If you’re a journalist, human rights defender, or anyone who speaks up against power, your phone is a target. And it’s probably worse than you think.
In early 2025, WhatsApp alerted roughly 90 users, many of them journalists and civil society members across Europe, that they’d been hit with Paragon Solutions’ spyware. Months later, Apple sent threat notifications to iOS users who’d been compromised by the same company’s Graphite tool using zero-click attacks, meaning they didn’t need to click anything. They were hacked anyway.
These aren’t anomalies. Over the last 15 years, security researchers have documented countless cases where government hackers successfully compromised journalists, critics, and political opponents. The tools are expensive, sophisticated, and terrifyingly effective. Spyware gives attackers virtually full access to your device, your location, your photos, your messages, and even your camera and microphone. It’s total surveillance.
But there’s something you can actually do about it.
The Defense That Works
Tech giants including Apple, Google, and Meta now offer opt-in security features specifically built to counter targeted spyware attacks. They’re free. They’re relatively easy to turn on. And unlike most cybersecurity advice, these actually work.
The catch? They come with tradeoffs. Some features limit how your device normally functions. Websites might break occasionally. App compatibility can be finicky. But according to Runa Sandvik, a security researcher who’s spent over a decade protecting journalists and at-risk communities, the benefit outweighs the pain. “These features are free, easy to enable, and the best defense we have today against sophisticated spyware,” Sandvik told TechCrunch. “If the features get in the way of something you need to do, you can easily turn them off again, meaning it costs very little to turn them on and try them out.”
No security measure is perfect. Spyware makers find new exploits, software makers patch them, and the cycle repeats. But that’s exactly why these defenses matter. They’re not a perfect fortress. They’re a moving target that actually slows down attackers.
Apple’s Lockdown Mode
If you’re on iOS, Apple’s Lockdown Mode is your first line of defense.
When enabled, your device behaves differently. Some websites get finicky. Certain features get restricted. The tradeoff is real, but the protection is measurable. Citizen Lab found that Lockdown Mode stopped a spyware attack using NSO Group’s notorious Pegasus software. As recently as March, Apple said it has never detected a successful attack on a device with Lockdown Mode enabled.
To turn it on, go to Settings, then Privacy & Security, scroll down to Lockdown Mode, and enable it. Your device will restart.
Here’s what changes when you flip the switch: attachments in Mail, Messages, and third-party apps get restricted. Device connections to USB and wired networks get disabled. Incoming FaceTime calls from unknown contacts are blocked. Web browsing gets limited to a more secure, but sometimes slower, experience. Some productivity features get dialed back.
If you’ve used it for any length of time, you learn to work around the quirks. You can even selectively turn it off for specific apps and websites without disabling the entire feature. It’s not perfect, but I’ve used it for years and stopped noticing the friction.
Google’s Layered Approach
Google offers two distinct protections depending on your device. The Advanced Protection Program, launched in 2017, secures your Google account itself. You’ll need to add a physical security key or software passkey as a second factor, plus a recovery phone and email. It’s more friction than standard two-factor authentication, but it makes your account substantially harder to breach.
To enable it, head to the Advanced Protection Program’s official page, click “Get Started,” and follow the setup instructions.
For Android users, Google launched Advanced Protection Mode last year, likely inspired by Apple’s Lockdown Mode. It brings similar protections to the mobile OS itself, strengthening your device against spyware and malicious apps. Go to Settings, then Security and Privacy, then under Other Settings tap Advanced Protection, and select Device Protection.
Neither is mandatory. Both are worth trying if you’re in any line of work that might attract government surveillance.
WhatsApp’s Newest Shield
WhatsApp, used by over 3 billion people, has become such a high-value target that exploits for hacking it cost millions of dollars on the black market. In 2019, WhatsApp caught an NSO Group campaign targeting around 1,200 users. Early last year, another spy operation ensnared roughly 90 users in Europe.
This year, WhatsApp launched Strict Account Settings, an opt-in feature that tightens privacy and security controls on both Android and iOS. On both platforms, it disables link previews in chats, limits who can see when you’re online, restricts who can see your profile photo and “last seen” timestamp, and prevents others from adding you to groups without your approval.
To enable it, open WhatsApp, go to Settings, then Privacy, scroll to Advanced, and turn it on.
The Real Question
So should you use these features? The honest answer depends on your risk profile. If you’re a journalist covering corruption, a human rights defender documenting abuses, a political dissident, or anyone else who’s made enemies of powerful institutions, yes. Absolutely. The cost is minimal compared to the threat.
But here’s the uncomfortable truth: the fact that we need these specialized security modes at all reveals something about the current state of technology. We’ve built devices and platforms so complex and so valuable that governments have decided they’re worth hacking. We’re essentially telling ordinary people to adopt fortress-mode operations just to have a reasonable chance of privacy. That’s not normal. It’s not okay. And it’s becoming the baseline expectation for anyone who operates in contested political or social spaces.
The features work. Use them. But remember that you’re adapting to a broken system, not solving the underlying problem.
