App hardening: the right settings per app
You’ve installed the right apps. But default settings aren’t always privacy-friendly — even in open-source apps. This guide walks through the most commonly used privacy apps and explains exactly which settings to change.
Do not use this guide as if every setting applies to everyone. The right settings depend on your base profile, your tolerance for friction, and how much maintenance you actually want to do afterwards.
Who this guide is for
This guide is mainly for readers who already have the basics in place and now want to configure good apps more deliberately.
It fits best for:
- balanced privacy-aware readers who want stronger defaults without changing everything at once
- GrapheneOS users who want to tighten app behaviour after setup
- higher-risk readers who already know why a given setting is worth the extra friction
For low-friction normal users, this is usually not the first page to start with. Begin with passwords, 2FA, app permissions, and browser basics first. Only then does app-by-app hardening become the right next step.
What you gain, and what it costs
If you use this guide properly, you usually gain:
- stronger privacy defaults in apps you already rely on
- less silent data leakage through permissive settings
- more deliberate control over which extra protections are actually worth enabling
But it costs something:
- more setup time than simply installing the app and leaving defaults in place
- some risk of breaking convenience features you may still want
- a maintenance burden if you enable advanced settings without understanding why they matter
This is usually a good trade once your basics are already in place. It becomes overkill when you are tuning advanced app settings before fixing passwords, 2FA, browser defaults, and app permissions first.
How this guide works
Per app: what it does, which settings to change, and why. Settings are marked as:
- Basic — do this always
- Advanced — only when the extra gain is also worth the extra friction
- Optional — depends on use case
Rule of thumb:
- low-friction normal user: stick mainly to basic settings
- balanced privacy-aware: add advanced settings selectively
- higher-risk: use heavier options only with a concrete reason and a routine to keep them up
Signal / Molly
Signal is the standard for encrypted messaging. Molly is a hardened fork — if you use GrapheneOS, use Molly.
Basic settings
Enable registration lock: Settings → Account → Registration lock → On
Prevents someone with your phone number from activating a new Signal installation without your PIN.
Block screenshots: Settings → Privacy → Screen security → On
Prevents messages from being visible in the app switcher or screenshots.
Hide notification content: Settings → Notifications → Show → No name or message
Otherwise messages are visible in push notifications on the lock screen.
Limit phone number visibility: Settings → Privacy → Phone number → Who can see my number → Nobody
Signal now hides your number better than it used to, but this setting further limits who can see it in your profile. Also check who can find you by your phone number, and use a username instead of sharing your number where possible.
Advanced
Auto-delete messages: set a default disappearing message timer per conversation. Start with 1 week for daily conversations, shorter for sensitive content.
Database passphrase (Molly): Molly has an extra option: database encryption with a separate passphrase, independent of your phone lock. If someone has your phone but not the Molly passphrase, they can’t read the messages.
Maintenance burden: higher than standard Signal. Only worth doing if you will also use that extra step consistently.
Firefox
Firefox is more privacy-friendly than Chrome, but still comes with telemetry and sync features that send your data to Mozilla by default.
Basic settings
Disable telemetry: Settings → Privacy & Security → Firefox Data Collection and Use → Uncheck all
Enhanced Tracking Protection: Settings → Privacy & Security → Enhanced Tracking Protection → Strict
HTTPS-Only Mode: Settings → Privacy & Security → HTTPS-Only Mode → Enable in all windows
Blocks unencrypted HTTP connections. On the rare sites this breaks, you can add an exception.
Disable Firefox Sync: if you don’t use sync, Settings → Sync → Sign out, or never sign in. Sync sends your bookmarks, history, and passwords to Mozilla servers.
Advanced (about:config)
Open about:config and change the following:
| Setting | Value | Effect |
|---|---|---|
| privacy.resistFingerprinting | true | Makes browser fingerprinting harder (also spoofs the time zone to UTC and rounds the window size, which some sites notice) |
| geo.enabled | false | Disables the location API |
| media.peerconnection.enabled | false | Disables WebRTC, which can otherwise leak your real IP when using a VPN |
| browser.send_pings | false | Disables hyperlink tracking pings |
| network.cookie.cookieBehavior | 1 | Blocks third-party cookies |
| dom.battery.enabled | false | Hides battery status (tracking vector) |
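Added check, not part of the original guide: a small Python script that reads a prefs.js or user.js from a Firefox profile, reports which values from the table above are missing or still at their default, and can emit the same list as a user.js fragment. The sample prefs.js content is constructed for the demonstration.

```python
import re
# Hardened about:config values from the table above (constructed from that list).
HARDENED_PREFS = {
    "privacy.resistFingerprinting": True,
    "geo.enabled": False,
    "media.peerconnection.enabled": False,
    "browser.send_pings": False,
    "network.cookie.cookieBehavior": 1,
    "dom.battery.enabled": False,
}
# Matches one user_pref("name", value); line as written in prefs.js / user.js.
_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_value(raw):
    """Convert the JS literal of a user_pref line to a Python bool, int or str."""
    raw = raw.strip()
    if raw in ("true", "false"):
        return raw == "true"
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return int(raw)

def parse_prefs(text):
    """Return {name: value} for every user_pref line in prefs.js-style text."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs

def audit(prefs):
    """List (name, expected, actual) for table entries that are missing or off-spec.
    A missing entry (actual None) means Firefox still uses its built-in default."""
    return [(n, v, prefs.get(n)) for n, v in HARDENED_PREFS.items() if prefs.get(n) != v]

def to_user_js():
    """Render the table as a user.js fragment for the Firefox profile directory."""
    return "\n".join(
        f'user_pref("{n}", {str(v).lower() if isinstance(v, bool) else v});'
        for n, v in HARDENED_PREFS.items())

# Constructed sample prefs.js: WebRTC left enabled and the cookie setting missing.
SAMPLE_PREFS = """\
user_pref("privacy.resistFingerprinting", true);
user_pref("geo.enabled", false);
user_pref("media.peerconnection.enabled", true);
user_pref("browser.send_pings", false);
user_pref("dom.battery.enabled", false);
"""
```

Run `audit(parse_prefs(open(path).read()))` against the profile's prefs.js to see what still needs changing; `to_user_js()` gives a fragment you can save as user.js in the same profile directory, which Firefox applies on every start.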
Essential extensions
uBlock Origin — tracker and ad blocker. Enable “Advanced mode” for maximum control.
Configuration: go to the dashboard → Filter lists → also enable:
- EasyList
- EasyPrivacy
- uBlock filters — Privacy
LocalCDN — replaces commonly used CDN libraries (jQuery, Bootstrap) locally, so external CDNs can’t track your visits.
ClearURLs — strips tracking parameters from URLs (like ?utm_source=, ?fbclid=).
What you don’t need
Privacy Badger, Disconnect, Ghostery — these are usually redundant if you already use uBlock Origin correctly. More extensions can also increase your fingerprint surface.
For low-friction normal users, uBlock Origin alone is usually enough. Additional extensions also add maintenance and compatibility friction.
Vanadium (GrapheneOS)
Vanadium is GrapheneOS’s default browser. It’s a hardened version of Chromium without telemetry. There’s very little to configure.
Already good by default:
- No Google sync
- No crash reports
- No telemetry
- Per-site sandboxing
What to change: Settings → Site settings → Go through location, camera, microphone, and notifications → block by default where it makes sense
Do not treat disabling Safe Browsing as a blanket recommendation. For many users, the phishing and malware protection is worth keeping.
KeePassDX / KeePassXC
Local password managers — no cloud, no sync unless you set it up yourself.
Basic settings
Strong master password: at least 16 characters, mix of letters, numbers and symbols. This is the only password you need to remember — make it count.
Protect database with key file: in addition to the master password, you can add a key file. Without that file (on a separate USB or location) the database can’t be opened — even if someone knows the master password.
KeePassDX (Android):
- Settings → Security → Block screenshots → On
- Settings → Security → Lock automatically → 30 seconds
KeePassXC (Desktop):
- Tools → Settings → Security → Lock database after inactivity → 5 minutes
- Tools → Settings → Security → Clear clipboard after → 10 seconds (automatically clears copied passwords)
Advanced
Store database on encrypted media: save the .kdbx database in your encrypted home directory (Linux: standard if full-disk encryption is on). Never on an unencrypted USB or cloud service.
Backup strategy: keep a database copy on an encrypted external drive plus an offline location (e.g. at home in a drawer). Sync via Syncthing for multiple devices — but never to Google Drive or Dropbox.
Proton Mail / Thunderbird
Proton Mail (webmail)
Enable two-factor authentication: Settings → Security → Two-factor authentication → Hardware key or TOTP app
Don’t use Proton Pass if you already have KeePass: two password managers are one too many.
Block external images: Settings → Email → Load remote content → Blocked
External images in emails can act as tracking pixels — they tell the sender when you opened the email.
Thunderbird with OpenPGP
See the PGP guide for full setup. Quick summary:
Settings → Account Settings → End-to-End Encryption → Add key
Enable: “Encrypt messages by default” for conversations where both parties support OpenPGP.
VPN client (Mullvad / ProtonVPN)
Mullvad
Enable kill switch: Settings → Kill switch → On
If the VPN connection drops, the kill switch blocks all internet. Without this, your real IP leaks.
DNS leak prevention: Mullvad automatically uses its own DNS. Verify at mullvad.net/check that there’s no leak.
DAITA (Mullvad-specific): Settings → DAITA → On
Defends against traffic analysis by masking the size and timing of data packets. Newer feature, some performance cost.
Lockdown mode: Settings → VPN settings → Block when VPN is disconnected → On
Blocks internet even at startup before the VPN connects.
ProtonVPN
Stealth protocol: if VPN is blocked (hotels, schools, authoritarian networks), Settings → Protocol → Stealth
Disguises VPN traffic as normal HTTPS.
NetShield (DNS blocking): Settings → NetShield → Block malware + ads
Orbot (Tor on Android)
Set active apps: Orbot → App chooser → select which apps run through Tor
Use this for apps where IP anonymity matters: browser, communication apps.
Not for all apps simultaneously: Tor is slow. Use it selectively, not as a general VPN replacement.
Combined with VPN: you can use Orbot together with a VPN: VPN → Tor (Tor sees the VPN IP, not your real IP) or Tor → VPN (VPN provider sees Tor exit node). Both have trade-offs — choose deliberately.
This is not the default recommendation: for most cases, direct Tor use — or Tor Browser with bridges when blocked — is the better first step.
F-Droid
Disable auto-updates / check manually: F-Droid → Settings → Automatically install updates → Off
Review what updates are available before installing. F-Droid updates are slower than the Play Store — that is intentional.
Add IzzyOnDroid repo: more apps, well-maintained. See the F-Droid guide.
Show incompatible apps: F-Droid → Settings → Show incompatible versions → On
Some apps are hidden by default because they require root or are experimental.
Summary by threat level
Normal use (most people)
| App | Critical setting |
|---|---|
| Signal | Hide notification content, screen security on |
| Firefox | Telemetry off, tracking protection Strict, uBlock Origin |
| KeePass | Strong master password, auto-lock 5 min |
| VPN | Kill switch on |
Elevated risk (activist, journalist, small business)
Everything above, plus:
| App | Critical setting |
|---|---|
| Signal/Molly | Registration lock, disappearing messages, hide number |
| Firefox | privacy.resistFingerprinting on, WebRTC off |
| KeePass | Key file, database on encrypted media |
| Mullvad | DAITA on, always-on VPN + block without VPN |
| Orbot | Browser + communication via Tor |
High risk (source protection, device seizure possible)
Everything above, plus:
- Molly with database encryption separate from phone lock
- No cloud backups of anything
- PGP for email (see PGP guide)
- GrapheneOS profiles for separation (see profiles guide)
- Auto-reboot set to 18-24 hours
Next step
Go further
- GrapheneOS hardening guide — extend the same thinking to the OS layer
- F-Droid: recommended apps — open-source apps without Google Play
- PGP: encrypted communication — encrypted email
- VPN: what it does and doesn’t do — VPN limitations explained
Reviews
- Signal and Molly review — recommended messaging app
- KeePassXC review — offline password manager
- Thunderbird review — email client with PGP
- ProtonVPN review — Swiss VPN provider