[m45t3r]

Yeah, sure. Let me put millions to compromise a supply chain and get access to what thousands of people are sending on their WhatsApp accounts /s.

There is a reason why any type of security analysis needs to depend on your treat model. Unless the target is worth it, it doesn't make sense to do what you described.

Instead, millions of people lose a option of doing their screen repairs for cheap. And of course, Apple will have access to more money as always. But sure, security...

[dpkonofa]

What are you on about? All you'd need to do is find the place where your target is going and either bribe the teenager behind the counter or, depending on the value of the target, compromise the distributor from wherever the parts are coming. This is neither expensive nor difficult to do.

[m45t3r]

> All you'd need to do is find the place where your target is going and either bribe the teenager behind the counter or, depending on the value of the target, compromise the distributor from wherever the parts are coming. This is neither expensive nor difficult to do.

Sure you won't find strange that your smartphone disappear and appear later on, probably turned off (or at least asking for password) because I can't imagine someone doing this procedure with it powered on.

BTW, if you're really a so important target that your life depends on your phone not being tapped, you probably at this point would just throw away your phone and buying another, even if it is completely secure (that I am sure it iPhones isn't). I can imagine many other ways of compromising your privacy just by adding a small GPS tracker or something similar, and this way I don't even need to have access to the original hardware.

Now, of course only a small handful of people needs that amount of security. For most people, having hardware-level encryption of the data contents is fine, of course with trusted path with the bio-metric sensors so a just swap of parts doesn't give access to all its data. This level of security is available in any Android/iPhone. Anything else is just justification to allow Apples to earn even more money.

[zepto]

> only a small handful of people needs that amount of security

Everyone is vulnerable to fraud, identity theft, blackmail etc. Everyone needs a secure device.

If your argument is that insecure devices are ok for most people, you’ve already lost.

[m45t3r]

> If your argument is that insecure devices are ok for most people, you’ve already lost.

Quoting things out-of-context is really bad.

What I meant for that amount of security is the kinda of security where if you lose your device from your sight consider it already compromised. People that needs that amount of security will not be better with the Apple's new security theater.

Android devices are sufficient secure if they're up-to-date (this is not always true, sadly). iPhone devices are secure when they're up-to-date (more likely) and not suffering from the 0-day exploit of the week (that is happening more and more frequently). Arguably every iPhone user would be much better if Apple started to take software security more seriously, but they prefer to increase their profits by making screen repairs harder "in name of security".

Just to make it clear: you don't need to have "Apple certificated repair shops" replace the screen to have secure bio-metrics. The Google Pixel 6 shows this, you can change the screen, this will disable the bio-metrics until the device is re-calibrated (that doesn't need special hardware). Once re-calibrated the device will wipe itself, so there is no security issue here [1].

But even still, this is probably too much. 0-days seems to be so bountiful those days that buying a 0-day seems to be much cheaper than doing custom hardware, even when the hardware itself is not authenticated. Still, if you're gonna do it, do as Google at least.

[1]: https://www.gsmarena.com/google_quietly_releases_a_fingerpri...