App hardening: the right settings per app
Which privacy settings should you enable in Signal, Firefox, your email client, password manager, and more? Explained per app, per threat level.
You’ve installed the right apps. But default settings aren’t always privacy-friendly — even in open-source apps. This guide walks through the most commonly used privacy apps and explains exactly which settings to change.
How this guide works
Per app: what it does, which settings to change, and why. Settings are marked as:
- Basic — do this always
- Advanced — for higher-risk users
- Optional — depends on use case
Signal / Molly
Signal is the standard for encrypted messaging. Molly is a hardened fork — if you use GrapheneOS, use Molly.
Basic settings
Enable registration lock Settings → Account → Registration lock → On
Prevents someone with your phone number from activating a new Signal installation without your PIN.
Block screenshots Settings → Privacy → Screen security → On
Prevents messages from being visible in the app switcher or screenshots.
Hide notification content Settings → Notifications → Show → No name or message
Otherwise messages are visible in push notifications on the lock screen.
Hide phone number Settings → Privacy → Phone number → Who can see my number → Nobody
By default your phone number is visible to everyone on Signal. This restricts it to contacts or nobody.
Advanced
Auto-delete messages Set a default disappearing message timer per conversation. Start with 1 week for daily conversations, shorter for sensitive content.
Database passphrase (Molly) Molly has an extra option: database encryption with a separate passphrase, independent of your phone lock. If someone has your phone but not the Molly passphrase, they can’t read the messages.
Firefox
Firefox is more privacy-friendly than Chrome, but still comes with telemetry and sync features that send your data to Mozilla by default.
Basic settings
Disable telemetry Settings → Privacy & Security → Firefox Data Collection and Use → Uncheck all
Enhanced Tracking Protection Settings → Privacy & Security → Enhanced Tracking Protection → Strict
HTTPS-Only Mode Settings → Privacy & Security → HTTPS-Only Mode → Enable in all windows
Blocks unencrypted HTTP connections. On the rare sites this breaks, you can add an exception.
Disable Firefox Sync If you don’t use sync: Settings → Sync → Sign out or never sign in. Sync sends your bookmarks, history, and passwords to Mozilla servers.
Advanced (about:config)
Open about:config and change the following:
| Setting | Value | Effect |
|---|---|---|
| privacy.resistFingerprinting | true | Makes browser fingerprinting harder |
| geo.enabled | false | Disables location API |
| media.peerconnection.enabled | false | Prevents WebRTC IP leak when using VPN |
| browser.send_pings | false | Disables hyperlink tracking |
| network.cookie.cookieBehavior | 1 | Blocks third-party cookies |
| dom.battery.enabled | false | Hides battery status (tracking vector) |
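Settings changed in about:config drift: a Firefox update, a sync, or a stray click can flip one back. The following checker, an added example and not part of this guide, parses a Firefox prefs.js or user.js (which store settings as `user_pref("name", value);` lines) and reports every recommended value from the table above that is missing or wrong. The sample prefs file is constructed for the demonstration.

```python
import re

# Recommended about:config values from the table above.
RECOMMENDED = {
    "privacy.resistFingerprinting": True,
    "geo.enabled": False,
    "media.peerconnection.enabled": False,
    "browser.send_pings": False,
    "network.cookie.cookieBehavior": 1,
    "dom.battery.enabled": False,
}

# Matches one line of prefs.js / user.js, e.g. user_pref("geo.enabled", false);
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_value(raw):
    """Convert the textual pref value to bool, int or str."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    return raw.strip('"')


def parse_prefs(text):
    """Return {pref_name: value} for every user_pref line in the file."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs


def audit(prefs):
    """Return {pref: (expected, actual)} for each recommendation not met.
    A pref absent from the file is reported with actual=None, meaning the
    Firefox built-in default is in effect, not the hardened value."""
    findings = {}
    for name, expected in RECOMMENDED.items():
        actual = prefs.get(name)
        if actual != expected:
            findings[name] = (expected, actual)
    return findings


# Constructed sample prefs.js: two prefs hardened, one wrong, three missing.
SAMPLE_PREFS = '''
user_pref("privacy.resistFingerprinting", true);
user_pref("geo.enabled", false);
user_pref("network.cookie.cookieBehavior", 0);
user_pref("app.update.lastUpdateTime", 1700000000);
'''

if __name__ == "__main__":
    for name, (want, got) in audit(parse_prefs(SAMPLE_PREFS)).items():
        print(f"{name}: expected {want!r}, found {got!r}")
```

Point it at the real file (close Firefox first, since prefs.js is rewritten on exit) to see which of the six prefs still need attention.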
Essential extensions
uBlock Origin — tracker and ad blocker. Enable “Advanced mode” for maximum control.
Configuration: go to the dashboard → Filter lists → also enable:
- EasyList
- EasyPrivacy
- uBlock filters — Privacy
LocalCDN — replaces commonly used CDN libraries (jQuery, Bootstrap) locally, so external CDNs can’t track your visits.
ClearURLs — strips tracking parameters from URLs (like ?utm_source=, ?fbclid=).
What you don’t need
Privacy Badger, Disconnect, Ghostery — these are redundant if you have uBlock Origin correctly configured. More extensions = larger fingerprint.
Vanadium (GrapheneOS)
Vanadium is GrapheneOS’s default browser. It’s a hardened version of Chromium without telemetry. There’s very little to configure.
Already good by default:
- No Google sync
- No crash reports
- No telemetry
- Per-site sandboxing
What to change: Settings → Privacy and security → Safe Browsing → No protection (Safe Browsing sends visited URLs to Google)
Settings → Site settings → Go through everything: location, camera, microphone, notifications → Block as default
KeePassDX / KeePassXC
Local password managers — no cloud, no sync unless you set it up yourself.
Basic settings
Strong master password At least 16 characters, mix of letters, numbers and symbols. This is the only password you need to remember — make it count.
Protect database with key file In addition to the master password, you can add a key file. Without that file (on a separate USB or location) the database can’t be opened — even if someone knows the master password.
KeePassDX (Android):
- Settings → Security → Block screenshots → On
- Settings → Security → Lock automatically → 30 seconds
KeePassXC (Desktop):
- Tools → Settings → Security → Lock database after inactivity → 5 minutes
- Tools → Settings → Security → Clear clipboard after → 10 seconds (automatically clears copied passwords)
Advanced
Store database on encrypted media Save the .kdbx database in your encrypted home directory (Linux: standard if full-disk encryption is on). Never on an unencrypted USB or cloud service.
Backup strategy Database copy on: encrypted external drive + offline location (e.g. at home in a drawer). Sync via Syncthing for multiple devices — but never to Google Drive or Dropbox.
Proton Mail / Thunderbird
Proton Mail (webmail)
Enable two-factor authentication Settings → Security → Two-factor authentication → Hardware key or TOTP app
Don’t use Proton Pass if you already have KeePass Two password managers are one too many.
Block external images Settings → Email → Load remote content → Blocked
External images in emails are commonly used as tracking pixels — loading them tells the sender when (and from which IP address) you opened the email.
Thunderbird with OpenPGP
See the PGP guide for full setup. Quick summary:
Settings → Account Settings → End-to-End Encryption → Add key
Enable: “Encrypt messages by default” for conversations where both parties support OpenPGP.
VPN client (Mullvad / ProtonVPN)
Mullvad
Enable kill switch Settings → Kill switch → On
If the VPN connection drops, the kill switch blocks all internet. Without this, your real IP leaks.
DNS leak prevention Mullvad automatically uses its own DNS. Verify at mullvad.net/check that there’s no leak.
DAITA (Mullvad-specific) Settings → DAITA → On
Defends against traffic analysis by masking the size and timing of data packets. Newer feature, minor performance cost.
Lockdown mode Settings → VPN settings → Block when VPN is disconnected → On
Blocks internet even at startup before the VPN connects.
ProtonVPN
Stealth protocol If VPN is blocked (hotels, schools, authoritarian networks): Settings → Protocol → Stealth
Disguises VPN traffic as normal HTTPS.
NetShield (DNS blocking) Settings → NetShield → Block malware + ads
Orbot (Tor on Android)
Set active apps Orbot → App chooser → select which apps run through Tor
Use this for apps where IP anonymity matters: browser, communication apps.
Not for all apps simultaneously Tor is slow. Use it selectively, not as a general VPN replacement.
Combined with VPN You can use Orbot with a VPN: VPN → Tor (Tor sees VPN IP, not your real IP). Or Tor → VPN (VPN provider sees Tor exit node). Both have trade-offs — choose deliberately.
F-Droid
Disable auto-updates / check manually F-Droid → Settings → Automatically install updates → Off
Review which updates are available before installing. F-Droid updates arrive more slowly than on the Play Store — that’s a deliberate choice.
Add IzzyOnDroid repo More apps, well-maintained. See the F-Droid guide.
Show incompatible apps F-Droid → Settings → Show incompatible versions → On
Some apps are hidden by default because they require root or are experimental.
Summary by threat level
Normal use (most people)
| App | Critical setting |
|---|---|
| Signal | Hide notification content, screen security on |
| Firefox | Telemetry off, tracking protection Strict, uBlock Origin |
| KeePass | Strong master password, auto-lock 5 min |
| VPN | Kill switch on |
Elevated risk (activist, journalist, small business)
Everything above, plus:
| App | Critical setting |
|---|---|
| Signal/Molly | Registration lock, disappearing messages, hide number |
| Firefox | privacy.resistFingerprinting on, WebRTC off |
| KeePass | Key file, database on encrypted media |
| Mullvad | DAITA on, lockdown mode |
| Orbot | Browser + communication via Tor |
High risk (source protection, device seizure possible)
Everything above, plus:
- Molly with database encryption separate from phone lock
- No cloud backups of anything
- PGP for email (see PGP guide)
- GrapheneOS profiles for separation (see profiles guide)
- Auto-reboot set to 18-24 hours
See also: