by acdha
2674 days ago
This might seem intuitive but it's wrong unless your phone is really old and unpatched. Modern phones sandbox everything, often encrypted per-application (standard on iOS for many years, becoming common on Android), and they have storage classes which will not be included in backups or easily copied to a computer. You could start to approach that on a laptop — make sure you have FDE enabled, use the operating system's sandboxing features pervasively, store secrets using the TPM, etc. — but that's a huge amount of work and the attack surface for apps on your laptop is enormous, especially for developers: how many people using a system like the one described are one unlucky npm install away from sending their TOTP seed to an attacker? The equivalent attack requires a system compromise on a phone (which tend to have 7+ figure USD bounties on iOS).

The rate of CVEs on Android, combined with the sheer number of manufacturers who are slow about updates or just never deliver any, means that unpatched devices are nothing like the rarity that this statement suggests.