
Unplugged DMZ: A Checkpoint Between Your Apps and the Outside World

Giving users visibility and control over what their devices broadcast — and what gets let in.

Your phone is a battleground

Every smartphone runs a constant conversation between the apps on it and thousands of servers across the internet. Most of it is invisible to the user. None of it is governed by the organization that issued the device.

That conversation is how a device quietly broadcasts where the operator is and who they are. It's also how adversaries find a way in. And now AI is accelerating both ends of the problem.

"DoD has now confirmed to Congress that foreign adversaries are exploiting commercially available location data to target U.S. military personnel in war zones."

- Sen. Ron Wyden, Rep. Pat Harrigan, and 12 co-signers, letter to the Department of Defense

This is not theoretical. In 2024, an international consortium of journalists used a free sample of commercial location data - 3 billion data points covering 11 million devices - to track 12,313 devices at 11 U.S. military sites in Germany, including off-base movements of the personnel carrying them.

In 2016, a government contractor used the same category of data to track phones from U.S. military bases to a staging area in Syria used by allied special operations forces.

The threat has been known for over a decade. The mitigations recommended by the senators - disabling advertising IDs, removing tracking-friendly browsers, opting out of broker platforms - are useful. But none of them address what apps are actually doing on the device.

Current defenses stop at the boundary of the app

Hardened operating systems, VPNs, permission frameworks, MDMs, firewalls. All do real work. None of them see inside the application.

Once an app is installed on a device in your fleet, it operates as a black box:

  • The OS governs what the app asks for
  • The network governs what the app talks to
  • Nothing governs what the app actually says to its own servers

That blindness is where modern threats live.

Proof: Apple's ATT was supposed to end mobile tracking

In April 2021, Apple launched App Tracking Transparency (ATT) - the "Ask App Not to Track" prompt that gives users a one-tap option to deny apps the ability to follow them across other companies' apps and websites. About 85% of users said no.

The advertising industry was supposed to lose its visibility into mobile users overnight. The immediate market reaction said it would: Meta's stock cratered from $380 to $90 - a 76% drop. The narrative was that mobile surveillance had been defeated at the OS level.

Then Meta's stock recovered roughly 7x to $607, higher than its pre-ATT peak.

The recovery is the proof. If ATT had actually ended tracking, Meta's ad revenue and stock would not have come back. They did because advertisers routed around ATT entirely.

Permission prompts only govern third-party tracking IDs. Apps simply moved to first-party telemetry to generate their own unique identifier: device fingerprints, sensor data, network signatures, and behavioral signals collected by the app itself, sent to its own servers, and never subject to a permission prompt.

The Unplugged DMZ

Borrowed from the military and corporate "demilitarized zone," the Unplugged DMZ is a security checkpoint built directly into every UP Phone. It sits between the apps and the network, embedded inside every app's runtime and the OS framework beneath them, and inspects traffic moving in both directions.

It is the only mobile security capability that operates inside the application itself.

Inbound: zero-click compromise, stopped before execution

The most dangerous incoming threat is the one personnel never see. Pegasus-class spyware arrives disguised as an ordinary file. A photo. A PDF. An audio clip. The recipient does not open it. They do not interact with it. The moment the device's system attempts to process the file, the exploit is executing.

Once inside, the adversary has full access: messages, email, photos, camera, microphone, real-time location, and more.

The DMZ inspects every incoming file before it reaches system memory, operating post-decryption, pre-execution. In the millisecond between decryption and execution, on-device ML models trained on the structural signatures of exploit classes scan the file. Threats are dropped before they run. The administrator is notified. The device stays clean.

For organizations whose personnel operate in environments where targeted spyware deployment is a known threat, this is the difference between a compromised device and a clean one.

Outbound: control what your devices broadcast

The dramatic attack gets headlines. But the everyday exfiltration is the bigger problem.

The first-party problem

Adversaries are not waiting at the third-party tracker. They are buying telemetry that apps send to their own servers. Apps have moved past the advertising ID and GPS toggles. They now reconstruct who and where a device is from their own first-party telemetry: device fingerprints, sensor readings, network signatures, and behavioral signals. No permission governs this. No VPN reroutes it. No MDM blocks it.

The majority of surveillance data leaves the device on the same domains the app legitimately uses to function. Standard tools cannot tell these calls apart from normal traffic.

How the Unplugged DMZ stops it

Operating pre-encryption, inside the application, with full visibility into what each request contains and what each endpoint is for, the DMZ blocks all traffic to data-collection endpoints — third-party and first-party, whether or not they share a domain with functional traffic.

Real-time fleet visibility

The DMZ is not a black box administrators have to trust blindly. A Picture-in-Picture overlay shows interdiction happening live, on any device, in any app. Operators in the field see what their device is no longer broadcasting. Administrators in the operations center see the same activity at the fleet level.

A Privacy Center surfaces what's blocked, what's allowed, and what data the DMZ is actively protecting — per device, per app, per category.

Force protection at the application layer

Every other approach to mobile security works from the outside in. A firewall. A VPN. A blocklist. Layers of defense hoping to catch what gets through.

The Unplugged DMZ works from the inside out — governing the application's activity itself, from inside the app, at runtime, in both directions. A governed space between your device and the world, where nothing crosses without being seen, and nothing leaves without permission.

On devices that look and feel like any other.


Unplugged Research Team

Security & Platform Engineering

The Unplugged research team focuses on mobile application-layer threats, runtime governance architecture, and the intersection of commercial data markets and national security.
