Android’s built-in Privacy Dashboard lists which apps used your microphone or camera in the last 24 hours. It does not tell you that a flashlight app phoned a Singapore ad server twice an hour overnight, or that the keyboard you trusted with your passwords ships an event to four analytics SDKs every time you open a message. The good stuff lives outside Settings.
We tested seven apps that audit what your other apps are doing on Android. The list mixes always-on network firewalls with one-shot permission scanners, weighted toward tools that don’t require root. Pick one and you’ll be deleting apps inside a week.
What to look for in a privacy audit app
- No root required. Anything that asks for root is a non-starter for most users. The good apps work through Android’s VPN slot or accessibility services.
- Per-app permission and tracker breakdown. Knowing that “camera was used” matters less than knowing which exact SDKs the app embeds.
- Outbound network logging. Permission lists tell you what an app could do. Network logs tell you what it actually did.
- Open source. A privacy tool you can’t read the code for is a contradiction.
- Low battery overhead. Always-on tools claim a permanent notification and a bit of battery. If the app hides this in fine print, walk away.
- No upsell to a cloud product. Some “privacy scanners” exist to sell you their cloud VPN. The best tools work entirely on-device.
Quick comparison
| App | Best for | Free plan | Open source | Standout feature |
|---|---|---|---|---|
| NetGuard | Per-app network firewall | Yes | Yes | Blocks domains without root |
| Exodus Privacy | Tracker SDK breakdown | Yes | Yes | Reports which trackers each APK embeds |
| GlassWire | Visual data-usage graphs | Yes, premium tier | No | Per-host data and timeline |
| Bouncer | Temporary permission grants | Paid | No | Auto-revokes permission after the task |
| TrackerControl | Block trackers in apps | Yes | Yes | DNS-based per-app blocking |
| PCAPdroid | Packet-level inspection | Yes | Yes | Full PCAP capture without root |
| DuckDuckGo App Tracking Protection | Set-and-forget | Yes | Partly | Blocks 3rd-party trackers across all apps |
The apps
1. NetGuard — Best per-app network firewall
NetGuard is the first thing to install. It runs as a local VPN on your device, blocks any app’s network access on a per-app basis, and lets you allow or deny by Wi-Fi versus mobile. The pro features add hostname-level rules so you can let a weather app reach its own API while blocking the four ad servers it tries to phone home.
Where it falls short: The UI is dense. The bundled “log all DNS lookups” view requires the pro upgrade to be really useful.
Pricing: Free. A one-time pro purchase unlocks per-host rules and logging.
Platforms: Android.
Bottom line: NetGuard is the firewall everyone should run. It pays for itself the first time it shows you an app pinging a server it has no business knowing about.
2. Exodus Privacy — Best tracker SDK report
Exodus Privacy opens every APK on your phone and lists the third-party SDKs baked into it: Google AdMob, Facebook Audience Network, Amplitude, Segment, AppsFlyer, and the rest. It does it locally and against the public εxodus database. A single tap shows which trackers an app uses; you decide whether to keep the app.
Where it falls short: Only inspects the APK, not the runtime. An app could ship an SDK and never call it, or fetch one over the network and dodge detection.
Pricing: Free.
Platforms: Android.
Bottom line: Run Exodus once a quarter. It’s the cleanest way to spot a free app that’s been quietly stuffed with tracker SDKs.
3. GlassWire — Best visual data usage
GlassWire plots every byte your phone sends or receives on a timeline. You can drill into a single app and see which hosts it talked to, which protocols it used, and when. Alerts fire when a new app first uses data or when traffic spikes overnight. The free tier covers most of what a typical user wants.
Where it falls short: Closed source. The premium tier paywall the most interesting alerts.
Pricing: Free. Premium is a few dollars a month.
Platforms: Android, Windows.
Bottom line: GlassWire turns the firehose of Android network activity into a chart you can read at a glance.
4. Bouncer — Best for temporary permission grants
Bouncer changes how permissions work. When an app asks for camera, microphone, or location, you can grant it for “this session only,” and Bouncer revokes it as soon as you leave the app. No more letting the food delivery app keep precise location for weeks because you couldn’t be bothered to revoke it after the order.
Where it falls short: Paid app. The free trial is short. Some custom Android skins resist Bouncer’s revoke-on-exit hook.
Pricing: Paid, a one-off price under a streaming subscription.
Platforms: Android.
Bottom line: Bouncer is the easiest behaviour change you can make. Buy it once, use it for years.
5. TrackerControl — Best DNS-based per-app blocking
TrackerControl sits in the same VPN slot as NetGuard but focuses on tracker domains specifically. It ships the Disconnect Me block list and lets you decide which categories (advertising, analytics, social, fingerprinting) each app is allowed to reach. The per-app log shows tracker calls in real time, which is more satisfying than it should be.
Where it falls short: Only one app can hold the VPN slot at a time. You’ll pick between TrackerControl and NetGuard unless you stack them with a profile manager.
Pricing: Free.
Platforms: Android.
Bottom line: TrackerControl is the right pick if you want category-level blocking without writing your own rules.
6. PCAPdroid — Best for deep inspection
PCAPdroid captures every packet your apps send and writes a PCAP file you can open in Wireshark. It works without root by hijacking the local VPN slot. The companion mitm mode (with a generated certificate) lets you see decrypted HTTPS bodies, which is the only way to confirm what an app is actually sending to its servers.
Where it falls short: Steep learning curve. Reading a PCAP isn’t for beginners. The mitm setup requires installing a CA cert and trusts it.
Pricing: Free. A small pro upgrade unlocks geolocation and decrypted body export.
Platforms: Android.
Bottom line: PCAPdroid is for the moment you stop believing what an app’s settings screen tells you and want to confirm it yourself.
7. DuckDuckGo App Tracking Protection — Best set-and-forget
DuckDuckGo App Tracking Protection is built into the DuckDuckGo Privacy browser. It uses the VPN slot to block known third-party tracker calls from any app on your phone, without you having to configure anything per-app. The weekly summary shows you the top trackers it blocked and the apps that called them.
Where it falls short: Less surgical than NetGuard or TrackerControl. You can’t easily make exceptions for an app you trust.
Pricing: Free.
Platforms: Android, iOS.
Bottom line: DuckDuckGo is the right starter app. Move to NetGuard or TrackerControl when you want more control.
How to pick the right one
- If you’ve never installed a privacy tool: DuckDuckGo App Tracking Protection. Set it once and walk away.
- If you want to actively block specific traffic: NetGuard or TrackerControl.
- If you want to audit before you uninstall: Exodus Privacy.
- If you want a chart of your data usage: GlassWire.
- If you want permissions to expire automatically: Bouncer.
- If you want to read the actual packets: PCAPdroid.
You can stack a few of these. A practical kit is NetGuard for blocking, Exodus Privacy for app review, and Bouncer for permission hygiene.
FAQ
Does Android already show which apps are spying on me?
The Privacy Dashboard in Settings lists camera, microphone, and location access in the last 24 hours. It does not show network calls, tracker SDKs, or background data. That’s what the apps in this list cover.
Do I need root to audit apps on Android?
No. Every app in this list works on stock Android without root. NetGuard, TrackerControl, and PCAPdroid use the local VPN slot. Exodus Privacy and Bouncer rely on Android’s permission and package APIs.
Will a firewall app slow my phone down?
The always-on VPN slot adds a tiny CPU and battery cost. On most phones from the last three years the difference is unnoticeable. NetGuard’s documentation is honest about the trade-offs.
Can I block trackers without breaking my apps?
Sometimes. Many apps still work fine with their analytics SDKs blocked. A few (typically those that auth through ad SDKs or use Firebase for core features) won’t load. The fix is to allow that specific host, not turn off all blocking.
What is the most private way to audit apps on Android?
Stack PCAPdroid for actual traffic, Exodus Privacy for SDK inventory, and NetGuard for blocking. All three are open source and work without root.
