
Hardening a Smartphone Is Not the Same as Securing One


What government and defense organizations need to understand before relying on consumer device protection modes

There is a version of this conversation happening in security teams across government and defense organizations right now. Someone raises the question of mobile device security for sensitive communications. Someone else points out that Apple now has Lockdown Mode, and Google has Android Advanced Protection Mode, and both are designed specifically to defend against sophisticated spyware. Both are free. Both are already on devices people carry. Case closed?

Not quite.

These modes represent genuine security engineering from two of the most sophisticated technology companies on the planet. For the threat model of a journalist, an activist, or a corporate executive, they are meaningful and — in Apple's case — demonstrably effective. But for government and defense personnel whose communications represent high-value intelligence targets, there is a foundational problem with this approach that no software update will fix.

What These Modes Actually Do

Apple's Lockdown Mode, introduced in 2022, works by disabling or restricting the features of iOS that sophisticated attackers most commonly exploit: it kills JavaScript JIT compilation across all browsers, blocks most message attachments, disables link previews, blocks FaceTime from unknown callers, and prevents USB data transfer when the device is locked. Apple has stated it has no record of a successful mercenary spyware compromise against a device with Lockdown Mode active, and independent researchers at Amnesty International's Security Lab and Citizen Lab have corroborated this.

Android's Advanced Protection Mode, introduced with Android 16 in 2025, takes a different but complementary approach: it locks existing security settings so they cannot be disabled, blocks all app sideloading, disables 2G connectivity to mitigate IMSI catcher attacks, and on supported hardware enables Memory Tagging Extension — a hardware-level feature that detects memory corruption exploits at runtime. Google co-designed the mode's forensic logging feature with Amnesty International's Security Lab, making it the first major platform to build purpose-built intrusion detection logging into a consumer device.

These are not trivial improvements. They should be taken seriously. But they have a ceiling, and that ceiling matters enormously for the audience reading this.

The Problem No Mode Can Solve

Here is an uncomfortable fact that applies to both platforms: enabling Lockdown Mode or Advanced Protection does not encrypt your carrier voice calls. A senior official with Lockdown Mode fully enabled, making a standard phone call, is still transmitting unencrypted voice over public telecommunications infrastructure that can be intercepted at the carrier layer.

The reasonable response is: use Signal. And for many contexts, that is correct. But Signal on a hardened iPhone brings us to the deeper problem — one that no app-layer solution fully resolves when the threat model includes nation-state actors using commercial spyware.

The operating system is the target.

Pegasus, Predator, Graphite, and their successors are not designed to attack your messaging app. They are designed to attack iOS and Android themselves — the operating systems that every app, including Signal, runs on top of. Once an implant achieves kernel-level access, application-layer encryption becomes largely academic. The spyware captures data before it is encrypted or after it is decrypted, at the OS level, where it has full visibility.

This is also why the mode-switching behavior that seems like a reasonable operational compromise is, in high-threat environments, a significant security risk. Lockdown Mode and Advanced Protection are preventive measures. They must be active before an attack occurs. They have no ability to detect or evict an existing infection. If a device was compromised during a window when the mode was disabled — a common occurrence given the friction these modes introduce — and the user then re-enables the mode, the implant is already inside. Mode-switching does not reset that. Commercial spyware is specifically engineered to persist across reboots, updates, and state changes. 
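The exposure-window reasoning above, as an added example that is not part of the original article: given a constructed mode-state timeline (the export format, device IDs and state names are hypothetical), it reports how long each device ran with the mode off and flags any gap for review even when the mode is on again.

```python
from datetime import datetime, timedelta

# Constructed sample: (ISO timestamp, device id, mode state) rows from a
# hypothetical fleet-management export. Not a real MDM schema.
EVENTS = [
    ("2025-03-01T08:00:00", "dev-a", "on"),
    ("2025-03-04T12:00:00", "dev-a", "off"),  # disabled to use a blocked feature
    ("2025-03-04T15:30:00", "dev-a", "on"),   # re-enabled 3.5 hours later
    ("2025-03-01T08:00:00", "dev-b", "on"),
    ("2025-03-02T09:00:00", "dev-c", "off"),
]

def exposure_report(events, now):
    """Per device: time spent with the mode off, and whether it was ever off."""
    by_dev = {}
    for ts, dev, state in sorted(events):  # ISO timestamps sort chronologically
        by_dev.setdefault(dev, []).append((datetime.fromisoformat(ts), state))
    report = {}
    for dev, timeline in by_dev.items():
        windows, off_since = [], None
        for when, state in timeline:
            if state == "off" and off_since is None:
                off_since = when
            elif state == "on" and off_since is not None:
                windows.append((off_since, when))
                off_since = None
        if off_since is not None:  # still off at report time
            windows.append((off_since, now))
        report[dev] = {
            "mode_on_now": timeline[-1][1] == "on",
            "exposed": sum((b - a for a, b in windows), timedelta()),
            # Re-enabling does not clear this flag: the mode is preventive,
            # so any gap calls for forensic review before the device is trusted.
            "needs_review": bool(windows),
        }
    return report
```

With the sample data, `dev-a` reports the mode as on and still needs review, which is the case the paragraph describes.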

For personnel operating under persistent advanced threat, the logical conclusion is that the mode must never be disabled. Which means accepting all the usability restrictions permanently. Which means the "one phone" solution has become operationally equivalent to carrying a purpose-built device, except with a general-purpose OS underneath, one that seven iOS zero-days in 2025 alone show remains an active and productive target for exploit developers.

A Different Architecture

The Sotera SecurePhone approaches this problem from a different starting point. Rather than asking how to harden a general-purpose smartphone against sophisticated attacks, the design question was: what does a device look like if security is the architectural constraint everything else follows from?

The answer looks different from a consumer device in ways that matter.

The operating system is Green Hills Software Integrity 178B — a real-time operating system with an EAL 6+ certification, the highest of any commercially available OS, with over twenty years of deployment in military avionics, U.S. nuclear command systems, and NASA infrastructure, and no known vulnerabilities as of this writing. This is not a general-purpose OS that has been hardened. It was never designed to be a general-purpose OS. Commercial spyware operators — NSO Group, Intellexa, Paragon — invest their engineering resources in iOS and Android exploits because that is where the installed base is. Integrity 178B is not a target of existing commercial spyware exploit toolkits. 

The network architecture eliminates the attack surface that zero-click exploits depend on. The device exposes no open listening ports and no inbound-connectable services. Every network connection is initiated outbound by the device. Inbound calls and messages are delivered by notifying the device through its existing outbound connection to Sotera's servers; the device then pulls them through that channel. There is no exposed surface for a zero-click exploit to reach. This was confirmed by Netragard during independent penetration testing.
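The notify-then-pull delivery described above, sketched as an added example (not Sotera's code or protocol): the frame names NOTIFY, PULL, MSG and BYE, the loopback relay and the sample messages are all assumptions made for illustration.

```python
import socket
import threading

def relay(listener, mailbox):
    """Constructed stand-in for the server side: the only party that listens."""
    conn, _ = listener.accept()
    with conn, conn.makefile("r", newline="\n") as lines:
        # The notification rides the connection the device opened and carries
        # only a count; content moves when the device asks for it.
        conn.sendall(f"NOTIFY {len(mailbox)}\n".encode())
        for line in lines:
            cmd, _, arg = line.strip().partition(" ")
            if cmd == "PULL" and arg.isdecimal() and int(arg) < len(mailbox):
                conn.sendall(f"MSG {mailbox[int(arg)]}\n".encode())
            elif cmd == "BYE":
                break
            else:
                conn.sendall(b"ERR\n")

def device(relay_addr):
    """Device side: connect() only; it never calls bind(), listen() or accept()."""
    received = []
    with socket.create_connection(relay_addr, timeout=5) as s, \
            s.makefile("r", newline="\n") as lines:
        kind, _, count = lines.readline().strip().partition(" ")
        if kind != "NOTIFY" or not count.isdecimal():
            raise ValueError("unexpected frame from relay")
        for i in range(int(count)):
            s.sendall(f"PULL {i}\n".encode())  # the device decides when to fetch
            kind, _, body = lines.readline().strip().partition(" ")
            if kind != "MSG":
                raise ValueError("relay refused pull")
            received.append(body)
        s.sendall(b"BYE\n")
    return received

def run_demo():
    listener = socket.create_server(("127.0.0.1", 0))  # loopback, ephemeral port
    mailbox = ["call invite from alice", "text from bob"]  # constructed messages
    t = threading.Thread(target=relay, args=(listener, mailbox), daemon=True)
    t.start()
    got = device(listener.getsockname())
    t.join(timeout=5)
    listener.close()
    return got
```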

The Right Question

The debate between a hardened consumer smartphone and a purpose-built government secure phone is sometimes framed as a convenience trade-off. It is not. It is a question about what you are actually trying to protect, and what level of assurance you require.

For organizations where sensitive communications represent intelligence targets, where the adversary has nation-state resources, commercial spyware infrastructure, and a demonstrated history of successfully compromising fully updated iPhones and Android devices, the question is not which phone is more convenient. The question is whether the architecture underneath your security controls was designed to resist the threat you face.

Hardening is not architecture. Reducing attack surface is not eliminating it. And a mode you can switch off is not a security guarantee.


To understand the full technical architecture of the Sotera SecurePhone, including encryption specifications, OS certification details, supply chain provenance controls, and independent validation findings, you can request our technical whitepaper.
