I mean, I know why nation-state attackers love them - it's super easy to exploit them, and once you do, you have full access to everything in the user account (including all browser login sessions). But what's the advantage to users?
> I mean, I know why nation-state attackers love them - it's super easy to exploit them, and once you do, you have full access to everything in the user account (including all browser login sessions).
tl;dr: The exploitation was indeed done through apps. The OS itself is harder to exploit, but most apps are not as secure and provide the first foot-in-the-door for the attacker.
I am responding specifically to the claim that once you've exploited an app, you have full access to the user's entire account (which is true to some extent on desktop platforms, but not on mobile OSes by default). I left a comment elsewhere about the kind of attack you're talking about: https://news.ycombinator.com/item?id=22632756
I see. Indeed, I agree it is not super easy to access everything on the mobile.
But I am still convinced that having a myriad of different apps, most of which are developed without real regards to security, makes the attack surface much larger -- e.g. you are likely to find a popular exploitable app that already has legitimate access to user data (such as "all the time" location data, contacts, calendar, ...) - as NSO did with whatsapp.
I mean, I know why nation-state attackers love them - it's super easy to exploit them, and once you do, you have full access to everything in the user account (including all browser login sessions). But what's the advantage to users?