"Turn off location services" is the most repeated privacy advice on the internet. It is one switch in a system with a ton of leaks.
GPS itself is receive only. The radio never transmits. Kill the switch and you lose navigation while your position keeps flowing anyway: ad identifiers, your IP address, WiFi mapping, account history, the cellular network itself.
What a solid defense looks like:
Audit location permissions. Almost nothing deserves Always access. Live navigation and an active rideshare trip qualify, little else does. Everything else gets while in use, coarse, or nothing. Websites ask too, so do the same in your browser.
Navigate offline.
@OrganicMapsApp or
@osmandapp run on downloaded maps and plain GPS. Your travel history stays on the device with cloud backup and track sync off.
One subtle leak remains: the first satellite lock on a stock phone fetches assistance data from vendor servers. GrapheneOS routes that through its own.
[Staying on stock Android or iOS?
Damage control: turn off Web & App Activity in your Google account and Timeline in Google Maps. Google moved Timeline on device after the central store became a geofence warrant magnet, but Web & App Activity still logs to their servers.
On iPhone, clear Significant Locations and prune System Services. Treat every toggle as a request [not a guarantee].
Cut the ad pipeline. Delete your advertising ID on Android, deny every tracking prompt on iOS. SDKs inside ordinary apps harvest location and IP and sell it into the bidstream.]
@GrapheneOS can revoke network access per app, which ends that conversation entirely.
Your IP address places you at city level on its own, and far more precisely once brokers join it with those identifiers.
Tor goes further, and on a phone that means Orbot, routing the whole device through Tor, or individual apps on Android. Slower, and exits get blocked, so it is the high threat mode rather than the daily driver. Neither touches GPS permissions, accounts you stay signed into, or tower records.
Orbot is the free exception because it is Tor [not a VPN business]: volunteers run the relays and nobody monetizes your traffic.
Google and Apple maintain databases mapping practically every router on earth to coordinates, so the networks around you place you to the building with GPS off. Randomize your MAC address at the strongest setting offered, iOS now has a Rotating mode. Disable WiFi and Bluetooth scanning, both sit under Location Services on Android. iOS exposes less, but check System Services under Networking & Wireless. Append _nomap to your SSID to pull your router from Google's database. Google's only.
Stop volunteering it. Snap Map, Life360, Strava heatmaps, WhatsApp live location, Find My sharing. Each one is a standing beacon someone else reads. Cellular watches, trackers, and car infotainment write parallel trails.
Strip metadata before posting photos. EXIF carries coordinates, timestamps, and device model.
Microphones and motion sensors are documented location channels. Ultrasonic beacons earned FTC warning letters, and gyroscope route inference exists in the research. Niche next to adtech, but cheap to close: deny the mic by default, revoke sensors where your OS allows.
GrapheneOS has a per app toggle, iOS only covers Motion & Fitness.
Your phone is findable powered off. Recent iPhones keep beaconing into the Find My mesh after shutdown, and Pixel 8 class hardware does the same for Android's network. Both are opt out.
Cellular is the hard floor. Your carrier logs tower connections around the clock. Disable 2G to cut exposure to downgrade attacks from fake base stations. Apple shipped Limit Precise Location, which degrades what the network sees to neighborhood level, but it needs Apple's own modem and in the US only Boost Mobile supports it.
The real answer is still airplane mode with WiFi only and calls over
@signalapp with always relay on, since peer to peer calls expose your IP to the other end. Few people live there. Every layer above still shrinks what anyone can buy about you.
Reducing exposure works.