This article examines how the smartphone contributes to the co-production of security through an analysis of Covid-19 contact-tracing apps. Building on existing research in security studies that mobilizes the science and technology concept of co-production, the article proposes the notion of ‘appropriation’ as a concrete way of extending our understanding of the public/private co-production of security. Appropriation highlights how consumer technology may be repurposed for security and shows how private-sector actors that own consumer technology not only influence, but actively condition the co-production of security. Bringing new, typically commercial, concerns to bear on security practices, appropriation also has the effect of complicating conventional understandings of the relationship between liberty and security. Focusing on the NHS Covid-19 app and its contentious relationship with Google/Apple’s framework for digital contact-tracing, the article demonstrates how the smartphone enables private-sector actors to gain influence in the security domain. Google and Apple used their control over smartphone technology to compel the British health authorities to adopt a less effective but more privacy-preserving approach than they originally intended, and thus enforced a seemingly liberal response to an exceptional political situation.