostname even without DNS), or the timing and volume of your traffic.

For traffic that masks all of this, you need Encrypted Client Hello (ECH, supported in Firefox and Chrome but not yet widely deployed) and a VPN.

VPN Selection and Configuration

A VPN encrypts all traffic between your phone and the VPN server, preventing your ISP and local network from seeing your destination or content. The trade-off: the VPN provider sees what your ISP used to see.

The critical consideration: trust your VPN provider as much as you trust your ISP. Avoid providers that:

• Are free (your traffic is the product)
• Have not undergone independent security audits (claims ≠ verification)
• Are incorporated in jurisdictions with mandatory data retention laws without explicit no-logging guarantees

Providers with verified no-logging policies through independent audit:

Mullvad: €5/month flat rate (no accounts — you buy time with a random account number, which means Mullvad doesn't know who you are). They were audited by Cure53 in 2020 and 2022. In April 2023, Swedish police raided Mullvad's office with a court order for user data — Mullvad produced nothing, because no logs existed. This real-world test is better evidence than any audit.

ProtonVPN: Part of Proton AG's privacy suite. Audited by SEC Consult in 2022. Swiss jurisdiction with strong privacy laws. Has a functional free tier with speed restrictions (useful for evaluation).

IVPN: Audited by Cure53. Offers anonymous payment. No email required to sign up.

Configuration best practice:

Enable: Kill switch (also called "Network Lock" or "Always-on VPN")

A kill switch cuts all internet traffic if the VPN connection drops, preventing your traffic from falling back to your unencrypted connection. Essential if you're using a VPN for actual privacy rather than just shifting trust.

iOS:

Settings → VPN → [VPN Name] → Connect On Demand → Enable

Android:

Settings → Network & Internet → VPN → [VPN Name] → Always-on VPN → Enable
Block connections without VPN → Enable (this is the kill switch)

iOS-Specific Hardening

Lockdown Mode (iOS 16+)

Lockdown Mode is Apple's maximum security configuration, designed for high-risk individuals (journalists, activists, lawyers, executives targeted by sophisticated threats).

Settings → Privacy & Security → Lockdown Mode → Turn On Lockdown Mode

What it disables:

• Most message attachment types (only images, certain video types allowed in Messages)
• Link previews in Messages
• All incoming FaceTime calls from unknown contacts
• Wired connections to computers or accessories when the iPhone is locked
• Configuration profiles
• JavaScript Just-in-Time (JIT) compilation in Safari (breaks some websites)
• Shared albums in Photos

Lockdown Mode is not appropriate for most users — it noticeably reduces usability. It is appropriate for people with specific, credible threat models: journalists communicating with sources in authoritarian countries, human rights workers, lawyers in politically sensitive cases, or executives targeted by corporate espionage.

Check for MDM Profiles

Mobile Device Management profiles can grant extraordinary device control. Always verify what profiles are installed.

Settings → General → VPN & Device Management

A personal iPhone should typically show no profiles, or only profiles you installed yourself (such as the Cloudflare DoH profile). If you see profiles from organizations you don't recognize, investigate before proceeding.

A profile with a VPN payload active can intercept all your traffic. A profile with a certificate payload can enable HTTPS inspection, decrypting your HTTPS traffic at a man-in-the-middle point. Neither of these should exist on a personal device without your explicit knowledge.

Limit Siri Capabilities

Siri requires persistent "always listening" access to detect "Hey Siri." Depending on your threat model, this may be acceptable or not.

Settings → Siri & Search → Listen for "Hey Siri" → OFF (if you don't use voice activation)
Settings → Siri & Search → Allow Siri When Locked → OFF
Settings → Siri & Search → Suggestions in Search → OFF
Settings → Siri & Search → Suggestions in Look Up → OFF

For each installed app, Settings → Siri & Search → [App Name] → off. This prevents Siri from indexing content from apps you want to keep private.

Siri Data and Privacy:

Settings → Privacy & Security → Analytics & Improvements → Improve Siri & Dictation → OFF

This opts you out of sending Siri recordings to Apple for human review.

Android-Specific Hardening

Developer Options: Enable USB Debugging Safely

Developer Options are hidden by default and unlock a range of useful security tools, including ADB access for device auditing. The same settings, however, create security risks if left enabled.

Enable Developer Options:

Settings → About Phone → Build Number → tap 7 times

For security audit (enable temporarily):

Settings → Developer Options → USB Debugging → ON

Use ADB for your audit, then turn USB Debugging off when done:

Settings → Developer Options → USB Debugging → OFF

Leave all other Developer Options at defaults unless you have a specific reason to change them.

ADB security audit commands:

# List all installed apps with APK paths
adb shell pm list packages -f -3
 
# Show all permissions granted to all apps
adb shell pm list packages | while read line; do
  pkg=$(echo $line | sed 's/package://')
  echo "=== $pkg ==="
  adb shell dumpsys package $pkg | grep "granted=true"
done
 
# Check for apps with admin access
adb shell dpm list-owners
 
# View all running services
adb shell dumpsys activity services | grep ServiceRecord
 
# Check battery drain by UID (useful for spotting background processes)
adb shell dumpsys batterystats --charged | grep "^  Uid"
 
# Network statistics (shows data usage by app)
adb shell dumpsys netstats | grep "iface=rmnet" -A20
 
# Check accessibility services
adb shell settings get secure enabled_accessibility_services

Google Play Protect

Google's built-in malware scanner. Verify it's enabled and has recently scanned:

Play Store → profile photo → Play Protect → Scan device

Play Protect scans installed apps against Google's malware database and can detect known stalkerware. It's not comprehensive (it will miss newly released or obfuscated malware), but it's a free baseline that should always be enabled.

Important setting: Play Protect can scan apps sideloaded from outside the Play Store. Enable: Play Protect → Settings → Scan apps with Play Protect (the "Improve harmful app detection" toggle sends suspicious APKs to Google for analysis — disable this if you want to avoid sending app data to Google).

Special App Access: A Comprehensive Review

Settings → Apps → Special App Access

Review every category:

• All files access: Should be empty or contain only a file manager you installed
• Device admin apps: Should be empty or contain employer MDM only
• Modify system settings: Legitimate only for alarm/clock apps that need to modify ringtone
• Display over other apps: Legitimate only for apps you use that need overlays (quick settings widgets, etc.)
• Usage access: Grants access to your app usage statistics — legitimate for parental controls, battery management apps, but should be minimal
• Notification access: Should contain only apps that need to manage notifications (like a smart notification manager you intentionally installed)
• VPN: Should contain only your VPN app
• Wi-Fi control: Should be empty or contain system apps only
• Install unknown apps: Should be empty — revoke any granted permissions

Establishing a Maintenance Routine

Privacy hardening is not a one-time event. Permissions accumulate, apps get installed, account sessions persist, and the threat landscape evolves.

Monthly (30 minutes)

• Review installed apps, delete any not used in the past 30 days
• Check battery and data usage for anomalies
• Review active sessions on Google and Apple ID
• Verify no new permissions granted to apps you don't use

Quarterly (1 hour)

• Full permissions audit (location, microphone, camera, contacts)
• Review MDM profiles (iOS)
• Audit all OAuth-connected apps (Google: myaccount.google.com/permissions; Apple: appleid.apple.com → Apps & Websites using Apple ID)
• Check for OS updates not yet applied
• Review VPN provider's status (any reported data events, ownership changes)

Annually

• Full factory reset evaluation: is a clean start warranted?
• Password rotation for highest-value accounts (email, Apple ID, Google)
• Review hardware security keys (if used): are they physically secure?
• Evaluate whether your VPN provider's no-logging policy has been independently tested

Triggered Events

After handing a device to anyone (repair shop, friend, family member): Assume they had access. Check: all app permissions (particularly accessibility and device admin on Android), MDM profiles (iOS), active account sessions, and device admin apps.

After a relationship ends: If an ex-partner had physical access to your device or account credentials, do the full audit from the partner surveillance detection guide in addition to this hardening checklist.

After any security incident: Device compromise, account compromise, or any event that suggests unauthorized access warrants immediate response: change passwords from a clean device, revoke all sessions, check for new device admin apps or accessibility services (Android) or MDM profiles (iOS), and consider whether a factory reset is warranted.

The Essential Settings Checklist

Lock Screen:

• [ ] Alphanumeric passcode or 8+ digit PIN (not pattern or 4-digit PIN)
• [ ] Notification previews set to "When Unlocked" or "Never"
• [ ] Auto-lock set to 30 seconds
• [ ] Stolen Device Protection enabled (iOS 17.3+)

Permissions:

• [ ] Location: only essential apps on "While Using," zero apps on "Always" without justification
• [ ] Microphone: only active communication and recording apps
• [ ] Camera: only camera apps, video call apps, and apps you actively photograph with
• [ ] Contacts: only messaging apps
• [ ] Advertising tracking: disabled/ID deleted (iOS ATT off, Android delete GAID)

Accounts:

• [ ] Apple ID and Google 2FA enabled with authenticator app (not just SMS)
• [ ] Trusted devices reviewed and trimmed
• [ ] Recovery options verified
• [ ] Web & App Activity and Location History disabled (Google)

Messaging:

• [ ] Signal installed and used for sensitive communications
• [ ] Disappearing messages enabled in Signal
• [ ] iMessage Advanced Data Protection enabled (iOS — if you want E2E backups)

Network:

• [ ] Private DNS configured (Android) or DoH app installed (iOS)
• [ ] Trusted VPN configured with kill switch (if warranted by threat model)

Audits:

• [ ] No unrecognized MDM profiles (iOS)
• [ ] No unrecognized apps in device admin, accessibility services (Android)
• [ ] No unrecognized apps in full app list
• [ ] Play Protect scan clear (Android)

Your phone's default configuration is optimized for engagement, advertising revenue, and convenience — not for your privacy. Every item on this list shifts that balance back toward you. The whole audit takes 90 minutes the first time and substantially less on subsequent quarterly reviews.