Armadillo Phone 2 combines our custom hardware, operating system, applications and network into one simple solution: the most secure smartphone you can buy.


We chose the Pixel 3A as the starting point for Armadillo Phone 2 because of its strong hardware security features like guaranteed security updates, verified boot and the Titan M security chip. The Pixel 3A has hardware ( called an "IOMMU" ) to isolate the operating system from the cellular radio and other vulnerable components. Armadillo Phones are inspected and shipped with tamper-evident seals, so you can detect if your package was opened during delivery. You can choose to have the cameras or microphones physically removed from your Armadillo Phone.


  • Armadillo Chat: High-security instant messaging.
  • Control: Manage other Armadillo Phones.
  • Install: Safely download new apps.
  • Radio Sentinel: Prevent cellular attacks.
  • RAM Sentinel: Prevent forensic attacks.
  • Theft Sentinel: Prevent theft.


Armadillo Phone’s simple interface doesn’t allow you to put yourself at risk. The software has been hardened to prevent vulnerabilities that could compromise other phones. You can create multiple users and login by entering their password instead. If you’re forced to unlock your Armadillo Phone, you can login as a different user without an attacker noticing. Use incognito mode for temporary high-risk activity that's erased when you logout. The Network Activity Indicator shows how much data is being transferred over the network. The Privacy Indicator shows active cameras and microphones.


  • Armadillo Armor: A case that blocks your cameras and microphones. LEARN MORE
  • Armadillo Beacon: Syncs with the Theft Sentinel app to prevent theft.
  • Armadillo Pouch: A small bag to place your devices inside that blocks all signals, including Wi-Fi, cellular, Bluetooth and GPS. LEARN MORE
  • Armadillo SIM: International 4G SIM card.




Security patches from newer versions of the [Linux kernel] have been backported to Armadillo Phone. These include FORTIFY-SOURCE-STRING-STRING, HARDEN-BRANCH-PREDICTOR, INIT-ON-FREE-DEFAULT-ON, INIT-ON-ALLOC-DEFAULT-ON, INIT-STACK-ALL, BUG-ON-DATA-CORRUPTION and many more. Entropy for kernel userspace ASLR has been increased to mitigate memory corruption exploits.


Android's build process has been strengthened, including improvements for stack probes, bounds checking, frame pointers and automatic variable initialization. The compiler toolchain and libc have been hardened. The malloc implementation has been replaced with hardened_malloc, which is further tuned to enhance security and increase quarantine space. Cross-user interactions have been blocked at the framework level, to prevent leaking information about other users.


Historically, the Android media stack has been very vulnerable, so Armadillo has hardened it to resist attacks. The oldest, least used and riskiest codecs have been removed ( such as H263 and software codecs ). "Scudo", which is the hardened memory allocator for Android codecs, has been expanded in scope and hardened. The mediadrmserver and drmserver have been removed. MMS auto-retrieval is permanently disabled to mitigate remote attacks.


TLS multiplexing prevents leaking protocol metadata and bypasses firewalls. Network time is synchronized using TLS, instead of NTP. Name resolution is done using DoT ( DNS over TLS ), instead of plaintext DNS. TLS session tickets are disabled to prevent tracking across connections. The browser is only enabled in low security mode. Through software security policies, you can disable networks like Wi-Fi, cellular or Bluetooth.

Share your VPN connection with devices connected to your Armadillo Phone's hotspot, turning your Armadillo Phone into a hardware VPN.


Armadillo OS has improved Android's storage encryption by encrypting the metadata of each user separately. So even if your Armadillo's hardware security is compromised, revealing a user's password won't affect the security of other users metadata.

Armadillo doesn't require a primary user to unlock the phone before the rest can be unlocked. Instead, all users are treated as secondary users and the primary user is permanently disabled.

On first boot, a random amount of "fake users" are generated with a random amount of data, to help prevent attackers from detecting real users.

Scrypt KDF work factors have been strengthened ( from 15:3:1 to 19:4:1 ) to resist bruteforcing.


Unsafe software components have been removed to prevent vulnerabilities. This includes tracking software used by Google, manufacturers and third-parties. Dangerous permissions (like internet or location access) given to the Camera and Contacts apps have been removed. Safe default settings have been set, including requiring strong passwords and hiding notification content. If your Armadillo Phone is remotely wiped, it won't indicate it's erasing your data. Biometrics have been disabled. The UI for enabling developer options has been disabled. The ability to toggle Wi-Fi, Bluetooth or airplane mode from a locked phone has also been disabled.