I wrote this because a “normal” phone leaks silly amounts of metadata—and I wanted a fast, repeatable setup that makes the phone and the person using it hard to profile, hard to hack, and still easy to live with.

1) Start anonymous and clean

• Buy a prepaid phone + prepaid SIM with cash. Factory-reset before setup.
• Create a brand-new Google account only for this phone, then turn off ads & activity.
• For tougher account defenses, enroll in Google Advanced Protection (hardware keys, tight recovery).
• On first boot, sign in with the new account only. Use 2FA + a throwaway recovery alias. No real name, no extra profile data. Don’t add your main Google account—ever.

2) Lock screen: boring = strong

• Skip fingerprint/face unlock; use a long passphrase or a 10+ digit PIN.
• Keep device encryption on (here’s the Android security overview if you want the model).
• Hide lock-screen notification content; disable Smart Lock/trusted devices.

3) Quiet the sensors and radios

• Keep Location, Microphone, and Camera off unless you need them; add quick-setting tiles for one-tap toggles.
• Rename the device to something generic (e.g., “Android-A5”). Disable Nearby Share/quick discovery.
• Bluetooth off by default; unpair anything you don’t need.

4) Network hardening (anti-tracking + anti-hijack)

• Set Private DNS (DNS-over-TLS). Good providers include Quad9 and Cloudflare 1.1.1.1.
• If you use filtering resolvers, enable tracker/ad blocklists for a hosts-file vibe system-wide.
• Use a WireGuard-based VPN and enable the OS kill-switch (WireGuard details); set “Always-on” + “Block without VPN.”
• If your phone allows it, disable 2G to avoid downgrade attacks.

5) Developer Options 

Enable Developer Options (Settings → About phone → tap Build number 7×), then set:

• Memory profiling: Off
• OEM unlocking: Off
• USB debugging: Off, then Revoke USB debugging authorizations
• Wireless debugging: Off
• Default USB configuration: No data transfer
• Wi-Fi MAC randomization: On (prefer non-persistent randomization if offered)
• Add the Sensors-off tile if your ROM supports it
• Select your mock-location app (mechanism explained in the Android docs)

Quick reference to the knobs: Developer options guide.

6) Turn on the protections you already have

• Keep Play Protect/scam protection on for baseline hygiene.
• Short screen timeout; require passcode on wake.
• Enable Lockdown / secure power-off (disables biometrics + power menu until passcode).
• If supported, tuck sensitive apps into a secure container/work profile (concept: Android Work Profile).

7) Mock location 

• When a non-maps app refuses to run without Location, enable your mock-location app to feed a harmless coordinate; turn it off when you need real navigation.
• How it works is in the mock-location docs.
• Some services forbid mock-loc; use judgment.

De-Google the defaults (boost OPSEC)

Browser

Use Brave for built-in content blocking and anti-fingerprinting. Set Shields to Aggressive, block third-party cookies, disable AMP, and prevent WebRTC IP leaks.

Keyboard

Only these per spec: FUTO Keyboard (offline by design) or Yandex Keyboard. In either, turn off cloud personalization/sync and clipboard access.

Email / Calendar / Passwords / Cloud

• Use the Proton suite for Mail, Calendar, Pass, and Drive.
• Use FairEmail for other IMAP/POP accounts (block remote images; prefer plain-text).
• Back up to Proton Drive or MEGA.
• Store passwords in Proton Pass or MEGA Pass.

2-Factor Auth

Use 2FAS for TOTP codes; export encrypted backups and keep a copy offline.

Maps / Navigation

Replace Google Maps with CoMaps (OSM-based, privacy-first, supports offline downloads). Grab your region before trips.

Calls, texts, and your real number

Use Google Voice so you can hand out a Voice number instead of your SIM number (US-only). If you need it, here’s the setup guide. Prefer Wi-Fi/mobile-data calling, share only the Voice number, and keep the OEM Phone app enabled for emergencies/911.

Remove or disable stock Google apps 

UI path (no computer)

Settings → Apps → See all apps → choose the Google app → Disable (or Uninstall updates → then Disable). Also remove its permissions.

ADB (no root; per-user disable)

Enable USB debugging temporarily, then on your Linux box:

adb devices
adb shell pm disable-user --user 0 com.android.chrome
adb shell pm disable-user --user 0 com.google.android.gm
adb shell pm disable-user --user 0 com.google.android.calendar
adb shell pm disable-user --user 0 com.google.android.apps.photos
adb shell pm disable-user --user 0 com.google.android.apps.maps
adb shell pm disable-user --user 0 com.google.android.keep
adb shell pm disable-user --user 0 com.google.android.youtube
adb shell pm disable-user --user 0 com.google.android.apps.youtube.music
adb shell pm disable-user --user 0 com.google.android.apps.docs
adb shell pm disable-user --user 0 com.google.android.googlequicksearchbox
adb shell pm disable-user --user 0 com.google.android.apps.tachyon
adb shell pm disable-user --user 0 com.google.android.videos

Then switch USB debugging off and Revoke USB debugging authorizations.

Don’t nuke Google Play services (com.google.android.gms) on stock ROMs—lots breaks. Keep the OEM Phone app for emergency calling even if you mainly use Voice.

Anti-hacking boosts (small changes, big wins)

• Phishing armor: never enter credentials from links—open the app/site yourself. Use 2FAS codes or hardware keys; avoid SMS 2FA.
• App sources: prefer Play, F-Droid, or known developer sites; be picky with sideloads.
• Accessibility abuse check: Settings → Accessibility → Installed services; disable anything you didn’t turn on.
• Device admin check: Settings → Security → Device admin apps; remove unknown ones.
• Auto-reset permissions: ensure Android’s “auto-revoke for unused apps” is enabled.
• Privacy Dashboard: review which apps hit mic/cam/location this week; uninstall anything grabby.
• Voicemail: set a strong PIN, not the default.
• Wi-Fi hygiene: forget stale networks; turn off auto-connect to open networks.
• Travel/protest mode: export 2FAS, log out of sensitive apps, clear recent tasks, add the Sensors-off tile. If you must pass a phone check, power down (with secure power-off), not just lock.

Five-minute checklist 

• Prepaid phone + SIM (cash). Factory reset → first boot with fresh Google and ads & activity turned off.
• Long PIN/passphrase; encryption stays on.
• Private DNS (DoT) set; WireGuard VPN = Always-on + Block without VPN; disable 2G if possible.
• MAC randomization on; Bluetooth off by default.
• Lockdown/secure power-off; short auto-lock.
• Developer Options: OEM unlock off, USB debug off/revoked, default USB = No data, Sensors-off tile added.
• App swaps: Brave • FUTO Keyboard or Yandex Keyboard • Proton Mail/Calendar/Pass/Drive • FairEmail • 2FAS • CoMaps • Google Voice • MEGA or Proton Drive.
• Disable stock Google apps you don’t use (UI or ADB).
• One phone = one identity. Don’t cross-login with your main accounts.
• SIM swap friction: set a SIM PIN; ask your carrier for a port-out lock; avoid phone-number 2FA.