Skip to content
DA DownloadAPK

The 2026 Android Privacy Hardening Checklist (15 Steps)

A 15-step Android privacy hardening checklist for 2026: permission manager, Private DNS, scoped storage, ad-blocker DNS, app sandbox, app pinning, biometrics, Google services minimization, and GrapheneOS.

A privacy hardening guide is only useful if every step is concrete and ranked. There is a tendency in this space to either dump twenty paragraphs of philosophy or to publish a “top ten” list where step seven is “use a VPN” and step ten is “buy GrapheneOS”. This is neither.

The 15 steps below are ranked by how much privacy each one buys you for the effort required. Step 1 takes ten minutes and is worth more than step 14. Most readers should stop after step 10 unless they have a specific threat model that justifies going further.

We tested all 15 steps on a Pixel 8 running Android 16 stock, and on a Pixel 7a running GrapheneOS. The instructions are for stock Android; GrapheneOS-specific notes are flagged inline.

1. Audit the permission manager (10 minutes)

Settings > Privacy > Permission manager. Walk through each category. The two that matter most: Location and Microphone. Anything that has access and does not need it: revoke. Anything that has “all the time” access for location: change to “only while using” unless you have a deliberate reason. The flashlight does not need contacts. The notes app does not need fine location. Be ruthless.

This single step buys more privacy than any other action you will take this year.

2. Set Private DNS (5 minutes)

Settings > Network and internet > Private DNS > Private DNS provider hostname. Enter a DNS-over-TLS host. Options:

  • dns.adguard-dns.com (Adguard, ad-blocking and tracker-blocking)
  • dns.quad9.net (Quad9, malicious-domain blocking, no ad blocking)
  • dns.mullvad.net (Mullvad, no logging, optional ad-blocking variant)

Private DNS encrypts your DNS queries. Your ISP can no longer log every site you visit. Your phone uses the chosen provider for system-wide DNS, including inside apps, including over WiFi and cellular. This is the largest single privacy improvement after the permission audit.

3. Install an app sandbox (15 minutes)

Install Shelter from F-Droid. Create a work profile. Move every proprietary app you do not strictly trust into the Shelter profile: social media, games, anything that asks for excessive permissions. Apps in the Shelter profile cannot read your main profile’s contacts, photos, or accounts.

Bonus: freeze apps in the Shelter profile when you are not using them. Frozen apps run no background services and consume no resources.

4. Turn on the DNS-level ad blocker (already done if you picked Adguard or Mullvad in step 2)

If you did, skip. If you picked Quad9, consider one of the ad-blocking alternatives, or install RethinkDNS (F-Droid) as a system-wide DNS-based content filter. RethinkDNS runs a local VPN-style filter that blocks ads, trackers, and configurable categories at the DNS layer.

5. Switch lock screen to PIN with biometric (5 minutes)

Settings > Security > Screen lock > PIN. Set a 6-digit minimum. Enable fingerprint or face for convenience. Learn the lockdown shortcut: hold power, tap Lockdown. Lockdown disables biometrics until the next PIN entry. Use it before any situation where you may be compelled to unlock.

The legal and practical asymmetry between PINs and biometrics is real in most jurisdictions. Compelled biometric unlock has weaker protection than compelled PIN entry. This is not legal advice; it is a documented pattern.

6. Disable the advertising ID (2 minutes)

Settings > Privacy > Ads > Delete advertising ID. This removes the cross-app tracking identifier that Google ships on every Android device. Most apps will fall back to less-effective fingerprinting; that is acceptable. Re-check after every major Android update because this setting has historically been moved around.

7. Review scoped storage (5 minutes)

Settings > Apps > [each app] > Permissions > Files and media. Apps requesting “All files access” are asking for broad read-write to your entire device storage. Almost none need this; the few that legitimately do are usually file managers and backup tools. Revoke for everything else and let the OS prompt the app to request individual file access through the system picker.

8. Audit accounts and remove unused (15 minutes)

Settings > Passwords and accounts. Walk the list. For every account you do not actively use, remove it. Each account on the device is a sync surface and an attack surface. Particularly look for accounts you set up to test an app once and never removed.

9. Turn on app pinning (3 minutes)

Settings > Security > More security settings > App pinning. Enable. When you hand your phone to someone (showing a photo, letting a kid play a game), pin the app first. They cannot exit the pinned app without your PIN.

10. Minimise Google services where possible (varies)

This is the longest step, with a payoff that varies by how Google-dependent your daily use is.

The non-Google replacements that work well in 2026:

  • Maps: Organic Maps (F-Droid) or OsmAnd (F-Droid).
  • Keyboard: AnySoftKeyboard or FlorisBoard (F-Droid). Gboard is solid privacy-wise but Google.
  • Calendar: Etar (F-Droid) for the UI, with your existing calendar sync.
  • Email: K-9 Mail (F-Droid), or use the FastMail / ProtonMail apps if you can move providers.
  • Browser: Firefox or Brave for daily browsing. Tor Browser for sensitive sessions.

The hardest replacements: Photos (Google Photos is genuinely a strong product) and Google Pay (no replacement on most banks).

11. Install a quality VPN where you need one (30 minutes)

For threat models that include “my ISP should not see my browsing” or “I use public WiFi often”, install one of the audited VPN providers we cover in our Android VPN review. The setup is fifteen minutes, but the choice of provider matters more than the setup, so budget time to read.

If your threat model does not include either of those, skip this step. VPNs are oversold.

12. Set up an offline backup workflow (30 minutes)

Backups are a privacy step because the alternative is using a cloud backup that reads everything on your device. Two paths:

  • Seedvault (built into GrapheneOS, available on some other ROMs). Backs up to an encrypted file on local storage or a USB drive.
  • Manual workflow. Photos to Syncthing (F-Droid) targeting a home server or laptop. Documents to the same. Periodically verified.

If you stay on Google Photos, accept that Google Photos sees every photo and that Google’s machine-learning systems process them. That may be acceptable in your threat model. It should be a deliberate decision.

13. Disable telemetry where surfaced (10 minutes)

Settings > Privacy > Usage and diagnostics: off. Settings > Google > Personalised ads: off. Settings > Google > Ads > Opt out of ads personalisation. Settings > Google > Activity controls: turn off Web and App Activity if you can tolerate the search relevance loss. Most readers can.

14. Use a hardened browser by default (15 minutes)

Install Firefox or Brave from F-Droid (Firefox is via the F-Droid alternative repo, or directly from Mozilla; Brave is direct from Brave or the Play Store). For Firefox, install uBlock Origin. For Brave, the built-in shield is sufficient. Set the hardened browser as the default.

For sensitive sessions (research, journalism, anything threat-model-elevated), use Tor Browser (F-Droid) with the default privacy slider at “Safer”. Do not log into accounts inside Tor Browser unless you mean to.

15. Move to GrapheneOS (4 hours including backup)

Optional. Requires a Pixel device (Pixel 6 or newer in 2026). GrapheneOS is the strongest privacy and security Android-compatible OS available. The reasons to do this step:

  • You want sandboxed Google Play (Play Store and services run as regular apps with no privileged access).
  • You want per-app network and per-app sensor toggles built in.
  • You want full disk encryption with a separate boot password.
  • You want hardened memory allocation, hardened malloc, and the GrapheneOS Auditor app for remote attestation.

The reasons not to: you do not have a Pixel, you do not want to reflash, you do not need this level of hardening. Steps 1 through 14 cover most threat models.

How to maintain the hardening

A hardening pass is not one-shot. Two specific cadences worth keeping:

  • Quarterly. Re-run the permission audit (step 1). Apps gain permissions over time; the audit catches creep.
  • At every major Android update. Re-check Private DNS (step 2) and the advertising ID (step 6). These settings have historically been moved around in major Android versions, and not always in privacy-friendly directions.

That is the entire checklist. Most readers will do steps 1 through 10 in one afternoon and stop there. That is the right place to stop for most threat models. Steps 11 through 15 are for readers with a specific reason to go further.

FAQ

Do I need to root my phone or install a custom ROM for this?

No. Steps 1 through 14 work on stock Android with no root required. Step 15 (GrapheneOS) requires a Pixel device and reflashing, and is optional. The bulk of the privacy gain in this checklist comes from the first half, and most of it can be done without enabling developer mode.

Should I use a biometric (fingerprint or face) or a PIN to unlock my phone?

For day-to-day convenience, biometrics are fine. For situations where you may be compelled to unlock (border crossings, traffic stops), a PIN is legally and practically harder to coerce in most jurisdictions. The pragmatic answer is to enable both, then learn the lockdown shortcut on your device that disables biometrics until the next PIN entry. On Android, hold the power button and tap Lockdown.

How much battery does Private DNS use?

Negligible. Private DNS over TLS encrypts the DNS queries your phone already makes; it does not generate new traffic. The battery impact is below 1 percent in our testing across a week of normal use on a Pixel 8 running stock Android. The privacy gain is large: your DNS queries (which include every site you visit) stop being readable by your ISP.

Is GrapheneOS the only ROM worth using for privacy?

For privacy specifically, yes. GrapheneOS is the only ROM with a security model that exceeds stock Pixel firmware and a privacy model that exceeds stock Android. LineageOS, CalyxOS, and DivestOS are all credible projects with their own strengths, but for pure privacy-and-security focus, GrapheneOS is the benchmark. The trade-off is the Pixel device requirement.

FAQ

Do I need to root my phone or install a custom ROM for this?
No. Steps 1 through 14 work on stock Android with no root required. Step 15 (GrapheneOS) requires a Pixel device and reflashing, and is optional. The bulk of the privacy gain in this checklist comes from the first half, and most of it can be done without enabling developer mode.
Should I use a biometric (fingerprint or face) or a PIN to unlock my phone?
For day-to-day convenience, biometrics are fine. For situations where you may be compelled to unlock (border crossings, traffic stops), a PIN is legally and practically harder to coerce in most jurisdictions. The pragmatic answer is to enable both, then learn the lockdown shortcut on your device that disables biometrics until the next PIN entry. On Android, hold the power button and tap Lockdown.
How much battery does Private DNS use?
Negligible. Private DNS over TLS encrypts the DNS queries your phone already makes; it does not generate new traffic. The battery impact is below 1 percent in our testing across a week of normal use on a Pixel 8 running stock Android. The privacy gain is large: your DNS queries (which include every site you visit) stop being readable by your ISP.
Is GrapheneOS the only ROM worth using for privacy?
For privacy specifically, yes. GrapheneOS is the only ROM with a security model that exceeds stock Pixel firmware and a privacy model that exceeds stock Android. LineageOS, CalyxOS, and DivestOS are all credible projects with their own strengths, but for pure privacy-and-security focus, GrapheneOS is the benchmark. The trade-off is the Pixel device requirement.