When we took apart a similar case on the defensive side for a media organization, the picture was painfully familiar: the corporate SIEM did not see mobile traffic, the MDM checked only the OS version, and the journalist used a work iPhone without Lockdown Mode. Three anomalous DNS requests to domains that appear in no public feed, and it became clear the device had been compromised. Finding it took four hours of manual digging in mitmproxy and Wireshark, although the correlation rule in the SIEM would fit in ten lines.
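An added illustration of that ten-line correlation rule (example code, not from the original article or any SIEM product): it scans constructed DNS resolver log lines from a mobile VLAN, skips domains on an allowlist that stands in for the public feeds, and alerts when one client queries at least three distinct unknown domains inside a 15-minute window. The log format, client IPs and domain names are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample resolver log from the mobile VLAN: "<utc-ts> <client-ip> <qtype> <qname>".
SAMPLE_DNS_LOG = """\
2025-03-04T09:12:01Z 10.20.5.31 A www.apple.com
2025-03-04T09:12:03Z 10.20.5.31 A gateway.icloud.com
2025-03-04T09:13:10Z 10.20.5.31 A upd-cdn-7731.example-cdn.net
2025-03-04T09:13:12Z 10.20.5.31 A upd-cdn-7731.example-cdn.net
2025-03-04T09:20:45Z 10.20.5.31 AAAA sync-status.example-telemetry.org
2025-03-04T09:21:02Z 10.20.5.31 A a1b2c3.example-relay.io
2025-03-04T09:25:00Z 10.20.5.44 A mail.corp.example
2025-03-04T09:25:02Z 10.20.5.44 A unknown-one.example.net
"""

# Constructed allowlist standing in for the public feeds plus the corporate baseline.
KNOWN_GOOD = {"www.apple.com", "gateway.icloud.com", "mail.corp.example"}
LINE_RE = re.compile(r"^(\S+) (\S+) (A|AAAA) (\S+)$")

def parse_line(line):
    """Return (timestamp, client_ip, qname) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(4).lower().rstrip(".")

def registrable_domain(fqdn):
    """Naive last-two-labels cut; use a public-suffix-list library in production."""
    return ".".join(fqdn.split(".")[-2:])

def correlate(log_text, known_good, threshold=3, window=timedelta(minutes=15)):
    """Return {client_ip: sorted unknown domains} for every client that queried
    at least `threshold` distinct unknown domains inside a sliding `window`."""
    per_client = defaultdict(list)  # ip -> [(ts, qname)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, qname = rec
        if qname in known_good or registrable_domain(qname) in known_good:
            continue  # matches a feed entry: not anomalous
        per_client[ip].append((ts, qname))
    alerts = {}
    for ip, events in per_client.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            in_window = {q for t, q in events[i:] if t - t0 <= window}
            if len(in_window) >= threshold:
                alerts[ip] = sorted(in_window)
                break
    return alerts
```

Repeated queries to the same unknown domain count once, so a single misconfigured app polling one host does not trip the rule; three different unknown hosts from one phone does.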
Threat model: from stalkerware to commercial spyware
Before getting into mobile hardening, you need to pin down the threat model. The market for mobile surveillance tools is not a conspiracy theory but a documented industry with price lists.
NSO Group with Pegasus is the loudest, but not the only player. According to Citizen Lab and Amnesty Tech, Intellexa is behind the Predator platform and a series of mobile zero-day exploits. The Citizen Lab report Sweet QuaDreams (2023) describes how QuaDream used invisible iCloud calendar invitations to deliver spyware to iPhones. Zerodium openly offered seven-figure USD sums for a zero-click iPhone chain; the whole market economy fits in the palm of your hand.
Physical access is a separate story. Working with Cellebrite UFED on the defensive side, I see what it extracts: a full keychain dump, geolocation history, deleted messages, application data. For the threat model of an activist, journalist or lawyer, seizure of the device at the border or during detention is a direct scenario. GrapheneOS and iOS with Lockdown Mode confront this differently, and the difference is fundamental.
GrapheneOS - security at the operating system level
GrapheneOS is a hardened version of Android based on AOSP. The difference from stock Android is not that known bugs get fixed faster here; every vendor does that. GrapheneOS works to survive a collision with vulnerabilities that have not been found yet. That is a quote from the project's official documentation, and it accurately reflects the engineering philosophy: exploit mitigation instead of dependence on the patch cycle.
Kernel, memory hardening and attack surface reduction
According to the features page of the official GrapheneOS site, this is what actually protects against zero-click exploits and Pegasus-like tools:
Hardened kernel and memory allocator. hardened_malloc targets heap memory corruption, a class of vulnerabilities that still dominates serious mobile exploits. The hardened libc adds protection against memory corruption at the standard-library level.
Attack surface reduction. NFC, Bluetooth and UWB are off by default. USB peripherals while the screen is locked are controlled granularly: charging-only or a complete shutdown of the port. iOS USB Restricted Mode does roughly the same, but with fewer options. Against Cellebrite-like tools this is critical: if the device is locked and has been restarted, the USB port is silent at the physical level.
Exploit mitigations: verified boot with rollback protection (the device cannot be rolled back to older versions), ASLR, stack canaries to detect buffer overflows, and zero-on-free in hardened_malloc, which wipes freed heap allocations and kills use-after-free bugs and leaks through uninitialized memory. Pixel devices run the hardware Memory Tagging Extension (MTE), which catches entire classes of memory corruption bugs in hardware. It is not marketing; it is a real mechanism in silicon.
After a reboot the device is in the Before First Unlock (BFU) state: the data is encrypted and unavailable for physical extraction. Duress PIN/password: entering a special code destroys the encryption keys of all profiles inside the Titan M2 (Pixel 6+) / Titan M (Pixel 3–5). The data becomes undecipherable without a factory reset.
Sandboxed Google Play and permission control
Google Play Services here runs as a regular sandboxed application, not as a privileged system component. Architecturally this means:
• The Network permission toggle blocks direct and indirect network access per application
• The Sensors permission toggle controls access to the camera, microphone and sensors
• Storage Scopes create the illusion of full storage access while the application sees only the permitted data
• Contact Scopes show an empty contact list by default
For mobile privacy the result is this: even installed Google applications do not reach into other applications' data without the user's explicit permission.
GrapheneOS limitations you need to know before installing:
• It runs exclusively on Google Pixel. The reason is the requirements: verified boot with custom AVB keys, Titan M2, hardware MTE (Tensor G3+ / Pixel 8+; earlier Pixels run without MTE) and long-term security updates. On devices without a relockable bootloader the hardening model collapses
• Banking applications that depend on SafetyNet and Play Integrity may refuse to work. This is painful, and so far there is no workaround
• Requires deliberate configuration; it is not suitable for mass corporate deployment without preparation
Lockdown Mode on iPhone - what Apple closes and where the holes are
Lockdown Mode is essentially Apple's open admission that high-risk users need a different mobile security profile. According to Alcazar Security, once it is turned on the iPhone stops behaving like a regular iPhone:
• Blocks many attachment types in Messages
• Removes link previews
• Limits complex web features (including JIT compilation in WebKit)
• Blocks incoming invitations to services from unknown contacts
• Disables 2G and 3G
• Blocks the installation of configuration profiles
Apple also built BlastDoor, a mechanism for isolating and validating untrusted content in Messages before it reaches sensitive parts of the system. This raises the cost of developing reliable spyware for the iPhone. But it does not make the device invulnerable.
Where Lockdown Mode does not help:
In February 2025, Apple withdrew the ability to enable Advanced Data Protection (ADP) for new iCloud users in the UK under government pressure under the Investigatory Powers Act. Existing users were asked to disable ADP voluntarily. Result: iCloud backups, photos, notes and files of the affected users reverted to standard encryption, in which Apple holds the keys. iMessage and FaceTime remained E2EE, but cloud data became available on government requests. For a SOC the practical lesson is that the security of cloud backups is not only a technical question but also a legal one.
Another problem: Lockdown Mode is a single switch. You cannot disable 2G and still keep link previews. If the mode is too rigid for everyday tasks, the user turns it off entirely, and the protection is gone.
GrapheneOS vs iOS Lockdown Mode: trade-off for corporate SOC

According to Alcazar Security, the optimal configuration for high-risk users is two devices: GrapheneOS on a Pixel for sensitive tasks and a separate iPhone for everyday use. For the corporate SOC this is one more endpoint to monitor, but sensitive operations are isolated.
Practical Checklist of Mobile Hardening
The checklist can be handed to the sysadmin or included in the corporate BYOD policy. Framework references: NIST CSF v2.0 (ID.AM-01, PR.AA-01), OWASP MASVS (MASVS-STORAGE, MASVS-AUTH).
Environment prerequisites: ADB (Android Debug Bridge) for Android checks, Apple Configurator 2 or an MDM profile for iOS, SIEM access for setting up correlation.
Basic level - all corporate devices
1. Full-device encryption: enabled by default on Android 10+ and on iOS once a passcode is set; verify through MDM
2. Password: at least 6 alphanumeric characters (not a 4-digit PIN). GrapheneOS supports up to 128 characters
3. Auto-lock: 30 seconds of inactivity or less
4. No installation from third-party sources. Check on Android 8+: adb shell dumpsys package | grep -A1 'REQUEST_INSTALL_PACKAGES' (finds packages holding the install permission; alternatively Settings → Apps → Special access → Install unknown apps)
5. USB debugging disabled: check via MDM compliance policy or the UI (Settings → Developer options). When auditing a device over ADB: adb shell settings get global adb_enabled; expected value 0
6. Automatic updates of OS and applications enabled
7. Biometrics + password (complies with OWASP MASVS-AUTH), not biometrics alone
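An added example for checklist items 4 and 5 (not code from the original article): it parses the output of the two ADB checks above and reports non-compliance. To run offline it reads constructed, abbreviated dumpsys and settings output through fake_runner; for a connected device, pass a function that runs `adb shell <cmd>` via subprocess and returns stdout instead. Package names are constructed.

```python
import re

# Constructed, abbreviated excerpts of `adb shell dumpsys package` and
# `adb shell settings get global adb_enabled` output for a demo device.
FAKE_OUTPUT = {
    "dumpsys package": """\
Packages:
  Package [com.example.filemanager] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.REQUEST_INSTALL_PACKAGES
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.REQUEST_INSTALL_PACKAGES: granted=true
  Package [com.example.notes] (4d5e6f):
    requested permissions:
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
""",
    "settings get global adb_enabled": "1\n",
}

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES: granted=true"

def fake_runner(cmd):
    """Offline stand-in for `adb shell <cmd>`; returns the constructed output."""
    return FAKE_OUTPUT[cmd]

def packages_with_install_permission(dumpsys_text):
    """Checklist item 4: packages granted REQUEST_INSTALL_PACKAGES."""
    current, found = None, []
    for line in dumpsys_text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
        elif INSTALL_PERM in line and current:
            found.append(current)
    return found

def audit(run, allowed_installers=frozenset()):
    """Items 4 and 5: returns a list of findings, empty when compliant."""
    findings = [f"item4: {pkg} may install unknown apps"
                for pkg in packages_with_install_permission(run("dumpsys package"))
                if pkg not in allowed_installers]
    adb_enabled = run("settings get global adb_enabled").strip()
    # "null" means the setting was never written, i.e. USB debugging never enabled.
    if adb_enabled not in ("0", "null"):
        findings.append(f"item5: adb_enabled={adb_enabled}, expected 0")
    return findings
```

Pass the corporate MDM agent or approved app store in allowed_installers so that the one legitimate installer does not show up as a finding on every device.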
Increased level - high-risk users
1. GrapheneOS: automatic reboot on a 12-hour timer
2. GrapheneOS: Sensors permission disabled by default for all applications
3. GrapheneOS: separate profiles - Owner (installation), Daily (work), Banking (separate password)
4. iOS: Lockdown Mode activated
5. Bluetooth, Wi-Fi, NFC: disable when not in use; on GrapheneOS, automatic turn-off on a 2-minute timer
6. VPN in every profile (exception: banking, where a VPN triggers fraud detection)
7. Cloud backups turned off or replaced with local encrypted backups
Corporate level - MDM + SIEM
1. MDM with verification of OS version, jailbreak/root status and application inventory (NIST CSF ID.AM-01)
2. MDM policy prohibiting unauthorized application sources
3. Integration of MDM alerts into the corporate SIEM (NIST CSF DE.A.-01)
4. Documentation of protective measures for devices processing personal data (FZ-152, Art. 7 - confidentiality of personal data). A leak through a compromised mobile device is a direct path to operator liability