These special phone and app features can help protect you from spyware

Spyware attacks on journalists, human rights defenders and political dissidents are now common. In early 2025, WhatsApp notified approximately 90 users – many of them journalists and civil society members from across Europe – that they had been targeted by Israeli spyware company Paragon Solutions. Months later, Apple sent threat notifications to a new group of iOS users; forensic analysis confirmed that two of them, both journalists, were affected by Paragon’s Graphite spyware using a zero-click attack, meaning they did not even need to tap a link to be compromised. These are not isolated incidents. They are ideal.

Over the past 15 years, security researchers have documented countless cases where government hackers have targeted and successfully compromised journalists, human rights defenders, critics, and political opponents.

These attacks rely on expensive, sophisticated, and covert tools that allow their operators to hack and install spyware on computers, but especially smartphones, which hold almost all the data about a person’s daily life.

Spyware gives its operators virtually complete access to the target’s device and data. Government spies can record phone calls, steal chat messages, access photos, and switch on a device’s camera and microphone to record ambient sound and nearby conversations. Spyware typically also tracks a person’s real-time location.

In response to these attacks, the tech giant now offers better security to its users. In particular, Apple, Google and Meta offer opt-in features specifically designed to counter targeted spyware attacks.

Generally, these features add additional security, sometimes by turning off or limiting some regular features. It’s a compromise, but after using these for a long time, I never found them too difficult or annoying to use.

Tech companies, security researchers who have studied spyware for years, and we at TechCrunch recommend using these features if you suspect you may be the target of government surveillance because of who you are or what you do. Even if you’re not, these security features will better protect your data from being misused.

No security measure is perfect, and ongoing efforts are made to address security vulnerabilities. Spyware makers find new ways to hack phones and services, then software makers learn from those attacks and respond. Rinse and repeat.

But that doesn’t mean these features aren’t worth using. On the contrary, these features have proved effective.

“These features are free, easy to enable, and are the best defence we have today against sophisticated spyware,” said security researcher Runa Sandvik, who has worked to protect journalists and other at-risk communities for more than a decade. “If features get in the way of something you’re doing, you can easily turn them off again – meaning it costs a lot less to turn them on and try them out.”

Here’s a summary of these features and how to turn them on.

Apple’s lockdown mode

Apple’s Lockdown Mode is available on all Apple devices, including iPhones. Apple says that when Lockdown Mode is enabled, “your device will not operate as it normally does”. In exchange for this inconvenience, your device will be more secure.

There is evidence that lockdown modes have helped in the past. Citizen Lab found that lockdown mode stopped a spyware attack carried out with NSO Group’s Pegasus software. As recently as March, Apple said it had never detected a successful attack on an Apple device with Lockdown Mode enabled.

What is this lockdown mode? Changes on your device when you turn it on:

• Attachments received on iMessage are blocked by default except for some images, videos, and audios.
• Links and previews in iMessage are blocked and appear as non-linked web addresses. (You can copy and paste the link into Safari or any other browser if you prefer.)
• Fonts, some images, and some web technologies are blocked when browsing in Safari.
• Incoming FaceTime calls are blocked if you haven’t contacted that person before or in the last 30 days.
• Screen sharing, sharing content on SharePlay, and Live Photos are not available.
• Incoming invitations to Apple services will be blocked unless you’ve invited the person first.
• The focus feature, along with any related conditions, will not work as expected.
• Game Center is disabled.
• Location information is stripped away when you share photos.
• “Shared album photos are removed from the Photos app, and new shared album invitations are blocked.”
• You must unlock your device to connect it to an accessory or computer. When connecting a Mac with an Apple-made processor to an accessory, the computer needs to be unlocked and you must approve the connection with your passcode.
• You can’t automatically connect to open or public Wi-Fi networks, and you’ll be disconnected from any non-secure Wi-Fi networks you previously connected to before enabling Lockdown Mode.
• Your phone will not be able to connect to 2G or 3G cellular networks.
• You cannot install a configuration profile or enrol the device in the Mobile Device Management program.

To switch to lockdown mode, go to Settings, then Privacy & Security and scroll down to Lockdown mode. Once you enable the feature, your Apple device will restart.

I’ve used lockdown mode for years. Although I noticed that some of the websites were a little glitchy in the beginning, I haven’t paid attention to that for a while. Additionally, you can turn off lockdown mode selectively for specific websites and apps without disabling the feature completely. There are some quirks, but I’ve also got used to them.

Google’s Advanced Security Program

Google launched its Advanced Security Program in 2017. This feature helps make your Google account more resilient against all types of malicious hackers.

The Advanced Security programme includes the following features:

• Restricts some third-party services and apps from accessing your Google Account, but only with your permission.
• Enables “Deep Gmail Scan,” which scans your incoming emails for phishing attacks and malicious content.
• Google enables Safe Browsing in Chrome, which warns users who navigate to dangerous sites or download dangerous files.
• On Android, you can only install apps and games from legitimate app stores.
• If someone tries to log into your account, Google takes extra steps to verify that it’s really you.

To turn on advanced security, go to its official page and click “Get Started”. This will prompt you to log in to your Google account. Follow the instructions given there.

First, you’ll need to add a physical security key (or a software passkey) as an additional verification factor in addition to your password. You’ll also need to add a recovery phone number and a recovery email address to your account or use a backup passkey or security key.

Android Advanced Security Mode

started last year And possibly inspired by Apple’s lockdown mode, Android Advanced Security Mode brings similar security to Google’s mobile operating systems.

Android’s Advanced Security Mode provides the following security features:

• Enables Google Play Protect, which protects against malware and unwanted apps and checks all apps for “harmful behaviour”.
• Apps cannot be installed from unknown sources, and updates to apps already installed from unknown sources will be prevented from running.
• Enables Memory Tagging Extension (MTE) on supported devices. MTE is a hardware-enforced feature that protects against certain types of vulnerabilities.
• The device automatically locks if it detects suspicious activity “indicating theft”, such as sudden and rapid movement. It is based on data from the device’s motion sensor, Wi-Fi and Bluetooth.
• The device automatically locks when offline for a long period of time.
• The device automatically reboots if the phone has been locked for 72 hours, making it harder to extract data using law enforcement tools designed to unlock phones, such as the one made by Cellebrite.
• When the device is locked, USB connections are blocked.
• Google scans for “unwanted and potentially harmful messages”.
• Links sent through the Messages app by unknown users will be flagged.
• Connection to the 2G network is blocked.
• Google will identify spam callers.
• You will be able to screen incoming calls and reject spam calls automatically. (Available only in some areas.)
• Android enables safe browsing, which protects against malicious websites.
• Chrome will automatically enforce HTTPS encryption for all sites.
• Some JavaScript functions have been disabled, reducing the browser’s attack surface for potential vulnerabilities.
• You can also enable intrusion logging, which is an optional feature that helps researchers investigate spyware attacks.

To enable Advanced Security mode on your Android device, go to Settings, then Security & Privacy, and under Other Settings, tap Advanced Security, then tap Device Security.

WhatsApp’s strict account settings

More than 3 billion people, including those in resourceful government agencies, use WhatsApp.

The demand for hacking tools targeting WhatsApp is so high that these exploits can cost millions of dollars – and they work. In 2019, WhatsApp caught a hacking campaign by NSO Group, which targeted around 1,200 users. Early last year, a spying operation caught WhatsApp in its net, ensnaring around 90 users in Europe.

In response, WhatsApp launched strict account settings earlier this year, including an opt-in feature that activates certain privacy and security controls depending on the operating system.

On Android and iOS, the Strict Account setting turns on the following features:

• Two-Step Verification.
• safety notices which alert users when a contact has changed their phone or reinstalled WhatsApp, or if an attacker takes control of their account.
• Blocks attachments and media (images and videos) from unknown senders by default.
• Link previews are closed.
• Calls from unknown numbers are silenced.
• Your IP address is hidden in the call.
• Your profile information and activity, such as when you were last seen online, your profile photo and information about yourself, are hidden from people who are not your contacts or members of a pre-established group.
• Only contacts or members of a pre-established group can add you to a group chat.

To turn on the feature, use your primary device, go to Settings, then Privacy, scroll down to Advanced, and turn it on.