For everyone who's keeping their Android

Harden stock Android instead of switching

You have an ordinary Android phone – Samsung, Xiaomi, Pixel & co. – and don't want to (or can't) switch to GrapheneOS? Understandable. With the right settings you can squeeze a lot more privacy out of even a factory-shipped Android. Here's the compact checklist to work through – sorted by area.

An honest reality check up front: Even a well-hardened stock Android does not reach the level of GrapheneOS – the Google Play Services keep running with system privileges and collect data deep inside the device, and you can neither verify the boot chain nor block network access per app for every app. With this checklist you'll still get very far and noticeably reduce tracking and data leakage. If you want the maximum, you'll still find it with GrapheneOS.

Paths may differ: Android looks different depending on the manufacturer – Pixel (pure Android), Samsung (One UI), Xiaomi (HyperOS/MIUI) and so on. The menu labels below follow current Android; when in doubt, search the settings for keywords like "ads," "location" or "diagnostics."

1 · Slim down your Google account

The biggest source of data isn't the phone, it's your Google account. This is where most of the effort pays off – and much of it applies across all your devices. Work through it at your own pace.

Open the activity settings: Settings → Google → Data & privacy (or myactivity.google.com).
"Web & App Activity": OFF – and delete existing activity. This is the biggest lever against profiling.
"Timeline" (formerly "Location History"): The cloud-based Location History was retired at the end of 2024 – the Timeline now lives only on the device (in Google Maps → profile → "Your Timeline"). Turn it off there and delete the local data.
"YouTube History": OFF if you don't need it.
Personalized ads: OFF (Data & privacy → Personalized ads).
Enable auto-delete for everything you want to keep (e.g. "after 3 months").
Fewer accounts = less sync: sync only the Google services you really need (Settings → Accounts).

2 · Permissions & privacy

Every app gets only what it really needs – nothing more. Thankfully, Android makes this fairly convenient these days.

Go through the Permission manager: Settings → Security & privacy → Privacy → Permission manager. Check camera, microphone, location, contacts & co. for each app.
Location per app: set it to "Allow only while using the app" or "Ask," and turn off precise location wherever "approximate" is enough.
"Pause app activity if unused": ON (formerly "Remove permissions if app is unused") – automatically strips rights from rarely used apps, stops background activity and clears temporary data.
Camera/microphone access as a system-wide quick toggle in the control center.
Privacy dashboard: take a look – it shows which app accessed what and when.

3 · Advertising ID & diagnostics data

Two quick toggles with a big impact against cross-app tracking.

Delete advertising ID: Settings → Security & privacy → Privacy → Ads → "Delete advertising ID". After that, apps no longer get a device-wide tracking identifier.
Usage & diagnostics data to Google: OFF (Settings → Google → … → Usage & diagnostics).
Manufacturer telemetry: turn it off as well (see section 7).

4 · Location services

You don't have to sacrifice location entirely – usually it's enough to decide deliberately.

Wi-Fi & Bluetooth scanning: OFF (Location → Location services) – prevents location estimation via radio networks in the background.
Google Location Accuracy: choose deliberately; disable it for more privacy (at a small cost in accuracy).
Emergency Location Service (ELS) you can leave on – it only kicks in during an emergency call.
Per app, set it to "Allow only while using the app" or "Never."

5 · Network & connections

Encrypted DNS is the simplest lever with the biggest effect – it blocks ads and trackers system-wide, across all apps.

Set up Private DNS: Settings → Network & internet → Private DNS → "Hostname" → dnsforge.de. Details & variants on the Recommendations page.
Randomized MAC address per Wi-Fi network (the default on modern Android) – makes tracking across networks harder.
Bluetooth & NFC off when not in use.
Disable "connect automatically" for public Wi-Fi networks.

6 · Lock, updates & app protection

The foundation: a well-secured, up-to-date device that holds up against unfamiliar hands.

Strong lock: at least a 6-digit PIN, better still a passphrase. Biometrics only as added convenience on top.
Lock-screen notifications: show sensitive content "only when unlocked."
Install updates promptly – security patches are the single most important factor. Check how long your model still gets updates.
Google Play Protect: ON.
"Install unknown apps" only allowed for the source you actually use (e.g. F-Droid) – otherwise off everywhere.
Device encryption is the default on modern Android – combined with a strong lock, it stays effective.

7 · Manufacturer bloatware & telemetry

Besides Google, the manufacturer collects data too. Depending on the brand there are dedicated toggles – here are the most important ones.

Samsung (One UI)

"Customization Service" & "Send diagnostic data": off.
Personalized ads in the Samsung account: off.
Turn off Bixby/ads in Samsung's own apps; keep the Samsung account minimal.

Xiaomi (HyperOS/MIUI)

Disable "Recommendations"/ads in system apps (Files, Security, Themes).
Turn off MSA & the "User Experience Program."
Avoid GetApps/the proprietary store.

General

Disable pre-installed bloatware (App info → Disable).
Use the manufacturer cloud only when necessary.
Swap default apps for more data-frugal ones.

Tool tip – Universal Android Debloater (UAD-NG): Bloatware can also be removed conveniently and entirely without root. The open-source Universal Android Debloater Next Generation is a desktop app (Windows/macOS/Linux) that uses ADB over USB to disable pre-installed apps or remove them per user – with curated lists (recommended / advanced / expert) and a short explanation for each package. The package lists update automatically on startup.

Caution & requirements: You need the Developer options with USB debugging enabled and ADB on your computer. Only remove what you understand – some packages are interconnected, and overzealous cleanup can break features. Most removals are per-user and reversible (via the tool or a factory reset), but make a backup beforehand: no backup, no mercy. 🙂

8 · Better app sources

Where your apps come from is part of what determines your privacy.

F-Droid for open-source apps, Obtainium for apps straight from GitHub, Aurora Store as an anonymous gateway to the Play catalog. Details & rules of thumb on the Software page.
Before installing, quickly check the permissions and the data safety notice.

9 · Separating apps: Private Space & work profile

You can wall off sensitive or "nosy" apps from the rest – the strongest tool on stock Android.

Private Space Android 15+

A separately encrypted, PIN-protected space inside the phone. The apps installed there disappear from the app list, "Recent apps," notifications and settings as soon as the space is locked – its very existence can even be hidden. Ideal for banking, health or Google-heavy apps.

Settings → Security & privacy → Private Space (devices with Android 15 and enough RAM).

Work profile as an "app box"

With apps like Shelter or Insular (via the Android work profile) you can lock apps into a separate container – including a clone of your own and "freezing" them when not in use. Good for fencing in Google or social apps.

10 · Maximum protection at elevated risk

For people with a particular need for protection, Android bundles its strongest features in one place.

Advanced Protection Android 16

A device-wide switch that enforces several protective features: always-on malware scanning, blocking sideloading, protection against insecure networks/links, theft detection, offline device lock and encrypted "Intrusion Logging" (rolling out since the Android update at the end of 2025).

Settings → Security & privacy → Advanced Protection → enable device protection.

Advanced Protection Program (account)

Google's account-based high-security program: sign in with a passkey or hardware security key (e.g. YubiKey) – a physical key has no longer been mandatory since 2024 – plus stricter phishing and app checks. Worthwhile for journalists, activists and exposed individuals.

Rule of thumb: If it's about less tracking in everyday life, steps 1–9 are enough. If you are a specific target of attacks, additionally enable Advanced Protection – and seriously consider switching to GrapheneOS.

Harden stock Android instead of switching

1 · Slim down your Google account

2 · Permissions & privacy

3 · Advertising ID & diagnostics data

4 · Location services

5 · Network & connections

6 · Lock, updates & app protection

7 · Manufacturer bloatware & telemetry

Samsung (One UI)

Xiaomi (HyperOS/MIUI)

General

8 · Better app sources

9 · Separating apps: Private Space & work profile

Private Space Android 15+

Work profile as an "app box"

10 · Maximum protection at elevated risk

Advanced Protection Android 16

Advanced Protection Program (account)

And if that's not enough for you?