Armadillo Phone 2 is designed with a 'zero-trust' mentality: every component is assumed to be compromised. This includes the hardware, software, network and even our staff. We never have access to your data.


Armadillo Phone's software is hardened at every layer to prevent attacks. Unsafe software from Google and others has been removed from Android. Deniable encryption protects you if you're forced to surrender your password. A simple interface prevents you from making privacy mistakes.


You can use our public network or your own private Armadillo Server. This allows you to host your communications on your own network. End-to-end encryption protects your data if an Armadillo Server is hacked. Armadillo Phones bypass firewalls and censorship.


We chose the Pixel 3A for Armadillo Phone 2 because of its excellent security features such as verified boot, million dollar bug bounties and the 'Titan M' security chip. Armadillo staff can physically remove your cameras or microphones. Shipments use tamper-evident packaging, to detect if your parcel was opened during delivery.





Security patches from newer versions of the Linux kernel have been backported to Armadillo Phone. These include FORTIFY-SOURCE-STRING-STRING, HARDEN-BRANCH-PREDICTOR, INIT-ON-FREE-DEFAULT-ON, INIT-ON-ALLOC-DEFAULT-ON, INIT-STACK-ALL, BUG-ON-DATA-CORRUPTION and many more. Entropy for kernel userspace ASLR has been increased to mitigate memory corruption exploits.


Android's build process has been strengthened, including improvements for stack probes, bounds checking, frame pointers and automatic variable initialization. The compiler toolchain and libc have been hardened. The malloc implementation has been replaced with hardened_malloc, which is further tuned to enhance security and increase quarantine space. Cross-user interactions have been blocked at the framework level, to prevent leaks.


Historically, the Android media stack has been very vulnerable, so Armadillo has hardened it to resist attacks. The oldest, least used and riskiest codecs have been removed ( such as H263 and software codecs ). "Scudo", which is the hardened memory allocator for Android codecs, has been expanded in scope and hardened. The mediadrmserver and drmserver have been removed. MMS auto-retrieval is permanently disabled to mitigate remote attacks.


TLS multiplexing prevents leaking protocol metadata and bypasses firewalls. Network time is synchronized using TLS, instead of NTP. Name resolution is done using DoT ( DNS over TLS ), instead of plaintext DNS. TLS session tickets are disabled to prevent tracking across connections. The browser is only enabled in low security mode. Through software security policies, you can disable networks like Wi-Fi, cellular or Bluetooth.

Share your VPN connection with devices connected to your Armadillo Phone's hotspot, turning your Armadillo Phone into a hardware VPN.


Armadillo OS has improved Android's storage encryption by encrypting the metadata of each user separately. So even if your Armadillo's hardware security is compromised, revealing a user's password won't affect the security of other users metadata.

Armadillo doesn't require a primary user to unlock the phone before the rest can be unlocked. Instead, all users are treated as secondary users and the primary user is permanently disabled.

On first boot, a random amount of "fake users" are generated with a random amount of data, to help prevent attackers from detecting real users.

Scrypt KDF work factors have been strengthened ( from 15:3:1 to 19:4:1 ) to resist bruteforcing.


Unsafe software components have been removed to prevent vulnerabilities. This includes tracking software used by Google and third-parties. Dangerous permissions (like internet or location access) given to the Camera and Contacts apps have been removed. Safe default settings have been set, such as requiring strong passwords, hiding notification content and disabling biometrics. If your Armadillo Phone is remotely wiped, it won't indicate it's erasing your data. Enabling developer options has been disabled. The ability to toggle Wi-Fi, Bluetooth or airplane mode from a locked phone has been disabled.