Hardening the Pocket: How to Use ‘Lockdown’ Features to Fight State-Sponsered Spyware
Table of Contents
The New Normal of Digital Surveillance
For journalists, human rights defenders, and political dissidents, the threat of state-sponsored surveillance has shifted from a paranoid hypothetical to a daily operational reality. In early 2025, WhatsApp alerted approximately 90 users—largely civil society members across Europe—that they had been targeted by Paragon Solutions, an Israeli spyware firm. Shortly after, Apple issued threat notifications to a separate group of iOS users. Forensic analysis later confirmed that two journalists had been compromised via ‘Graphite’ spyware using a zero-click attack—a sophisticated exploit that requires no interaction from the victim to gain full device access.
These are not anomalies; they are the current state of play. For over a decade, security researchers have documented a relentless arms race where government hackers deploy expensive, stealthy tools to turn smartphones into portable surveillance hubs. Once installed, this spyware grants operators nearly total control: recording calls, exfiltrating encrypted messages, accessing photo galleries, and remotely activating microphones and cameras to monitor ambient conversations in real-time.
A Trade-off for Peace of Mind
In response to the escalation of these high-end threats, the industry’s biggest players—Apple, Google, and Meta—have introduced opt-in ‘hardened’ modes. These features aren’t meant for the average user who is worried about a random phishing link; they are designed specifically to counter targeted attacks from resourceful intelligence agencies.
The core philosophy of these settings is the reduction of the ‘attack surface.’ By disabling complex web features, restricting certain file types, and tightening authentication, these modes remove the vulnerabilities that spyware typically exploits. The trade-off is a slight loss in convenience. Some websites may render incorrectly, and certain integrated features may be disabled.
“These features are free, easy to enable, and the best defense we have today against sophisticated spyware,” says Runa Sandvik, a security researcher specializing in at-risk communities. “If the features get in the way of something you need to do, you can easily turn them off again.”
Apple’s Lockdown Mode
Apple’s Lockdown Mode is perhaps the most aggressive consumer-facing security setting available. It effectively puts the iPhone into a high-security state by blocking most message attachments, disabling complex web technologies like JIT compilation in Safari, and blocking incoming FaceTime calls from unknown numbers.
The efficacy of the mode is backed by data. Citizen Lab previously noted that Lockdown Mode successfully thwarted an attack using NSO Group’s Pegasus software. To date, Apple maintains that it has not detected a successful compromise of a device with the mode active.
How to enable: Navigate to Settings > Privacy & Security > Lockdown Mode. The device will require a restart to apply the restrictions.
Google’s Multi-Layered Defense
Google approaches the problem from two angles: account-level security and OS-level hardening. The Advanced Protection Program, launched in 2017, focuses on the Google Account. It mandates the use of physical security keys (FIDO2) or software passkeys, effectively neutralizing most credential-theft and phishing attempts.
More recently, Google introduced Advanced Protection Mode for Android. This mirrored the logic of Apple’s approach, adding deeper layers of security to the mobile operating system to protect against the same class of zero-click exploits targeting the kernel or system apps.
How to enable: For account protection, visit the official Advanced Protection page. For Android device protection, go to Settings > Security and Privacy > Other Settings > Advanced Protection.
The WhatsApp Frontline
With over 3 billion users, WhatsApp remains a primary target for espionage. The demand for WhatsApp exploits is so lucrative that vulnerabilities often trade for millions of dollars on the grey market. Following the discovery of NSO Group campaigns in 2019 and more recent operations in Europe, Meta introduced Strict Account Settings.
This opt-in feature streamlines privacy and security controls across iOS and Android, tightening who can add users to groups and refining how the app handles potentially malicious data inputs. To activate this, users should navigate to Settings > Privacy and scroll to the security controls section.
While no single setting provides a ‘silver bullet’ against a nation-state with unlimited resources, the shift toward these high-friction security modes represents a critical evolution in how we protect digital privacy in an era of ubiquitous surveillance.
