An increasing number of wearable devices support the execution of multiple third-party applications, increasing the functionality and flexibility of these devices. These multi-application, multi-tenant devices provide users with more options, and application developers with a standard platform. Typical ultra-low-power wearable devices, however, lack the type of hardware memory protection mechanisms - such as Memory Management Units (MMU) - needed to safely separate applications. At best, they provide a Memory Protection Unit (MPU), which allows the user to configure read/write/execute permissions for a few distinct regions of memory. At worst, no hardware memory protection is provided. MPU capabilities vary across hardware platforms, with many shortcomings: (1) the MPU may only support a few distinct memory regions (fewer than one per application), (2) the MPU may not protect all regions of memory, like hardware registers, and (3) MPU protection boundary rules can be arcane, because they depend on opaque hardware implementations. Our key observation is that by supplementing a limited segment MPU with runtime checks, and using compile-time static analysis to explicitly lay out applications in memory, we can guarantee application isolation (sandboxing) even on these limited MPUs, with lower overhead than software-only solutions.
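To make the key observation concrete, the following added example (not code from the paper or its implementation) models in plain C how a limited MPU and an inserted runtime check can each cover one side of an application's memory. The one-boundary MPU model, the addresses, the build-time layout table and all function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed layout, fixed at build time: apps packed at ascending addresses. */
typedef struct { uint32_t base, limit; } region_t;      /* [base, limit) */
static const region_t app_layout[] = {
    { 0x4400, 0x5000 },   /* app 0 */
    { 0x5000, 0x6000 },   /* app 1 */
    { 0x6000, 0x6800 },   /* app 2 */
};

/* Assumed MPU model: one boundary register; stores at or above it fault. */
static uint32_t mpu_boundary;

/* On a context switch the OS moves the single boundary to the top of the app. */
void switch_to_app(size_t app) { mpu_boundary = app_layout[app].limit; }

/* Hardware side: every byte of the store must lie below the boundary. */
bool mpu_permits(uint32_t addr, uint32_t len)
{
    /* Written as a subtraction so that addr + len cannot wrap around. */
    return addr < mpu_boundary && len <= mpu_boundary - addr;
}

/* Software side: the check a compiler would insert before a pointer store.
 * It covers only the lower bound, which this MPU model cannot express. */
bool lower_bound_check(size_t app, uint32_t addr)
{
    return addr >= app_layout[app].base;
}

/* A store goes through only if both the inserted check and the MPU agree. */
bool store_permitted(size_t app, uint32_t addr, uint32_t len)
{
    return lower_bound_check(app, addr) && mpu_permits(addr, len);
}

int main(void)
{
    switch_to_app(1);
    printf("own memory:      %d\n", store_permitted(1, 0x5800, 4));
    printf("app 0 (below):   %d\n", store_permitted(1, 0x4FFC, 4));
    printf("app 2 (above):   %d\n", store_permitted(1, 0x6000, 4));
    printf("straddles limit: %d\n", store_permitted(1, 0x5FFE, 4));
    return 0;
}
```

In this model the store into app 0's memory passes the MPU and is stopped only by the inserted check, which is why neither mechanism is sufficient alone.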