Aviation

Crew tablets and EFBs treated as safety equipment.

Electronic flight bags, MRO tablets, ground-ops devices — the industry already demands they live in a closed configuration. HardenedOS gives you the attested-firmware, signed-app-catalog, surveillance-ceiling answer to 14 CFR 91.21 and EASA AIR OPS without the bolted-on MDM tax. Optionally, custom aviation intelligence apps share ADS-B tracks and ops chatter over an end-to-end-encrypted XMPP backbone — no Flightradar24 account between your receiver and your dispatch desk.

The threat surface

What changes when the device is on a flight deck.

Aviation devices are weight-class-zero attack targets — small fleets, high-value payloads, regulated environments. The threats below are the ones we hear from ATA-104-aligned operators and MRO chiefs:

EFB tampering en route

A modified ForeFlight, Jeppesen, or LIDO chart could fly the plane into terrain. Hardware-rooted verified boot + signed-app catalog means the chart binary that loaded is the one your IT signed, not one swapped in via USB at the FBO.

Crew SIM swap during turnaround

Pilot phones used as 2FA tokens for company portals are SIM-swap targets. LTE-only mode + per-app network gating means a swapped SIM can't be used to receive a 2FA code while the device is locked.

USB-C attack at the gate

Charging cables at gates and aircraft are uncontrolled. USB data lock at the OS level when the screen is locked — no juice-jacking exfil during a 25-minute turn.

Ground-ops tablet theft

Ramp tablets walk off. Duress PIN wipes irrevocably. Auto-reboot on idle clears decryption keys from RAM. Hardware attestation refuses tier policy on a device whose chain doesn't verify.

MRO supply-chain compromise

Maintenance tablets pulling parts data from MRO systems are pivot points. Required-app catalog locks the install set; tier policy disables sideloading; hardware attestation in heartbeats catches a tampered firmware.

Cabin Wi-Fi MITM

In-flight Wi-Fi is a hostile network. Per-connection MAC randomization, DNS-leak prevention, VPN tunnel enforcement at the OS level — apps can't bypass the corporate VPN onto cabin Wi-Fi.

How HardenedOS responds

The aviation-tier configuration, out of the box.

Most operators deploy at the Corporate tier with the following adjustments — the /policies UI lets you create them in three minutes:

  • Locked app catalog

    Required apps: your EFB (ForeFlight Business, Jeppesen, etc.), your dispatch client, your fault-reporting app. Everything else: Optional or blocked. Each APK pinned to its developer signing-cert SHA-256 — DPC verifies on install.

  • Hardware attestation in every heartbeat

    Titan-M2-signed attestation: bootloader state, OS image identity, firmware. Your ops desk refuses policy enforcement on a device whose chain doesn't verify — a compromised tablet stops being a compromised tablet on the next manifest sync.

  • USB data lock when locked

    Charging at the gate doesn't open the data lines. Configurable per device profile so the maintenance-tablet profile can allow USB while it's docked.

  • Per-connection MAC randomization + LTE-only

    Cabin and crew-rest Wi-Fi networks see a fresh MAC every connection; 2G is disabled to neutralize fallback baseband attacks.

  • Surveillance ceiling, kernel-enforced

    Even at the most restrictive policy, no tier — including Government — can silently capture audio, screen-record, log keystrokes, or hide the management UI from the user. Important for crew privacy + union obligations.

See the full feature list for the hardware + memory mitigations underneath.
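
The locked-catalog rule above (each APK pinned to its developer signing-cert SHA-256 and checked on install) can be sketched as follows. This is an added example, not HardenedOS or DPC code: the package names, catalog layout and function names are hypothetical, the certificate bytes are constructed stand-ins, and the certificate is assumed to come from an APK whose signature has already been verified.

```python
import hashlib
import hmac

# Constructed stand-ins for DER-encoded signing certificates (not real certs).
EFB_CERT = b"constructed-der:efb-vendor-release-key"
REPACK_CERT = b"constructed-der:unknown-repackager-key"


def cert_pin(cert_der: bytes) -> str:
    """SHA-256 of the signing certificate as lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()


def normalize_pin(pin: str) -> str:
    """Accept 'AB:CD:...' or 'abcd...' so formatting never causes a mismatch."""
    return pin.replace(":", "").replace(" ", "").lower()


# Hypothetical catalog: package -> (state, pinned signing-cert SHA-256).
CATALOG = {
    "com.example.efb": ("required", cert_pin(EFB_CERT).upper()),
    "com.example.dispatch": ("optional", cert_pin(b"constructed-der:dispatch-key")),
    "com.example.game": ("blocked", None),
}


def check_install(package: str, cert_der: bytes, catalog=CATALOG):
    """Return (allowed, reason) for an install request; deny by default."""
    entry = catalog.get(package)
    if entry is None:
        return False, "not in catalog"
    state, pin = entry
    if state == "blocked":
        return False, "blocked by policy"
    if not pin:
        return False, "catalog entry has no pin"
    # Same package name with a different signer is the repackaged-app case.
    if not hmac.compare_digest(normalize_pin(pin), cert_pin(cert_der)):
        return False, "signing certificate does not match pin"
    return True, state


def missing_required(installed: set, catalog=CATALOG):
    """Required packages absent from a device, for compliance reporting."""
    return sorted(p for p, (s, _) in catalog.items()
                  if s == "required" and p not in installed)
```

The deny-by-default order matters: an unknown package and a catalog entry without a pin are both rejected before any digest comparison happens.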

Field operations

Custom aviation intelligence apps, shared on an encrypted backbone.

The hardened tablet is half the picture. The other half is what runs on it. HardenedOS pairs with a white-label OMEMO / OTR-Forced XMPP chat platform — same vendor, same management panel — where ADS-B tracks, deviation alerts, dispatch traffic, and crew-rest chat all share one end-to-end encrypted channel. Track data never touches Flightradar24 or any cloud relay.

Encrypted ADS-B track sharing

Aircraft tracks ride inside the encrypted ops channel as structured cards — flight number, altitude, vertical rate, heading, ground speed. Pulled from your own ADS-B receiver, signed end-to-end between dispatch, ramp, and crew. No third-party tracking site between your receiver and your screen.

Deviation + altitude alerts

A flight pushing −4,200 fpm or deviating from the cleared track fires a structured alert into the encrypted ops room. The card shows track, rate, heading, last position. Dispatch sees it the moment the receiver sees it; cross-channel broadcast to ground crew and crew-rest in one tap.

Multi-channel ops rooms

Flight-ops, dispatch, MRO, ground handling — each gets an isolated encrypted XMPP room. A track or ATC notice broadcast across multiple rooms in one tap. Rooms scoped by base, by aircraft type, by region; provisioned from your management panel.

EFB-adjacent mini-apps

Crew briefings, NOTAM digests, fuel-uplift forms, MEL deferrals, post-flight reports — built as encrypted mini-apps that post structured cards into the same chat. The dispatcher sees the track, the briefing acknowledgment, and the crew chat in one timeline.

Cabin-Wi-Fi + satcom resilient

XMPP's compact wire format keeps overhead minimal — runs cleanly over cabin Wi-Fi, in-flight broadband, and satcom links where bandwidth and latency both cost. The same chat window works on a flight deck airborne and a duty officer at base.

One management panel, two products

Ship the tablet, ship the chat — both white-labeled to your support brand, both managed from the same admin console. Provision the EFB and the dispatch chat room in one workflow. Roll branding updates across both at once.

Who deploys this

Three procurement shapes we see.

Part 121 air carriers

Scheduled passenger + cargo. Pilot EFBs and cabin-crew comms tablets, often 1,000–10,000 units per fleet. Procurement runs through an avionics integrator who white-labels HardenedOS to their support brand.

Part 135 charter / fractional

Smaller fleets, more direct procurement. The owner/CEO uses the same hardened tablet pattern across crew, dispatch, and (sometimes) the principal. Tier-mix on a single signing chain.

MRO + ground handling

Maintenance and ramp ops. Devices live closer to the airframe, take more abuse, and get lost more often. Required-app catalog + remote wipe + hardware attestation are the three big asks.

Ready to evaluate for a flight test?

We'll send a small batch of HardenedOS-flashed Pixels under your branding for a one-fleet pilot. Six to ten units, six to twelve weeks, your IT keeps the management panel.