Your recipe app does not need to know where you are. Your flashlight app does not need access to your microphone. Your free game does not need permission to track your activity across every other app on your phone. And yet, if you installed any of these apps without reviewing their permissions carefully, there is a reasonable chance they have all of those things — because requesting broad permissions is the default behaviour of apps designed to collect and sell data, and most users accept permission requests without reading them. The average mobile app contains between three and seven third-party trackers — software development kits embedded by the app’s developer that transmit your behaviour, location, and device data to advertising networks, data brokers, and analytics firms simultaneously while you use the app, without your awareness.
Mobile tracking is not a hypothetical privacy concern or a theoretical risk — it is an industrial-scale data collection system that runs on every smartphone, generates billions of dollars annually for data brokers and advertising networks, and operates largely in the background of users’ digital lives. The specific data collected includes your precise GPS location (updated continuously when apps have Always location access), your device’s unique advertising identifier (which links your activity across apps into a unified profile), your browsing history, your app usage patterns, your contacts, your microphone audio (when microphone access has been granted), your camera images, and in many cases your health and financial data. Some of this data collection is disclosed in privacy policies that no one reads. Some of it is enabled by permission grants that users accept without understanding what they are authorising. And some of it happens through tracking mechanisms that operate below the permission level entirely.
The good news is that the privacy controls available on both iPhone and Android in 2026 are more powerful than most users realise — and the most impactful changes require only minutes to implement, no technical expertise, and no additional software. This guide covers exactly how app tracking works, which specific settings reduce it most effectively on both platforms, the additional tools that provide deeper protection, what tracking you cannot prevent and why, and the privacy practices that protect your data beyond the settings menu.
How Apps Actually Track You: The Technical Reality
Understanding how mobile tracking works helps clarify which protective measures are effective and which provide only the appearance of protection. The tracking ecosystem operates through several distinct mechanisms, each requiring different countermeasures.
The Mobile Advertising ID is the primary tracking mechanism for cross-app profiling. On iOS, this is called the IDFA (Identifier for Advertisers); on Android, it is the Google Advertising ID (GAID). This identifier is a unique code assigned to your device that advertising networks use to link your activity across different apps into a single behavioural profile. When you open App A, use App B, and browse App C, the advertising ID allows a data broker to connect all three sessions to the same device — building a profile of your interests, habits, and patterns that advertisers pay to target. Before Apple’s 2021 App Tracking Transparency framework, this was done entirely without your knowledge or consent. After ATT, iOS apps must ask permission before accessing the IDFA.
Third-party SDKs — software development kits embedded in apps — are the invisible data collection infrastructure that operates regardless of the app itself. An app developer who wants to display ads in their app integrates an advertising SDK from a network like Google AdMob or Meta Audience Network. That SDK, once embedded, has the same permissions as the app itself — meaning it can access location, device identifiers, and usage data, and transmit all of it back to the network’s servers, in addition to fulfilling its stated advertising function. A single app can contain a dozen different SDKs, each transmitting data to different parties. The California Privacy Protection Agency’s 2025 analysis of mobile apps found this SDK-based data sharing to be the most pervasive and least understood mechanism of mobile tracking.
Fingerprinting is the tracking technique that operates without any permission at all — and that privacy settings cannot fully prevent. Device fingerprinting constructs a unique identifier from the combination of your device’s characteristics: screen resolution, operating system version, installed fonts, time zone, language settings, battery level, and dozens of other signals that individually are innocuous but together create a combination unique to your specific device. Since fingerprinting does not use any permission-controlled identifier, disabling the advertising ID or revoking location permissions does not prevent it. Apple has stated that it prohibits fingerprinting in its App Store guidelines and that apps caught using it will be removed, but enforcement is imperfect and the technique continues to be used by some actors.
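The effect described above can be measured as an anonymity set: the number of devices that share the same combination of signals. The following is an added example, not code from any tracker or platform; the device rows, field names and function names are constructed for illustration. It shows that each signal alone identifies few or no devices, that the combination singles out most of them, and that the combination is unchanged when the advertising ID is reset.

```python
from collections import Counter

# Constructed sample population (not real devices). Each row holds signals an
# app can read without a permission prompt, plus a resettable advertising ID.
FIELDS = ("ad_id", "screen", "os", "tz", "lang", "fonts")
ROWS = [
    ("id-0", "1170x2532", "17.4", "Europe/London", "en-GB", 212),
    ("id-1", "1170x2532", "17.4", "Europe/Paris", "fr-FR", 212),
    ("id-2", "1170x2532", "17.5", "Europe/London", "en-GB", 212),
    ("id-3", "1080x2400", "14", "Europe/London", "en-GB", 187),
    ("id-4", "1080x2400", "14", "Europe/Paris", "fr-FR", 187),
    ("id-5", "1080x2400", "13", "Europe/Paris", "en-GB", 187),
    ("id-6", "1170x2532", "17.4", "Europe/London", "en-GB", 212),
    ("id-7", "1080x2400", "14", "Europe/London", "fr-FR", 187),
]
DEVICES = [dict(zip(FIELDS, row)) for row in ROWS]
SIGNALS = ("screen", "os", "tz", "lang", "fonts")  # ad_id deliberately excluded


def signal_key(device, signals=SIGNALS):
    """Combination of permission-free signals for one device."""
    return tuple(device[s] for s in signals)


def anonymity_sets(devices, signals=SIGNALS):
    """For each device, count how many devices share its signal combination."""
    keys = [signal_key(d, signals) for d in devices]
    counts = Counter(keys)
    return [counts[k] for k in keys]


def unique_fraction(devices, signals=SIGNALS):
    """Share of devices whose combination is held by no other device."""
    sizes = anonymity_sets(devices, signals)
    return sum(1 for n in sizes if n == 1) / len(sizes)


def survives_ad_id_reset(device):
    """True if the signal combination is unchanged after the ad ID changes."""
    reset = dict(device, ad_id="reset-placeholder")
    return signal_key(reset) == signal_key(device)


if __name__ == "__main__":
    for s in SIGNALS:
        share = unique_fraction(DEVICES, (s,))
        print(f"{s:>6} alone: {share:.0%} of devices unique")
    print(f"combined: {unique_fraction(DEVICES):.0%} of devices unique")
    print("unchanged after ad ID reset:", survives_ad_id_reset(DEVICES[1]))
```

A larger anonymity set means better privacy: devices 0 and 6 in the sample share every signal, so neither can be told apart from the other by these values alone.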
Location data is particularly sensitive and particularly profitable. Precise GPS coordinates updated continuously allow data brokers to reconstruct your daily movement patterns — where you live, where you work, which doctors you visit, which places of worship you attend, which political events you participate in, and which stores and restaurants you frequent. The NSA has advised Americans to disable location services on apps specifically because of the risk that location data sold to commercial data brokers can reach foreign adversaries. A single company purchasing your location data from a data broker has access to your physical movements in detail that most people associate only with government surveillance.
iPhone Privacy Settings: The Complete Hardening Guide
The iOS privacy settings that provide the most significant protection against tracking are accessible through Settings → Privacy & Security and require no technical expertise to configure. These are the specific changes that produce the largest reduction in data collection for the least time investment.
App Tracking Transparency — disable all requests: Go to Settings → Privacy & Security → Tracking. Toggle off “Allow Apps to Request to Track.” This prevents any app from even asking for permission to track your activity across other apps and websites — apps are automatically treated as if you denied their tracking request. This is the single most impactful privacy setting on iOS. Before ATT was introduced, advertisers had essentially universal access to the IDFA. After ATT, only users who explicitly allow tracking provide this access, and turning off “Allow Apps to Request to Track” ensures you are never in the group that accidentally approves tracking through a hasty permission tap.
Location Services — audit every app: Go to Settings → Privacy & Security → Location Services. This screen shows every app that has requested location access and what level of access is currently granted. For each app, the options are Never, Ask Next Time Or When I Share, While Using the App, and Always. The correct default for most apps is “While Using the App” — they can access your location when you are actively using them (which is often necessary for the app to function) but not when you are not. The “Always” setting — which allows continuous background location tracking — should be granted only to apps where continuous location is genuinely necessary for their function: navigation apps, ride-sharing apps, and apps that need to alert you based on your location. Weather apps, news apps, shopping apps, and any social media app should never have “Always” location access. Additionally, toggle “Precise Location” off for any app that does not specifically require your exact coordinates — many apps function adequately with approximate location, which is all that “Precise Location: Off” provides.
Microphone and Camera — review all permissions: Go to Settings → Privacy & Security → Microphone and Settings → Privacy & Security → Camera. Any app listed here has previously requested microphone or camera access. Remove access from any app where microphone or camera is not clearly necessary for a function you actually use. Games, weather apps, and most utilities have no legitimate reason for microphone or camera access.
App Privacy Report — see what apps are actually doing: Go to Settings → Privacy & Security → App Privacy Report and enable it. After 7 days of data collection, this report shows which apps accessed which permissions (location, microphone, camera, contacts, photos) and which network domains each app contacted. The network domains section is the most revealing — it shows you which third-party advertising and data brokers your apps are communicating with, often revealing that apps you thought were simple utilities are transmitting data to dozens of external parties. This visibility does not stop the tracking directly but informs which apps deserve closer scrutiny or removal.
Photos — limit access to selected photos: Go to Settings → Privacy & Security → Photos. For any app that has “All Photos” access but does not need your entire photo library, change the setting to “Selected Photos” — which limits the app to the specific photos you explicitly choose to share — or “None” if the app has no legitimate reason to access photos at all. Giving an app access to your entire photo library gives it access to metadata embedded in those photos including precise location data for every photo taken with location services enabled.
Analytics — opt out of Apple data sharing: Go to Settings → Privacy & Security → Analytics & Improvements and disable “Share iPhone Analytics,” “Share iCloud Analytics,” and “Improve Siri & Dictation.” These settings govern whether your device usage data, crash reports, and Siri transcripts are shared with Apple for product improvement purposes.
Apple Advertising — limit personalisation: Go to Settings → Privacy & Security → Apple Advertising and disable “Personalised Ads.” This stops Apple from using your App Store browsing and purchase history to target you with personalised advertisements within Apple’s own apps and services.
Android Privacy Settings: The Complete Hardening Guide
Android’s privacy settings are architecturally similar to iOS’s but vary in detail across different manufacturers (Samsung, Google Pixel, OnePlus, and others implement the Android privacy framework differently). The settings below reflect stock Android; specific menu paths may differ slightly on non-Pixel devices.
Delete or reset the Advertising ID: Go to Settings → Privacy → Ads. On Android 12 and above, you can delete the Advertising ID entirely rather than simply resetting it. Deleting the GAID removes the identifier that links your activity across apps — it is more protective than resetting, which creates a new identifier that begins accumulating a fresh profile immediately. On devices where deletion is available, deleting is the stronger privacy action. Resetting the GAID (on older Android versions where deletion is not available) creates a new identifier, which breaks the continuity of your existing behavioural profile even if it does not prevent future profiling.
Location permissions — audit every app: Go to Settings → Privacy → Permission Manager → Location. Android shows all apps organised by their current location access level: “Allowed all the time,” “Allowed only while in use,” “Ask every time,” and “Not allowed.” Review every app in “Allowed all the time” and determine whether continuous background location access is genuinely necessary for its function. For most apps, “Only while in use” is the appropriate level, and for many apps “Not allowed” or “Ask every time” is correct.
Privacy Dashboard — review permission access history: Go to Settings → Privacy → Privacy Dashboard. This tool shows a historical timeline of which apps accessed which permissions over the past 24 hours — location, microphone, camera, contacts, and other sensitive capabilities. The timeline view makes it easy to identify apps accessing sensitive permissions at unexpected times (a messaging app accessing your microphone when you are not actively using it, for example, warrants investigation).
Permission Manager — audit all sensitive permissions: Go to Settings → Privacy → Permission Manager. This view organises every permission category (Microphone, Camera, Location, Contacts, Body Sensors, Calendar, Call Logs, etc.) and shows which apps have access to each. For each category, revoke access from apps where the permission is not clearly necessary for a function you actively use. Be particularly aggressive with Microphone, Camera, and Body Sensors — these permissions provide access to particularly sensitive data.
Background app activity — disable for non-essential apps: Disabling “Background App Refresh” or battery optimisation exceptions for apps you use infrequently prevents them from communicating with tracking servers when the app is not actively open. On Android, this is managed through Settings → Apps → [App Name] → Battery → Restrict Background Usage for apps that do not need to run in the background for push notifications or real-time features.
Disable Bluetooth and Wi-Fi when not in use: Bluetooth and Wi-Fi can be used for passive location tracking even without GPS — retail stores use Bluetooth beacons to track customer movement through aisles, and Wi-Fi probe requests from your phone can reveal your presence and movement to any network within range. Disabling Bluetooth in locations where you do not need it (shopping centres, airports, streets) reduces this tracking vector.
Additional Tools for Deeper Protection
The built-in platform settings described above address the most significant tracking vectors for most users. For those who want deeper protection, additional tools provide capabilities that operating system settings alone cannot.
A DNS-based ad and tracker blocker — such as NextDNS or AdGuard DNS — filters tracking requests at the network level, preventing apps from communicating with known advertising and data broker domains even when they have legitimate permissions to access the internet. These tools work differently from VPNs: they intercept DNS queries and block those that resolve to known tracking servers, preventing the data from ever being transmitted, rather than simply encrypting the data in transit. NextDNS provides detailed logs of which tracking domains each app attempts to contact — the same kind of visibility as iOS’s App Privacy Report but at the DNS level, available on both platforms.
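The filtering step described above, as an added example that is not code from NextDNS or AdGuard: a query is blocked when its name, or any parent domain of it, appears on the blocklist. The blocklist entries, log format and function names are constructed for illustration, and all domains use the reserved .example suffix.

```python
from collections import Counter

# Constructed blocklist; real services use curated lists with far more entries.
BLOCKLIST = {"tracker.example", "ads.adnetwork.example"}

# Constructed query log: timestamp, record type, queried name.
QUERY_LOG = """\
2026-01-10T09:00:01 A api.recipes.example
2026-01-10T09:00:02 A sdk.tracker.example
2026-01-10T09:00:02 AAAA SDK.Tracker.Example.
2026-01-10T09:00:03 A ads.adnetwork.example
2026-01-10T09:00:04 A cdn.adnetwork.example
2026-01-10T09:00:05 A nottracker.example
"""


def normalise(name):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.rstrip(".").lower()


def matched_rule(name, blocklist):
    """Return the blocklist entry covering name (exact or parent), else None.

    Matching walks whole labels, so 'nottracker.example' is not caught by
    a rule for 'tracker.example'.
    """
    labels = normalise(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def filter_log(log_text, blocklist):
    """Split a query log into per-rule block counts and allowed names."""
    blocked, allowed = Counter(), []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        name = normalise(parts[2])
        rule = matched_rule(name, blocklist)
        if rule:
            blocked[rule] += 1
        else:
            allowed.append(name)
    return dict(blocked), allowed


if __name__ == "__main__":
    blocked, allowed = filter_log(QUERY_LOG, BLOCKLIST)
    print("blocked:", blocked)
    print("allowed:", allowed)
```

In the sample, cdn.adnetwork.example is allowed because only the ads subdomain is listed, which shows why blocklist coverage determines how much tracking traffic is actually stopped.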
A VPN encrypts your internet traffic and masks your IP address from the websites and services your apps communicate with — providing meaningful privacy protection against network-level surveillance and preventing your ISP from seeing your app traffic. However, a VPN does not prevent app-level tracking through permissions you have granted, advertising IDs, or fingerprinting techniques. It is a useful layer in a privacy stack but not a substitute for the permission controls described above. Refer to our VPN guide for the best options currently available.
Signal for messaging replaces the data-collection-heavy messaging apps (standard SMS, WhatsApp, Facebook Messenger) with end-to-end encrypted communication whose content cannot be read by Signal, by your carrier, or by law enforcement without physical access to your device. For sensitive communications — financial, medical, personal, or professional — Signal provides a protection level that no mainstream messaging app matches.
Reviewing and deleting apps you no longer use is a frequently overlooked privacy action with meaningful impact. Every app installed on your phone that you have not opened in the past month has permissions that are no longer serving any function — and those permissions continue to enable data collection regardless of whether you use the app. Regular audits of the full installed app list, with aggressive deletion of anything not actively used, systematically reduce the number of entities with access to your device’s data.
What You Cannot Fully Prevent — and the Honest Tradeoffs
Complete elimination of mobile tracking is not achievable without sacrificing so much app functionality that the smartphone becomes practically useless. The privacy measures described in this guide dramatically reduce tracking — they remove the advertising ID from cross-app profiling, revoke location access from apps that do not need it, prevent apps from collecting data in the background, and block known tracking domains at the network level. They do not make tracking impossible.
Fingerprinting cannot be prevented by permission settings, because it uses no permissions. Apps that the platform operator (Apple or Google) catches fingerprinting can be removed from the store, but detection is imperfect and enforcement lags adoption. Using private browsing modes, resetting device settings, and keeping the operating system updated (which changes the combination of signals available for fingerprinting) all reduce fingerprinting effectiveness at the margin, but none eliminates it.
The data that apps collect when you do use them — information about what you tap, how you navigate, how long you spend on specific content — is generally not controlled by permission settings and is difficult to prevent short of not using the apps at all. The permission controls focus on hardware access (location, microphone, camera) and cross-app identifier sharing — they do not control what apps observe about your behaviour within the app itself.
The most practical advice is to apply the settings described in this guide, which address the most significant tracking vectors with the least friction, and then make conscious decisions about which apps you install and what permissions they receive at the moment of installation rather than accepting defaults. The combination of a hardened permission configuration, an advertising ID deleted or reset regularly, a DNS-based tracker blocker, and a policy of only installing apps with clear, justified use provides protection that is meaningfully better than the default state of a newly set up smartphone — without requiring any compromise in the functionality of the apps you actually use.