Smartphones are the most personal tracking devices ever created. Equipped with GPS, Wi-Fi, Bluetooth, cellular radios, and dozens of embedded app SDKs, your phone monitors your behavior 24 hours a day, 7 days a week — often without any visible indication. The average smartphone pings location services 5,400 times per day, and 92% of free Android apps contain at least one embedded tracker according to research from the University of Oxford. The good news is that both Apple and Google have introduced meaningful privacy controls in recent years. This guide walks you through exactly which settings to change on both iPhone and Android to dramatically reduce how much your phone tracks you.
How Does Your Phone Track You?
Before you can stop tracking, it helps to understand the many channels your phone uses to monitor your activity. Most users are aware of GPS, but that's only one of at least seven distinct tracking mechanisms built into modern smartphones.
GPS location pings are the most obvious form of tracking. Your phone's GPS receiver communicates with satellites to determine your precise latitude and longitude, and it does this approximately 5,400 times per day according to a 2023 study by cybersecurity firm Zscaler. Even when you're not actively using a maps app, background services and apps with location permissions are requesting your coordinates constantly.
Wi-Fi triangulation works even when your Wi-Fi is turned off. Your phone's Wi-Fi radio periodically scans for nearby access points to assist with location accuracy. The MAC addresses and signal strengths of nearby routers can triangulate your position to within a few meters, especially in urban environments. Android and iOS have both added randomized MAC addresses to counter this, but the technique remains effective for location inference.
Cell tower triangulation is controlled entirely by your carrier. As long as your phone has a cellular signal, the network knows which towers you're connected to and can estimate your location. This form of tracking cannot be disabled without turning off cellular service entirely. Bluetooth beacons are increasingly deployed in retail stores, airports, and stadiums. These low-energy transmitters detect your phone's Bluetooth signal to track foot traffic and serve location-based promotions. Retailers like Target, Walmart, and Macy's have all deployed beacon networks.
Accelerometer and gyroscope data can be used for gait analysis — identifying you by the unique way you walk. Researchers at multiple universities have demonstrated that motion sensor data alone can identify individuals with over 90% accuracy. App SDKs — software development kits embedded in apps by third-party analytics and advertising companies — are present in 92% of free apps on the Google Play Store. Finally, your phone's IDFA (Apple) or GAID (Google) advertising identifier links your activity across every app on the device, creating a comprehensive behavioral profile.
What Is Apple's App Tracking Transparency (ATT)?
Apple's App Tracking Transparency framework, introduced with iOS 14.5 in April 2021, was the most significant privacy change in mobile history. ATT requires every app to explicitly ask users for permission before tracking their activity across other companies' apps and websites. The prompt is simple: "Allow [App Name] to track your activity across other companies' apps and websites?" Users can tap "Ask App Not to Track" or "Allow."
The results were dramatic. 75% of users chose to opt out of tracking when presented with the prompt, according to data from Flurry Analytics. This single change cost Meta (Facebook) an estimated $16 billion in advertising revenue in 2022 alone, as the company disclosed in earnings calls. Snap, Twitter, and YouTube also reported significant revenue impacts from reduced iOS targeting capabilities.
However, it's important to understand what ATT actually does — and what it doesn't. When you tap "Ask App Not to Track," the app loses access to your IDFA, and Apple's system instructs the app not to use other identifiers to track you across apps. But ATT does not prevent an app from collecting data about your behavior within the app itself. Facebook can still see everything you do inside the Facebook app. ATT also doesn't prevent fingerprinting techniques, though Apple's policies prohibit them. Some apps, particularly those based in China, have been caught ignoring ATT requirements using a technique called CAID (China Advertising ID). Apple has issued warnings but enforcement has been inconsistent.
Despite its limitations, ATT shifted the entire mobile advertising industry toward privacy-first models and inspired Google to develop its own alternative approach for Android.
What Is Google's Privacy Sandbox for Android?
Google's Privacy Sandbox for Android is the mobile counterpart to the Privacy Sandbox initiative in Chrome. Announced in February 2022, it aims to introduce privacy-preserving advertising APIs while eventually phasing out the Google Advertising ID (GAID). The three core components mirror Chrome's approach: Topics API for interest-based advertising, Attribution Reporting API for conversion measurement, and Protected Audiences (formerly FLEDGE) for remarketing.
The Topics API classifies a user's interests based on app usage into broad categories — similar to how Chrome's Topics API works with browsing history. Only a small number of topics are shared with advertisers, and they refresh weekly. The Attribution Reporting API lets advertisers measure whether an ad led to a conversion without revealing the identity of individual users, using differential privacy and aggregated reporting.
Google's approach differs significantly from Apple's. Where Apple imposed a hard opt-in requirement that effectively killed cross-app tracking for most users, Google is building replacement infrastructure that aims to satisfy both advertiser needs and user privacy. Android 14 and 15 introduced the first Privacy Sandbox features, though adoption has been slow. The timeline has been delayed multiple times, and the GAID remains active — unlike Apple's IDFA, which is effectively dead for most users. Critics argue that Google's approach prioritizes preserving its own advertising business over genuine privacy, since Google controls both the operating system and the largest ad network.
iPhone vs. Android Privacy Settings Compared
| Setting | iPhone (iOS 18) | Android (15) |
|---|---|---|
| Location tracking control | Per-app with "precise" vs. "approximate" toggle | Per-app with "precise" vs. "approximate" toggle |
| Per-app permissions | Full granular control with one-time option | Full granular control with one-time option |
| Ad tracking ID | IDFA — disabled by default since iOS 14.5 | GAID — active by default, can be deleted in Android 12+ |
| System-level tracker blocking | ATT framework blocks cross-app tracking | Privacy Sandbox (partial rollout, not yet blocking) |
| DNS configuration | Limited — requires profiles or apps | Native Private DNS support (DNS-over-TLS) |
| App store privacy labels | Mandatory "App Privacy" nutrition labels | "Data safety" section (self-reported by developers) |
| Default browser changeable | Yes (since iOS 14) | Yes |
| Built-in VPN | iCloud Private Relay (Safari only, paid) | Google One VPN (discontinued 2024) |
| Biometric app lock | Face ID / Touch ID per-app | Fingerprint / face unlock per-app (Android 15+) |
| System-wide ad blocking | Content blockers in Safari only | Private DNS can block ad domains system-wide |
Step-by-Step: Lock Down Your iPhone Privacy
These ten steps will significantly reduce tracking on your iPhone. Each step includes the exact Settings path so you can make changes immediately.
Step 1: Disable your advertising identifier (IDFA). Go to Settings > Privacy & Security > Tracking and ensure "Allow Apps to Request to Track" is toggled off. This prevents apps from even asking for your IDFA and resets the identifier to a string of zeros. This is the single most impactful privacy setting on your iPhone.
Step 2: Set location services to per-app control. Go to Settings > Privacy & Security > Location Services. Review each app individually. Set apps to "Never" or "While Using the App" — avoid "Always" unless absolutely necessary (like navigation). Enable "Precise Location" only for maps apps; disable it for everything else. Approximate location gives a ~15-mile radius instead of your exact coordinates.
Step 3: Disable background app refresh for non-essential apps. Go to Settings > General > Background App Refresh. Turn it off entirely or disable it per-app. Background refresh allows apps to send data to their servers even when you're not using them, which is a primary vector for passive tracking.
Step 4: Verify the tracking toggle is off. Go to Settings > Privacy & Security > Tracking. Confirm no apps are listed as allowed to track. If any appear, toggle them off. Check this periodically as app updates can sometimes re-request permissions.
Step 5: Disable analytics sharing. Go to Settings > Privacy & Security > Analytics & Improvements. Turn off "Share iPhone Analytics," "Share iCloud Analytics," "Improve Siri & Dictation," and "Share with App Developers." This stops Apple and third-party developers from receiving usage telemetry from your device.
Step 6: Configure Safari privacy settings. Go to Settings > Apps > Safari. Enable "Prevent Cross-Site Tracking," "Hide IP Address" (from trackers or both trackers and websites), and "Block All Cookies" if you're willing to sacrifice some convenience. Enable "Fraudulent Website Warning" for security.
Step 7: Enable Mail Privacy Protection. Go to Settings > Apps > Mail > Privacy Protection. Enable "Protect Mail Activity." This prevents email senders from knowing when you open emails, your IP address, and whether you forwarded the email. Email tracking pixels are one of the most pervasive forms of surveillance.
Step 8: Clear significant locations. Go to Settings > Privacy & Security > Location Services > System Services > Significant Locations. Turn this off and clear history. Apple uses this to learn your frequently visited places for predictive features, but it creates a detailed map of your daily life stored on your device.
Step 9: Review the App Privacy Report. Go to Settings > Privacy & Security > App Privacy Report. Turn it on if not already enabled. This shows you which apps accessed your location, photos, camera, microphone, and contacts in the last 7 days, plus which domains they contacted. Use this to identify and remove overly invasive apps.
Step 10: Consider Lockdown Mode for high-risk situations. Go to Settings > Privacy & Security > Lockdown Mode. This is Apple's nuclear option — it disables message attachments, complex web technologies, incoming FaceTime from unknown contacts, and more. It's designed for journalists, activists, and others at risk of targeted surveillance, but it dramatically reduces your attack surface.
Step-by-Step: Lock Down Your Android Privacy
Android offers powerful privacy controls, but many are buried in settings menus or require extra steps. These ten steps cover the most impactful changes you can make.
Step 1: Delete your advertising ID. Go to Settings > Privacy > Ads (or Settings > Google > Ads on some devices). On Android 12 and later, tap "Delete advertising ID." On older versions, you can only reset it — but deleting is far more effective because it prevents apps from using any advertising identifier at all. This is Android's equivalent of disabling IDFA.
Step 2: Audit and restrict location permissions. Go to Settings > Privacy > Permission manager > Location. Review every app. Change "Allowed all the time" to "Allowed only while in use" or "Not allowed." For apps that need location, disable "Use precise location" to limit accuracy to a roughly 1-mile radius instead of exact coordinates.
Step 3: Restrict background data usage. Go to Settings > Apps, select individual apps, then Mobile data & Wi-Fi. Disable "Allow background data usage" for apps that don't need to communicate in the background. This prevents apps from phoning home with tracking data when you're not actively using them.
Step 4: Install and use a permission manager. While Android's built-in Permission manager (Settings > Privacy > Permission manager) is useful, consider installing a more comprehensive tool like Bouncer, which automatically revokes permissions after you close an app. This ensures temporary permissions don't become permanent surveillance.
Step 5: Configure DNS-level blocking. Go to Settings > Network & Internet > Private DNS. Set it to a privacy-focused DNS provider like dns.adguard.com or dns.quad9.net. This blocks tracking domains at the network level, preventing apps from contacting known trackers regardless of their permissions. This is one of Android's strongest privacy advantages over iOS.
Step 6: Disable Google activity controls. Go to Settings > Google > Manage your Google Account > Data & Privacy > History settings. Pause "Web & App Activity," "Location History," and "YouTube History." Also disable "Ad personalization." Google collects enormous amounts of data through these services, and pausing them significantly reduces your profile. Delete existing data while you're there.
Step 7: Enable auto-reset for unused app permissions. Go to Settings > Apps, select individual apps, then Permissions. Enable "Remove permissions if app isn't used." Android 11+ automatically revokes permissions for apps you haven't opened in three months, but you can verify this is active for all apps. This prevents forgotten apps from silently collecting data.
Step 8: Configure Private DNS. If you haven't already set a Private DNS provider in Step 5, go to Settings > Network & Internet > Private DNS and select "Private DNS provider hostname." Enter a trusted provider. DNS-over-TLS encrypts your DNS queries, preventing your ISP and network operators from seeing which domains you visit.
Step 9: Conduct a full permissions audit. Go to Settings > Privacy > Privacy dashboard (Android 12+). This shows a timeline of which apps accessed your location, camera, and microphone in the last 24 hours. For a deeper audit, install the Exodus Privacy app from F-Droid, which scans your installed apps and identifies embedded trackers by comparing them against a database of known tracking SDKs.
Step 10: Consider alternative app sources. The F-Droid app store contains only free and open-source apps, which by definition don't contain proprietary tracking SDKs. For apps you must get from Google Play, check the "Data safety" section before installing. The Aurora Store is an alternative Google Play client that lets you install Play Store apps anonymously without a Google account.
Which Types of Apps Track You the Most?
Not all apps are equally invasive. Research from the University of Oxford that analyzed the top one million Android apps on the Google Play Store found significant variation in tracking behavior by category. Understanding which categories are worst offenders helps you prioritize which apps to replace, restrict, or remove.
Social media apps are among the most aggressive trackers, averaging 5 or more embedded trackers per app. Facebook, Instagram, TikTok, and Snapchat all contain extensive analytics and advertising SDKs. They collect not just your in-app behavior but also device information, contact lists, and cross-app activity. Free games are the worst category overall, averaging 7+ trackers per app. Many casual games are essentially trojan horses for advertising SDKs — the game itself is a vehicle for collecting behavioral data and serving targeted ads. Children's games are particularly problematic despite regulations like COPPA.
Weather apps average 4+ trackers per app and were famously exposed when The Weather Channel app was sued by the Los Angeles City Attorney for secretly selling user location data. Weather apps request "always on" location access, making them ideal vehicles for continuous location tracking. Shopping apps average 6+ trackers per app, collecting detailed purchase behavior, browsing patterns, price sensitivity, and wish list data. News apps average 4+ trackers, largely due to programmatic advertising infrastructure embedded in their content delivery.
The common thread is the free-app business model: if you're not paying for the product, your data is the product. Understanding how online ads track you across these apps reveals why the free-app economy is fundamentally built on surveillance.
How Adreva Respects Mobile Privacy
Adreva takes a fundamentally different approach to advertising that eliminates the tracking mechanisms described throughout this guide. Instead of embedding SDKs inside native apps, Adreva operates as a browser extension — meaning it never has access to your phone's GPS, Bluetooth, accelerometer, contact list, or any other native device API.
There is no background location access because browser extensions don't have that capability. There is no device identity graph, no persistent advertising identifier like IDFA or GAID, and no cross-app tracking SDK. Adreva matches ads based on user-declared interests processed entirely on-device, not on behavioral surveillance collected through hidden app trackers.
This browser-based model means Adreva is inherently compatible with every privacy setting recommended in this guide. You can disable your IDFA, delete your GAID, restrict all location permissions, enable Private DNS blocking, and Adreva continues to work exactly as designed — because it was never relying on those tracking mechanisms in the first place. Learn more about how online ad tracking works and how to evaluate browser extensions for privacy.
Frequently Asked Questions
Does airplane mode stop all tracking?
Airplane mode stops real-time network-based tracking by disabling cellular, Wi-Fi, and Bluetooth radios. However, apps can still log data locally using cached location, accelerometer, and gyroscope data — and transmit it the next time you reconnect. GPS hardware can also function in a receive-only mode without a network connection. Previously cached data remains accessible to apps that already collected it.
Can deleted apps still track me?
Once you delete an app, it can no longer actively collect new data from your device. However, all data the app previously transmitted to its servers remains there and continues to be used for profiling and ad targeting. Your advertising ID (IDFA or GAID) still links your historical data to your device unless you reset or delete it. Deleting the app without resetting your ad ID leaves your historical profile intact.
What is IDFA and GAID?
IDFA stands for Identifier for Advertisers and is Apple's device-level advertising identifier. GAID stands for Google Advertising ID and serves the same purpose on Android. Both are unique strings assigned to your device that allow advertisers to track your behavior across every app you use. Apple's ATT framework effectively disabled IDFA for most users, while Google allows deletion of GAID starting with Android 12. Resetting or deleting these identifiers breaks the link between your current activity and historical behavioral data.
Do privacy-focused apps actually work?
Yes — apps like Signal (encrypted messaging), DuckDuckGo (private browsing), and Firefox Focus (tracker-blocking browser) are effective at mitigating specific threat vectors. Signal prevents message interception, DuckDuckGo blocks web trackers, and Firefox Focus deletes all browsing data when you close it. However, no single app solves all tracking. A layered approach combining multiple tools with the device-level settings described in this guide provides the strongest protection.
Can my phone carrier track me?
Yes — mobile carriers have access to all unencrypted network traffic and continuously collect location data from cell tower connections. T-Mobile, AT&T, and Verizon have all operated data-selling programs that shared real-time customer location data with third parties. The FCC fined the major carriers a combined $200 million in 2024 for these practices. Using a VPN encrypts your traffic from your carrier, but they can still determine your approximate location from cell tower connections.
How can I check which apps are tracking me?
On iPhone, go to Settings > Privacy & Security > App Privacy Report to see which apps accessed sensors and contacted external domains in the last 7 days. On Android, go to Settings > Privacy > Privacy dashboard for a 24-hour activity view, or Settings > Privacy > Permission manager for a full permission audit. For deeper analysis, the Exodus Privacy app (available on F-Droid) scans your installed Android apps against a database of known tracking SDKs and gives each app a tracking score.
Is location tracking legal?
In most jurisdictions, location tracking is legal if disclosed in the app's privacy policy and the user consents — which typically happens when you accept terms during installation. Under GDPR, location data is classified as personal data requiring explicit, informed consent. Under CCPA, consumers have the right to opt out of the sale of their location data. The reality is that most users unknowingly consent to extensive tracking by tapping "Agree" on privacy policies they never read. Understanding data privacy laws is essential for knowing your rights.