Spyware attacks on journalists, human rights defenders, and political dissidents are no longer rare or exotic. In early 2025, WhatsApp notified roughly 90 users — many of them journalists and civil society members across Europe — that they had been targeted by Israeli spyware company Paragon Solutions. Months later, Apple sent threat notifications to a new group of iOS users; forensic analysis confirmed two of them, both journalists, had been hit with Paragon’s Graphite spyware using a zero-click attack, meaning they didn’t even have to tap a link to be compromised. These aren’t isolated incidents. They’re the norm.

For the last 15 years, security researchers have documented countless cases where government hackers have targeted and successfully compromised journalists, human rights defenders, critics, and political opponents. 

These attacks rely on expensive, sophisticated, and stealthy tools that allow their operators to hack into and install spyware on computers, but especially smartphones, which hold virtually all of the data about a person’s daily life. 

Spyware gives its operators virtually full access to the target’s device and data. Government spies can record phone calls, steal chat messages, access photos, and switch on the device’s camera and microphone to record ambient sound and record nearby conversations. Spyware also typically tracks a person’s real-time location.

In response to these attacks, tech giants now provide their users with better defenses. In particular, Apple, Google, and Meta offer opt-in features specifically designed to counter targeted spyware attacks. 

Generally speaking, these features add extra protection, sometimes by turning off or limiting some regular features. It’s a tradeoff, but having used these myself for a long time, I have never found them to be too onerous or annoying to use. 

Tech companies, security researchers who have studied spyware for years, and we at TechCrunch, recommend that you use these features if you suspect you may be a target of government surveillance because of who you are or what you do. Even if you’re not, these security features will keep your data better protected from entering the wrong hands. 

No security measure is perfect, and it’s a constant effort to keep security flaws at bay. Spyware makers find new ways to hack into phones and services, then software makers learn from those attacks and respond. Rinse and repeat. 

But that doesn’t mean these features are not worth using. On the contrary; these features have been proven effective. 

“These features are free, easy to enable, and the best defense we have today against sophisticated spyware,” said Runa Sandvik, a security researcher who has worked to protect journalists and other at-risk communities for more than a decade. “If the features get in the way of something you need to do, you can easily turn them off again — meaning it costs very little to turn them on and try them out.”

Here’s a recap of these features, and how to switch them on. 

Apple’s Lockdown Mode

Apple’s Lockdown Mode is available on all Apple devices, including iPhones. Apple says that when Lockdown Mode is enabled, “your device won’t function like it typically does.” In exchange for this inconvenience, your device will be more secure. 

There is evidence that Lockdown Mode has helped in the past. Citizen Lab found that Lockdown Mode stopped one spyware attack carried out with NSO Group’s Pegasus software. As recently as March, Apple said it has never detected a successful attack on an Apple device with Lockdown Mode enabled.

This is what Lockdown Mode changes on your device when you turn it on:

• Attachments received on iMessage other than some images, video, and audio are blocked by default.
• Links and previews in iMessage are blocked and appear as non-linked web addresses. (You can copy and paste the links into Safari or another browser if you want.)
• Fonts, some images, and some web technologies are blocked when browsing in Safari.
• Incoming FaceTime calls are blocked if you haven’t contacted that person before or in the last 30 days. 
• Screen sharing, content sharing over SharePlay, and Live Photos are unavailable.
• Incoming invitations for Apple services are blocked unless you have previously invited that person.
• The Focus feature “and any related status will not work as expected.”
• Game Center is disabled.
• Location information is stripped when you share photos. 
• “Shared albums are removed from the Photos app, and new Shared Album invitations are blocked.”
• You need to unlock your device to connect it to an accessory or a computer. When connecting a Mac with Apple-made processors to an accessory, the computer needs to be unlocked and you have to approve the connection with your passcode.
• You can’t connect automatically to open or public Wi-Fi networks, and you will be disconnected from any non-secure Wi-Fi networks that you previously connected to before enabling Lockdown Mode. 
• Your phone won’t be able to connect to 2G or 3G cellular networks.
• You can’t install configuration profiles or enroll the device in a Mobile Device Management program.

To switch on Lockdown Mode, go to Settings, then Privacy & Security, and scroll down to Lockdown Mode. Once you enable the feature, your Apple device will restart. 

I have used Lockdown Mode for years. While I noticed some websites being a bit wonky at the beginning, I haven’t noticed that in a while. Also, you can selectively switch off Lockdown Mode for specific websites and apps, without disabling the feature entirely. There are some quirks, but I have gotten used to them, too.

Google’s Advanced Protection Program

Google launched its Advanced Protection Program in 2017. This feature is designed to make your Google account more resilient against malicious hackers of all kinds. 

Advanced Protection Program includes the following features:

• Restricts some third-party services and apps from accessing your Google account, and only with your permission.
• Enables “Deep Gmail Scans,” which scan your incoming emails for phishing attacks and malicious content.
• Enables Google Safe Browsing in Chrome, which warns users navigating to dangerous sites or downloading dangerous files. 
• On Android, you can only install apps and games from legitimate app stores.
• If someone tries to log into your account, Google takes extra steps to verify it’s really you.

To turn on Advanced Protection, go to its official page and click “Get Started.” This will prompt you to log into your Google account. Follow the instructions there. 

First, you will need to add a physical security key (or a software passkey) as an additional verification factor apart from your passwords. You will also need to add a recovery phone and a recovery email to your account, or use a backup passkey or security key. 

Android’s Advanced Protection Mode

Introduced last year and likely inspired by Apple’s Lockdown Mode, Android’s Advanced Protection Mode brings similar defenses to Google’s mobile operating system.

Android’s Advanced Protection Mode provides the following security features:

• Enables Google Play Protect, which guards against malware and unwanted apps, and checks all apps for “harmful behavior.”
• Apps from unknown sources cannot be installed, and updates from previously installed apps from unknown sources will be blocked from running.
• Enables Memory Tagging Extension (MTE) on supported devices. MTE is a hardware-enforced feature that protects against certain types of vulnerabilities. 
• The device locks automatically if it detects suspicious activity “indicative of theft,” such as sudden and fast movement. This is based on data from the device’s motion sensors, Wi-Fi, and Bluetooth. 
• The device locks automatically if it goes offline for a prolonged period. 
• The device automatically reboots if the phone has been locked for 72 hours, making it harder to extract data using law enforcement tools designed to unlock phones, such as devices made by Cellebrite.
• When the device is locked, USB connections are blocked.
• Google scans for “unwanted and potentially harmful messages.”
• Links sent via the Messages app from unknown users will be flagged. 
• Connection to 2G networks is blocked.
• Google will identify spam callers. 
• You will be able to screen incoming calls and decline spam calls automatically. (Available only in certain regions.)
• Enables Android Safe Browsing, which protects against malicious websites.
• Chrome will automatically enforce HTTPS encryption for all sites.
• Some JavaScript functions are turned off, reducing the browser’s attack surface for potential weaknesses.
• You can also enable Intrusion Logging, an optional feature that helps researchers investigate spyware attacks. 

To enable Advanced Protection Mode on your Android device, go to Settings, then Security and Privacy, and under Other Settings, tap Advanced Protection, then tap Device Protection. 

WhatsApp’s Strict Account Settings

WhatsApp is used by more than 3 billion people, including those in the crosshairs of resourceful government agencies. 

The demand for hacking tools that target WhatsApp is so high demand that exploits can cost millions of dollars — and they work. In 2019, WhatsApp caught a hacking campaign by NSO Group that targeted around 1,200 users. Early last year, WhatsApp caught another spy operation that ensnared around 90 users in Europe. 

In response, earlier this year, WhatsApp launched Strict Account Settings, an opt-in feature that switches on some privacy and security controls depending on the operating system.

On Android and iOS, Strict Account Settings turns on the following features:

• Two-step verification.
• Security notifications, which alert users when a contact has changed their phone or reinstalled WhatsApp, or if an attacker takes control of their account. 
• Blocks attachments and media (pictures and videos) from unknown senders by default.
• Link previews are turned off.
• Calls from unknown numbers are silenced.
• Your IP address is hidden in calls.
• Your profile information and activity, such as when you were last seen online, your profile photo, and About information, are hidden from people who are not your contacts or members of a pre-established group. 
• Only contacts or members of a pre-established group can add you to a group chat.

To switch the feature on, use your primary device and go to Settings, then Privacy, then scroll down to Advanced and turn it on.