
How to protect your phone from trackers in 2026 — the complete guide

Your phone is being tracked in at least four different ways right now — by apps, by websites, by your carrier, and by ad networks. Some of this tracking you agreed to (buried in Terms of Service), some of it happens without your knowledge. Here's exactly how each type works and how to stop it.

By Casper's Cloak Security Team

The short version: phone tracking falls into four categories — app-level SDK tracking, website tracking, carrier tracking, and ad-network cross-device tracking. Each requires a different defense. No single setting or app stops all four. The practical approach is layering: tighten your OS privacy settings first (free, takes 10 minutes), add browser-level protections (free, takes 5 minutes), then add network-level tracker blocking for the tracking that OS and browser settings can't touch. Below: the complete breakdown of what each tracking type actually does, which defenses work against which types, and the step-by-step setup for both iPhone and Android.

The 4 types of phone tracking (and which you can actually stop)

Most "stop phone tracking" guides treat tracking as one thing. It isn't. There are four distinct mechanisms, each operated by different parties, collecting different data, through different technical channels. That's why turning off one setting doesn't stop the feeling of being followed around the internet — you've only addressed one of the four.

| Tracking type | Who does it | What they collect | Can you stop it? |
|---|---|---|---|
| App tracking | SDKs embedded in apps (Facebook SDK, Google Firebase, Adjust, AppsFlyer, Branch) | Device ID (IDFA/GAID), app usage patterns, location, purchase history, contacts | Mostly — OS settings + network blocking |
| Website tracking | Cookies, fingerprinting scripts, tracking pixels (Meta Pixel, Google Analytics, TikTok Pixel) | Browsing history, search queries, page interactions, purchase behavior | Mostly — browser settings + extensions + DNS blocking |
| Carrier tracking | Your mobile carrier (AT&T, Verizon, T-Mobile) and ISP | Cell tower location, DNS queries, browsing metadata, supercookies (Verizon's UIDH) | Partially — VPN helps, but cell tower triangulation can't be stopped |
| Ad network tracking | Cross-app profile builders (Google, Meta, data brokers, device-graph companies) | Cross-app behavioral profiles, device graphs linking your phone/laptop/tablet, inferred demographics | Partially — opt-outs + network blocking reduce it significantly |

The rest of this guide walks through each type and gives you concrete steps to reduce or eliminate it. We'll cover iPhone and Android separately where the steps differ, and flag the honest limitations — the things you genuinely cannot stop without trade-offs most people won't accept.

How to stop app tracking on iPhone

Apps are the biggest source of phone tracking for most people. The average iPhone has 80+ apps installed, and research from the EFF has shown that the typical free app contains 6 tracking SDKs that send data to third parties even when you're not actively using the app. Here's how to shut them down.

1. Turn off "Allow Apps to Request to Track"

Go to Settings > Privacy & Security > Tracking and toggle off "Allow Apps to Request to Track." This does two things: it removes your IDFA (the advertising identifier that lets ad networks link your activity across apps) and prevents apps from even asking for permission to track. Without the IDFA, tracking SDKs lose the primary identifier they use to build cross-app profiles. This is the single highest-impact setting on your iPhone.

However, this doesn't stop tracking entirely. As we covered in our analysis of what App Tracking Transparency doesn't stop, apps can still use probabilistic fingerprinting (IP address, device model, screen size, timezone) to identify you without the IDFA. Apple prohibits this, but enforcement is limited.

2. Review and restrict app permissions

Go to Settings > Privacy & Security and review each category: Location Services, Contacts, Photos, Microphone, Camera, Bluetooth. For each app, ask yourself: does this app need this permission to function? A weather app needs location. A flashlight app does not. Set location permissions to "While Using the App" instead of "Always" wherever possible. Disable "Precise Location" for apps that don't need street-level accuracy — the coarse location (approximate area) is usually sufficient for weather, news, and similar apps.

3. Delete apps you don't use

This sounds obvious, but it's one of the most effective steps. Apps with background refresh enabled can collect and transmit data even when you haven't opened them in months. Every installed app is a potential tracking vector. If you haven't used an app in the last 30 days, delete it. You can always reinstall it later. Go to Settings > General > iPhone Storage to see which apps you haven't used recently.

4. Use network-level tracker blocking

The steps above reduce what tracking SDKs can identify, but they don't stop the SDKs from making network requests. The Facebook SDK still phones home. Google Firebase still sends analytics. Adjust and AppsFlyer still fire attribution pings. To actually block these network connections, you need network-level filtering — something that intercepts tracker requests before they leave your device.

Options include Casper's Cloak, NextDNS, or AdGuard — all of which block known tracker domains at the DNS level, preventing the network requests from completing regardless of which app makes them. This catches tracking that ATT and permission settings cannot stop, because it operates at the network layer rather than the app layer. When the Facebook SDK tries to resolve graph.facebook.com for tracking purposes, the DNS filter returns a null response and the data never leaves your phone.

How to stop app tracking on Android

Android's tracking landscape is structurally similar to iPhone's — apps contain tracking SDKs, those SDKs use a device advertising ID, and the data flows to the same third parties. But the specific settings and their locations are different.

1. Delete your Advertising ID

Starting with Android 12, you can fully delete your advertising ID rather than just resetting it. Go to Settings > Privacy > Ads > Delete advertising ID. On older Android versions, go to Settings > Google > Ads > Reset advertising ID and toggle on "Opt out of Ads Personalization." Deleting the ID is more effective than resetting it — a reset just gives you a new ID that trackers immediately start building a new profile around.

2. Review app permissions aggressively

Go to Settings > Privacy > Permission manager. Review Location, Camera, Microphone, Contacts, Phone, and Body sensors. Android's permission system is more granular than iOS in some ways — you can set permissions to "Allow only while using the app," "Ask every time," or "Don't allow." For location, disable "Use precise location" for apps that don't need it. Also check Settings > Privacy > Permission manager > Nearby devices — this controls Bluetooth scanning, which some apps use for Bluetooth beacon tracking (retail stores, malls, stadiums).

3. Disable personalized ads in Google settings

Open the Google app or go to myaccount.google.com/data-and-privacy. Under "Ad personalization," turn it off. This doesn't stop Google from collecting data, but it stops them from using your data to serve targeted ads — which removes the financial incentive for the most invasive forms of behavioral profiling. Also disable Web & App Activity, Location History, and YouTube History if you're willing to lose the personalization features that depend on them.

4. Use Private DNS or VPN-based blocking

Android 9+ has built-in support for encrypted DNS via the Private DNS setting (Settings > Network & internet > Private DNS). Point this to a filtering DNS resolver — NextDNS, AdGuard DNS, or Cloudflare's malware-blocking resolver (1.1.1.2) — for system-wide tracker blocking without installing a VPN app. Alternatively, VPN-based filtering apps (Casper's Cloak, AdGuard for Android) provide the same DNS blocking plus additional network encryption. The VPN approach is slightly more comprehensive because it also encrypts your traffic from your carrier's view, but it uses the VPN slot, which means you can't run another VPN simultaneously.

How to stop website tracking on any device

Website tracking is what produces the "I searched for shoes and now I see shoe ads everywhere" experience. It works through cookies, tracking pixels, fingerprinting scripts, and third-party network requests embedded in web pages. The good news: website tracking is the most blockable of the four types because most of it happens through identifiable third-party domains and scripts.

Browser-level defenses (the first layer)

Your choice of browser matters more than most people realize. Safari has Intelligent Tracking Prevention (ITP), which automatically limits cross-site cookies, downgrades tracking cookies to 7-day expiration, and blocks some fingerprinting APIs. Firefox has Enhanced Tracking Protection (ETP), which blocks known tracking cookies, fingerprinting scripts, cryptominers, and social media trackers by default. Brave blocks third-party ads and trackers out of the box and randomizes some fingerprinting APIs. Chrome, by contrast, provides minimal built-in tracking protection — Google's business model depends on the ad tracking ecosystem that other browsers are blocking.

Practical recommendation: use Safari on iPhone (it's the only browser engine Apple allows on iOS anyway), Firefox or Brave on Android (both support full extensions), and Firefox or Safari on desktop.

Extension-level defenses (the second layer)

On desktop browsers and Firefox for Android, install uBlock Origin — it's the most effective content-blocking extension, using community-maintained filter lists to block tracking scripts, pixels, and fingerprinting attempts. On iPhone Safari, use a content blocker like 1Blocker or AdGuard for Safari (these use Apple's Content Blocker API and work within Safari's restrictions). For a deeper dive on iPhone-specific options, see our guide to blocking website trackers on iPhone.

Network-level defenses (the third layer)

DNS-based blocking catches trackers that browser extensions miss — particularly CNAME-cloaked trackers (where the tracking domain is disguised as a first-party subdomain) and trackers inside apps that aren't browsers at all (in-app webviews in Instagram, TikTok, Facebook, LinkedIn, etc.). When you tap a link inside the Instagram app, it opens in Instagram's in-app browser, which doesn't have your content blocker or uBlock Origin. DNS-level blocking still works in this context because it operates at the network layer, not the browser layer. Tools like Casper's Cloak, NextDNS, Pi-hole, and AdGuard DNS all provide this layer.
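The filtering decision described above, as an added example (not the code of Casper's Cloak or any other tool named here): a resolver-side check that matches the queried name and every CNAME target against a blocklist, which is how a DNS filter catches a cloaked tracker hiding behind a first-party subdomain. The blocklist, the zone data and every `.example` name are constructed for illustration.

```python
# Added example: DNS-level tracker filtering with CNAME-chain inspection.
# Every name except graph.facebook.com (mentioned in the article) is constructed.

SINKHOLE = "0.0.0.0"  # the "null response" returned for blocked names

# Constructed blocklist: an entry blocks itself and all of its subdomains.
BLOCKLIST = {"graph.facebook.com", "tracker-vendor.example"}

# Constructed zone data standing in for upstream DNS answers.
# Each name maps to ("CNAME", target) or ("A", address).
UPSTREAM = {
    "graph.facebook.com": ("A", "192.0.2.10"),
    "www.shop.example": ("A", "192.0.2.20"),
    # First-party-looking subdomain that is really an alias for a tracker.
    "metrics.shop.example": ("CNAME", "shop.collect.tracker-vendor.example"),
    "shop.collect.tracker-vendor.example": ("A", "192.0.2.30"),
    # Benign CNAME (a CDN), which must keep resolving normally.
    "cdn.shop.example": ("CNAME", "edge.cdn-host.example"),
    "edge.cdn-host.example": ("A", "192.0.2.40"),
}


def normalize(name):
    """Lower-case the name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def matches_blocklist(name, blocklist=BLOCKLIST):
    """Return the blocklist entry covering `name`, or None.

    Matching walks up label by label, so 'x.tracker-vendor.example' matches
    'tracker-vendor.example' but 'evil-tracker-vendor.example' does not.
    """
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def resolve(qname, upstream=UPSTREAM, blocklist=BLOCKLIST, max_hops=8):
    """Resolve qname, checking the queried name and each CNAME target."""
    name = normalize(qname)
    chain = []
    for _ in range(max_hops):
        chain.append(name)
        hit = matches_blocklist(name, blocklist)
        if hit:
            return {"answer": SINKHOLE, "blocked_by": hit, "chain": chain}
        record = upstream.get(name)
        if record is None:  # no such name upstream
            return {"answer": None, "blocked_by": None, "chain": chain}
        rtype, value = record
        if rtype == "A":
            return {"answer": value, "blocked_by": None, "chain": chain}
        name = normalize(value)  # follow the CNAME to its target
    # CNAME loop or overlong chain: fail closed rather than resolve.
    return {"answer": SINKHOLE, "blocked_by": "cname-chain-too-long", "chain": chain}


if __name__ == "__main__":
    for q in ("graph.facebook.com", "metrics.shop.example", "cdn.shop.example"):
        print(q, resolve(q))
```

A filter that only compared the queried name against the list would let `metrics.shop.example` through; the block comes from inspecting the alias target.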

Practical habits that help

Clear cookies regularly — or better, use private/incognito browsing for any search you wouldn't want linked to your profile (medical, financial, legal). Use a separate browser for sites where you're logged in (Gmail, Facebook, Amazon) and a different browser for anonymous browsing. This prevents Facebook from linking your logged-in identity to your anonymous browsing behavior through third-party cookies.

How to limit carrier tracking

Your mobile carrier — AT&T, Verizon, T-Mobile, or whichever provider you use — has a unique vantage point. They can see every DNS query your phone makes (unless you use encrypted DNS), every IP address you connect to (unless you use a VPN), and your physical location via cell tower triangulation at all times your phone has cellular signal. Some carriers have gone further: Verizon infamously injected "supercookies" (UIDH headers) into all HTTP traffic, and multiple carriers have sold location data to third-party brokers.

Use a VPN

A VPN encrypts all traffic between your phone and the VPN server. Your carrier can see that you're connected to a VPN server, but they can't see which websites you're visiting, what DNS queries you're making, or what data you're transmitting. This neutralizes DNS-based surveillance and prevents supercookie injection. Reputable VPN options include Mullvad, IVPN, and ProtonVPN — choose a provider with a verified no-logs policy and independent audits. If you're already using a DNS-filtering tool like Casper's Cloak or AdGuard that operates via a local VPN profile, you're already getting this benefit for DNS queries, though the traffic encryption scope varies by tool.

Disable WiFi scanning and Bluetooth scanning

Both iPhone and Android continuously scan for WiFi networks and Bluetooth beacons, even when WiFi and Bluetooth are "off" (swiping them off in Control Center/Quick Settings doesn't fully disable scanning on most devices). These scans can be used for indoor positioning and proximity tracking. On Android: Settings > Location > Location services > WiFi scanning / Bluetooth scanning — turn both off. On iPhone: go to Settings > Privacy & Security > Location Services > System Services and disable "Networking & Wireless."

The honest caveat: cell tower triangulation

Your carrier knows your approximate location at all times your phone has a cellular connection. This is inherent to how cellular networks work — your phone must communicate with nearby cell towers to receive calls and data, and the tower locations are known. No app, VPN, or setting can change this. The only way to stop cell tower triangulation is to enable Airplane Mode or turn off the phone entirely. This is a fundamental trade-off: if you want cellular connectivity, your carrier knows roughly where you are (accuracy ranges from 50 meters in urban areas to several kilometers in rural areas).

How to stop ad network cross-device tracking

Ad networks don't just track you on one device — they build "device graphs" that link your phone, laptop, tablet, smart TV, and any other device you use. The connection is made through shared login credentials (you log into Google or Facebook on all your devices), shared IP addresses (all devices on your home WiFi share one public IP), and shared behavioral patterns (same browsing habits, same times of day, same locations). The result: even if you block tracking on your phone, the ad network may infer your phone's activity from your unprotected laptop, or vice versa.

Opt out of ad personalization everywhere

This needs to be done on every platform you use. On iPhone: Settings > Privacy & Security > Apple Advertising > Personalized Ads — turn off. On Android: delete your advertising ID (covered above). On Google: myaccount.google.com > Data & privacy > Ad personalization — turn off. On Facebook/Meta: Settings > Accounts Center > Ad preferences > Ad settings — limit everything. Also visit the Digital Advertising Alliance opt-out page and the NAI opt-out tool to opt out of interest-based advertising from participating networks.

Separate your logged-in and anonymous activity

The most powerful device-graph signal is a shared login. When you're logged into Google in Chrome on both your phone and laptop, Google trivially links everything you do on both devices. The defense: use separate browsers (or browser profiles) for logged-in and anonymous activity. On your phone, use Safari/Firefox for anonymous browsing and Chrome only for Google services (or vice versa). On your laptop, use browser profiles — one profile logged into your accounts, a separate profile (or a different browser entirely) for everything else.

Block device-graph SDKs at the network level

The SDKs that build device graphs — Facebook SDK, Google Firebase Analytics, Adjust, Branch, AppsFlyer — make network requests to known endpoints. Network-level tracker blocking (DNS filtering) catches these requests across all apps on your device. When DNS-level blocking prevents the Facebook SDK from resolving its tracking endpoint, the SDK can't contribute data to Meta's device graph. This doesn't remove existing data Meta has about you, but it stops the ongoing flow of new behavioral data from your device.

Advanced: decoy traffic

Some privacy tools go beyond blocking by generating decoy network traffic — fake browsing patterns and search queries that pollute your behavioral profile with noise. The idea is that even if some tracking gets through your blockers, the tracker's profile of you becomes unreliable because it contains a mix of real and fake signals. Casper's Cloak includes this as an optional feature; AdNauseam does something similar for ad clicks specifically. This is an advanced measure — blocking is more important than obfuscation, but obfuscation adds a useful second layer for metadata analysis that blocking alone can't address.

The layered approach — what actually works

No single tool stops all phone tracking. The practical strategy is layering multiple defenses so that each layer catches what the others miss. Here's the full stack, ordered from easiest to most advanced:

| Defense layer | What it stops | Tools |
|---|---|---|
| OS settings (ATT, Ad ID deletion, permissions) | IDFA/GAID-based cross-app tracking, unnecessary data collection by apps | Built into iOS and Android (free) |
| Browser settings (ITP, ETP, privacy-focused browser) | Cross-site cookies, known fingerprinting scripts, social media trackers | Safari, Firefox, Brave (free) |
| Browser extensions / content blockers | Analytics scripts, ad pixels, tracking elements, some fingerprinting | uBlock Origin, 1Blocker, AdGuard (free / low cost) |
| DNS-level blocking | App-level tracking SDKs, in-app browser trackers, known tracker domains across all apps | Casper's Cloak, NextDNS, Pi-hole, AdGuard DNS |
| VPN | Carrier DNS snooping, supercookie injection, public WiFi interception | Mullvad, ProtonVPN, IVPN (or VPN-based DNS tools) |
| Decoy traffic | Metadata analysis, behavioral profiling from residual tracking | Casper's Cloak (optional), AdNauseam |

The minimum effective setup (15 minutes): tighten OS privacy settings (ATT on iPhone, delete Ad ID on Android, review app permissions) + install a privacy browser or content blocker + enable DNS-level tracker blocking. These three layers stop the majority of phone tracking without requiring technical expertise or significantly changing how you use your phone.

The comprehensive setup (30 minutes): everything above, plus a VPN for carrier-level protection, browser compartmentalization (separate browsers for logged-in vs. anonymous activity), and opt-outs from the major ad personalization platforms. This addresses all four tracking types to the extent that client-side tools can.

What you can't stop (honest limitations)

Any guide that promises "complete" privacy protection is misleading. Here are the things that no combination of phone settings, apps, or network tools can fully prevent:

First-party tracking. When you use Google Search, Gmail, Google Maps, YouTube, or any Google service, Google tracks your activity within those services. The same applies to Apple (within Apple services), Meta (within Facebook, Instagram, WhatsApp), Amazon, and every other platform. This is first-party data collection — you're using their service, and they're recording how you use it. No blocker can or should prevent this; it's the basic mechanism by which these services work. Your defense is service selection: use privacy-respecting alternatives where practical (DuckDuckGo for search, Proton Mail for email, Signal for messaging).

Cell tower triangulation. As covered in the carrier section: if your phone has cellular service, your carrier knows your approximate location. No software can change this. The only mitigation is Airplane Mode, which most people can't keep enabled continuously.

Device fingerprinting evolution. Fingerprinting techniques evolve faster than defenses. Browser vendors (Apple, Mozilla, Google) and extension developers are in a constant arms race with fingerprinting companies. New fingerprinting vectors — GPU rendering differences, AudioContext variations, battery API data, accelerometer readings — appear regularly. Defenses like randomization and API restriction help, but they're always catching up to the latest techniques rather than getting ahead of them.

Server-side tracking. When a website sends your purchase data directly from their server to Facebook (via Meta's Conversions API) or processes analytics server-side (via Google's Measurement Protocol), no client-side tool can see or block that traffic. The data flows between two servers you don't control. Server-side tracking is growing specifically because client-side blocking has become effective — advertisers are moving data collection to the server side to bypass blockers.

Perfect privacy requires trade-offs most people won't accept. You could use a de-Googled Android phone, communicate only via Signal, browse exclusively through Tor, pay only with cash or Monero, and never create an account on any mainstream service. This would dramatically reduce your trackability — and also make your phone significantly less useful. Practical privacy is about finding the right balance between protection and usability for your specific threat model, not about achieving theoretical perfection.

Bottom line

Phone tracking isn't one thing — it's four distinct mechanisms (app SDKs, website trackers, carrier surveillance, and ad network device graphs), each requiring different defenses. The most effective approach is layering: tighten your OS privacy settings to cut off the easy identifiers, use a privacy-respecting browser to block website trackers, add DNS-level blocking to catch the app-level tracking that OS settings miss, and optionally add a VPN to limit what your carrier can see. No single tool stops everything, but the combination addresses the overwhelming majority of tracking that affects a typical phone user. Start with the free settings changes (15 minutes), then decide whether the remaining gaps warrant additional tools.

Block phone trackers at the network level

Casper's Cloak blocks tracking SDKs, ad network endpoints, and known tracker domains across every app on your phone — not just the browser. One tap to set up, works on both iPhone and Android.