How to Set Up a Privacy-Focused Android Phone

Have you ever checked what your Android phone sends to Google in a single day? Not in a vague "they probably collect some data" way — have you actually looked? Because when I did, using a network traffic analyzer on my Pixel 7 back in December 2025, the results were sort of unsettling. My phone was pinging Google servers roughly every four to six minutes, sending packets that included my location, which apps I'd opened, how long I'd used them, what Wi-Fi networks were nearby, and ambient audio snippets triggered by background "Ok Google" detection — even though I don't remember ever enabling that. That was with a phone I thought I'd already configured for privacy. My buddy's Redmi, running MIUI, was even chattier — Xiaomi's telemetry on top of Google's made it a two-for-one deal of data leakage.

Look, I get it. Most people reading this aren't going to flash a custom ROM or ditch Google entirely. That's fine. You don't need to become a digital monk living in a privacy ashram. But there's a huge middle ground between "Google knows everything about me" and "I'm running GrapheneOS on a burner phone." The goal here is to find a setup that's actually livable — one where your Zomato still works, your UPI payments go through, and your dadi can still WhatsApp-call you — but Google and the forty-seven third-party SDKs baked into your apps get significantly less information about your life. Think of it less like building a fortress and more like closing the windows you've been leaving open.

First things first — the Google account itself. Open a browser on your phone and go to myaccount.google.com. Tap "Data & Privacy" and you'll see a bunch of toggles that are almost certainly turned on. Web & App Activity is the big one — it records every search you make, every website you visit through Chrome, every app interaction, and even your Google Maps queries. Turn it off. Below that, Location History tracks everywhere your phone physically goes and builds a timeline you can browse. Creepy and useful are not mutually exclusive, but turn it off. YouTube History records every video you watch and uses it to shape recommendations and ad targeting. Turn it off. Ad Personalization is the toggle that lets Google use all the data it collects to show you targeted ads. Turn it off. If you're feeling less absolute about any of these, you can at least set auto-delete to the three-month option — it's better than the default, which is "keep forever." But honestly, turning them off entirely costs you nothing except slightly less relevant ads, and I'd argue that's a feature, not a bug.

Now here's where things get interesting and maybe a bit annoying. Your keyboard — whatever app handles your typing — sees literally everything you type. Passwords, messages, search queries, bank account numbers. Gboard, Google's keyboard, sends typing data back to Google for "prediction improvement." Samsung Keyboard does the same with Samsung's servers. SwiftKey reports to Microsoft. Every keystroke, potentially. The fix is switching to an open-source keyboard that processes everything locally. OpenBoard is the one I'd recommend for most people — it looks and feels similar to Gboard, supports Hindi and other Indian languages, and doesn't phone home. HeliBoard is a newer fork that's actively maintained as of early 2026. FlorisBoard is another option but it's still in beta. The switch takes about three minutes: install from F-Droid or Play Store, go to Settings > System > Keyboard, make the new one your default, and uninstall or disable Gboard. Three minutes for what is arguably the single biggest privacy improvement you can make on any smartphone.

App permissions are the next battlefield and it's a messy one. Go to Settings > Privacy > Permission Manager and just browse through the categories. Location, Camera, Microphone, Contacts, Phone, Files, Body Sensors, Calendar, Call Logs, Nearby Devices, SMS. Each one shows you which apps have access. What you'll probably find is that apps you use once a month have permanent access to your location, that a food delivery app can read your contacts, and that a shopping app has microphone permission for some reason. Go through them methodically. For location, set everything to "Ask every time" or "Only while using the app" — the "Allow all the time" option should be reserved for maybe one or two apps where background location genuinely matters to you, like a family safety app. For camera and microphone, deny access to anything that doesn't obviously need it. Zomato doesn't need your microphone. Flipkart doesn't need your camera unless you're scanning a QR code, and you can grant permission temporarily when that happens.

I want to talk about DNS because it's one of those settings that sounds technical but is actually just a single line you type once and then forget about. DNS is the system that translates website names into IP addresses — when you type "flipkart.com," a DNS server tells your phone which server to connect to. By default, your DNS requests go through your telecom provider — Jio, Airtel, Vi, whoever — and they can see every website you visit. They also log it. Changing your DNS to a privacy-focused provider encrypts those requests so your telecom can't see them. Go to Settings > Network & Internet > Private DNS and enter dns.quad9.net or one.one.one.one (Cloudflare's DNS). Quad9 also blocks known malicious domains automatically, which is a nice bonus. One setting, thirty seconds, and your browsing becomes invisible to your ISP.

Lock Down Your Google Account Settings

The browser situation on Android is its own whole thing. Chrome is Google's browser, and using it while trying to limit Google's data collection is like going on a diet while living inside a bakery. Switch to Firefox with the "Strict" tracking protection mode enabled — it blocks third-party cookies, fingerprinting scripts, crypto-miners, and known trackers. Install the uBlock Origin extension (Firefox on Android supports extensions, Chrome doesn't) and you've got a browsing setup that's dramatically more private. Brave is another solid option if you prefer something that works more like Chrome out of the box but with built-in ad and tracker blocking. DuckDuckGo's browser is simpler but does a good job for casual use. Pick any of these. Just stop using Chrome as your daily browser.

Switch to a Privacy-Respecting Keyboard

Master App Permissions Management

Now, the advertising ID. Your Android phone has a unique identifier that's shared with every app you install, allowing them to track your behavior across apps and build a profile. Go to Settings > Privacy > Ads. On Android 12 and above, you can delete this identifier entirely. Do it. Some older Android versions only let you "reset" it or "opt out of personalization" — do both. After deleting, if an app requests your advertising ID, it'll get a string of zeros instead of a trackable identifier. Some ad-supported apps might show you less relevant ads after this, which is, again, the point.

DNS and Browser Configuration

Let's talk about the apps that specifically matter in an Indian context. Paytm, PhonePe, Google Pay, BHIM — these UPI apps are probably non-negotiable for most of us. You can't really replace them with privacy alternatives because the whole point is that they connect to India's UPI infrastructure. What you can do is minimize their permissions. None of them need access to your contacts to function — deny it. None of them need SMS permission on modern Android, since UPI apps no longer need to send verification SMS. Location can be set to "Only while using." For PhonePe specifically, deny access to Files/Storage unless you need to pay bills by uploading screenshots, which is rare.

Here's a practical list of app swaps that work well in India without breaking your daily routine: replace Chrome with Firefox or Brave for browsing; replace Gboard with OpenBoard or HeliBoard for typing; replace Google Photos with Ente Photos for encrypted photo backup (they have servers in India and support UPI payment); replace Google Drive with Proton Drive or Cryptomator on top of Drive for file storage; replace Google Maps with OsmAnd for offline navigation though keep Maps installed for situations where you need real-time traffic data; set your Private DNS to Quad9; install Blokada or TrackerControl from F-Droid to block system-wide trackers without needing a VPN; and use Signal instead of WhatsApp for conversations where privacy actually matters — you won't get everyone to switch, but even having it for a few close contacts is worthwhile.

Privacy-Friendly Alternatives for Indian Apps

VPNs are worth mentioning because public Wi-Fi in India is genuinely dangerous. Railway station Wi-Fi, airport Wi-Fi, cafe Wi-Fi — these networks are either unencrypted or actively monitored in some cases. If you connect to one, use a VPN. ProtonVPN has a free tier that's decent for occasional use and doesn't log your activity. Mullvad is the gold standard for paid VPNs — you can pay with cash by mailing an envelope, which says something about their privacy philosophy. What you shouldn't do is install a random free VPN from the Play Store. A 2024 study by the CSIRO found that over 38% of free Android VPN apps contained malware or tracking libraries. The "free VPN" category is, by and large, a privacy trap — the VPN can see all your traffic, and if the company's revenue model isn't subscriptions, it's probably selling that traffic data.

VPN and Network Security

Lock screen notifications are a small thing that matters more than you'd think. By default, Android shows the full content of notifications on your lock screen. That means anyone who picks up your phone can see your OTPs, banking transaction alerts, personal messages, and email previews. Go to Settings > Notifications > Lock Screen and select "Show sensitive content only when unlocked" or "Don't show notifications at all." I've heard of cases in India where OTP fraud happened simply because someone glanced at an unlocked phone's lock screen in a crowded place. The OTP was visible for the few seconds needed to read it. This takes one minute to fix.

Background app activity is something people don't think about. Apps running in the background can continue accessing your location, microphone, and network. Android 12+ shows indicator dots when an app accesses camera or microphone, which is helpful, but background location access is silent. Go to Settings > Apps, tap each app, look at "Battery" settings, and set non-critical apps to "Restricted" — this prevents background activity. For apps that claim they need to run in the background (delivery apps, ride-hailing apps), set them to "Balanced" instead of "Unrestricted."

Google Play Protect should stay on. I know I've been painting Google as the adversary here, and in the data collection sense they are, but Play Protect's malware scanning is genuinely useful. It checks apps before installation and periodically scans installed apps. Sideloaded APKs — apps installed from outside the Play Store — are a major vector for spyware and banking trojans in India. The "Fake SBI app" and "Modified WhatsApp" scams that circulated in 2025 relied on people installing APKs from WhatsApp forwards or sketchy websites. Keep Play Protect on, and be very skeptical of any app that asks you to "enable installation from unknown sources."

For people who want to go further, there's F-Droid — an alternative app store that only hosts free and open-source software. No tracking, no ads, no proprietary code. The selection is limited compared to the Play Store, but for privacy and utility apps, it's excellent. Apps like NewPipe (YouTube without ads or tracking), Aegis (2FA authenticator), KeePassDX (password manager), and the aforementioned OpenBoard and TrackerControl are all available there. You can run F-Droid alongside the Play Store without any conflicts.

Advanced Privacy Configurations

One thing I forgot — check if your phone manufacturer has its own telemetry running on top of Google's. Xiaomi, Realme, Samsung, and Oppo all have their own data collection systems baked into their Android skins. Xiaomi's MIUI sends device analytics to Xiaomi servers by default. Samsung's One UI has similar telemetry. Look in Settings for anything labeled "Usage data," "Diagnostics," "User Experience Program," or similar, and disable it.

Custom ROMs — LineageOS, GrapheneOS, CalyxOS, /e/OS — are the nuclear option. They replace your phone's entire operating system with a version of Android that doesn't include Google services. GrapheneOS on Pixel hardware is probably the most secure Android setup possible, but it means no Google Play Store, no Google Maps, no easy UPI apps. You can sideload some things, and there are compatibility layers like microG that provide limited Google functionality, but it's tinkering. If you're the kind of person who enjoys that, great. For everyone else, the steps above will get you maybe 80% of the privacy benefit with 10% of the hassle.

Notification permissions on Android 13+ are worth adjusting too. Apps now have to ask before sending you notifications, which is great, but older apps that were installed before the update might have been grandfathered in with notification access. Go through Settings > Notifications > App notifications and disable notifications for apps that don't need them. Each notification an app sends is an opportunity for it to phone home and report data about your engagement patterns — whether you opened the notification, how quickly, what you did afterward. Reducing unnecessary notifications isn't just about peace of mind; it marginally reduces the data surface area.

For parents, the Google Family Link app provides some privacy controls for children's Android devices, but it also creates its own surveillance dynamic where Google gets detailed data about your child's phone usage. A privacy-respecting alternative is to manually configure restrictions on the child's device: set up a separate Google account with minimal information, disable location history, turn off web and app activity, and restrict app installations to what you've approved. It's more work upfront than Family Link, but it doesn't create an additional data pipeline to Google about your family's behavior patterns. Indian parents, in my experience, tend to underestimate how much data children's phones generate and overestimate how much protection parental control apps actually provide.

The SIM card in your phone is itself a privacy consideration. Your telecom provider — Jio, Airtel, Vi — assigns your phone number to a SIM that's linked to your Aadhaar through eKYC verification. Every time your phone connects to a cell tower, your carrier logs your approximate location. Call records, SMS metadata, and data usage patterns are stored for periods that TRAI is currently reviewing but that are generally measured in years. You can't really avoid this without not having a SIM card, which isn't practical. But you can be aware of it and make decisions accordingly — for instance, using Signal for sensitive conversations instead of SMS, and using a VPN to prevent your carrier from seeing which websites you visit on mobile data.

Oh, one more thing I keep forgetting to mention — disable "Nearby Share" and "Quick Share" unless you're actively using them. These features use Bluetooth and Wi-Fi Direct to discover nearby devices, and in the process they broadcast your device name and proximity information. In crowded spaces, that's unnecessary exposure. Same with "Find My Device" — useful if you lose your phone, but it means Google always knows your phone's location. That one's a trade-off you'll need to decide for yourself.