How to Stop Your Phone from Being Tracked: The 2025 OPSEC Guide

Why This Guide Matters in 2025

Mobile surveillance capabilities have never been more advanced—or more accessible. Whether you're a journalist, activist, business executive, or privacy-conscious individual, this guide provides actionable steps to protect yourself.

Understanding Your Threat Model

Before implementing security measures, assess your risks:

Low-Risk Profile

• General privacy concerns
• Avoiding targeted advertising
• Basic personal security

Medium-Risk Profile

• Professional confidentiality needs
• Living in privacy-hostile regions
• Previous targeting by harassers

High-Risk Profile

• Journalists with sensitive sources
• Activists in restrictive regimes
• Executives handling trade secrets
• Individuals facing state-level threats

Your security measures should match your threat level. Over-securing wastes resources; under-securing creates vulnerabilities.

Layer 1: Device Security

Choose Privacy-Respecting Hardware

Recommended:

• Google Pixel with GrapheneOS
• iPhones (with limitations)
• De-Googled Android devices

Avoid:

• Budget Android phones with bloatware
• Phones from countries with surveillance laws
• Devices with locked bootloaders

Harden Your Operating System

For Android:

• Install GrapheneOS or CalyxOS
• Disable Google Play Services (or sandbox them)
• Use F-Droid for open-source apps
• Enable verified boot

For iOS:

• Keep updated to latest version
• Disable Siri
• Use Lockdown Mode if high-risk
• Minimize App Store dependencies

Secure Your Lock Screen

• Use alphanumeric password (12+ characters)
• Disable biometrics for border crossings
• Enable auto-wipe after failed attempts
• Set short auto-lock timeout

Layer 2: Cellular Security

Use an Encrypted SIM Card

The most impactful single step you can take:

• Masks your IMSI from all towers
• Encrypts voice and SMS automatically
• Prevents carrier tracking
• Blocks IMSI catchers

This is the foundation of mobile privacy.

Minimize Cellular Exposure

• Enable airplane mode when not needed
• Use WiFi calling through VPN when possible
• Consider multiple SIMs for compartmentalization
• Remove SIM when device is stored

Avoid SIM-Based 2FA

• SIM swapping attacks are common
• Use hardware keys (YubiKey) instead
• Use authenticator apps as backup
• Never link sensitive accounts to phone number

Layer 3: Network Security

Use a Trustworthy VPN

Requirements:

• No-log policy (independently audited)
• RAM-only servers
• Jurisdiction outside surveillance alliances
• Open-source clients preferred

Recommended providers: Mullvad, ProtonVPN, IVPN

Secure DNS

• Use encrypted DNS (DoH or DoT)
• Choose privacy-focused resolvers
• Verify DNS isn't leaking

WiFi Hygiene

• Disable auto-connect to known networks
• Use VPN on all public WiFi
• Consider WiFi MAC randomization
• Avoid captive portals requiring ID

Layer 4: Application Security

Secure Communications

Messaging:

• Signal (verify safety numbers)
• Session (no phone number required)
• Element/Matrix (decentralized)

Voice/Video:

• Signal
• Jitsi (self-hosted ideal)
• Wire

Email:

• ProtonMail
• Tutanota
• Self-hosted with GPG

Minimize Attack Surface

• Uninstall unnecessary apps
• Audit permissions regularly
• Prefer web apps over native
• Use containers/profiles for separation

Secure Browsing

• Tor Browser for sensitive activities
• Firefox Focus for quick searches
• Brave with shields enabled
• Never Chrome (unless required)

Layer 5: Behavioral OPSEC

Compartmentalize Identities

• Separate devices for separate purposes
• Don't cross-contaminate identities
• Use different email/usernames per identity
• Maintain consistent backstories

Location Discipline

• Vary routes and routines
• Be aware of cameras and ALPR
• Use Faraday bags when needed
• Meet sensitive contacts in neutral locations

Communication Discipline

• Assume all channels may be monitored
• Use code phrases for sensitivity
• Practice need-to-know sharing
• Verify identities through secondary channels

Digital Discipline

• Regular security audits
• Keep software updated
• Backup encrypted to secure locations
• Practice secure deletion

Layer 6: Physical Security

Device Physical Security

• Never leave devices unattended
• Use tamper-evident measures
• Consider device destruction protocols
• Maintain secure storage

Travel Security

• Use travel-only devices when possible
• Assume border searches
• Know your rights in each jurisdiction
• Have legal contacts prepared

Counter-Surveillance

• Learn to identify followers
• Vary transportation methods
• Use counter-surveillance routes
• Trust your instincts

Building Your Security Stack

Essential (All Users)

1. Encrypted SIM card
2. VPN on all connections
3. Signal for messaging
4. Strong device security

Enhanced (Medium Risk)

Add:

1. GrapheneOS or hardened iOS
2. Hardware security keys
3. Compartmentalized devices
4. Secure email provider

Maximum (High Risk)

Add:

1. Tor for sensitive browsing
2. Air-gapped devices for critical data
3. Physical security protocols
4. Counter-surveillance training

Common Mistakes to Avoid

Technical Mistakes

• Using SMS for anything sensitive
• Trusting "secure" apps without verification
• Inconsistent VPN usage
• Outdated software

Behavioral Mistakes

• Discussing OPSEC openly
• Inconsistent security practices
• Trusting the wrong people
• Underestimating adversaries

Strategic Mistakes

• Security theater over substance
• All-or-nothing approach
• Ignoring convenience/security balance
• Not maintaining practices long-term

Start Your Security Journey

Perfect security is impossible. The goal is to make surveillance difficult, expensive, and uncertain enough to deter all but the most determined adversaries.

Begin with the foundation: an encrypted SIM card that protects your most basic mobile communications.

GhostSims provides the cornerstone of mobile privacy. Combined with the practices in this guide, you can achieve meaningful protection in an increasingly surveilled world.

Your privacy is worth defending. Start today.