Just adding my 2 cents to this discussion. I think it doesn't matter what sort of spyware potentially exists somewhere out there for some phone, what matters is whether it is on your phone.
This isn't really about the security of OpenPGP either but about a fundamental trust in the things we use, both hardware and software. I can recommend this video from 36C3 that talks about hardware security (spoilers: it's absolutely non-trivial and nigh impossible to verify): https://www.youtube.com/watch?v=Hzb37RyagCQ

It's also about threat models that you, as the user of software (that you trust does its job correctly), are trying to protect against. If an attacker having root access to your device is part of a threat you want to defend against, your only choice is to use a (hopefully) known-good device that performs the encryption/decryption for you. If you are only interested in end-to-end encryption where the message might be intercepted in transit, or in verification of signatures, then OpenPGP still does its job pretty damn well. There is not a single encryption algorithm that can't be defeated by simply having full access to the device it is running on.

Now we can talk about mitigations that exist for the threat model where the device you are using to read/send messages is compromised, and I think the recommendations in this thread are pretty sound. I personally have been using OpenKeychain and a YubiKey via NFC. That means that while any message that I have decrypted might be compromised, the keys used to decrypt are still secure (under the assumption that YubiKeys are as secure as advertised, see the video above). For me this is secure enough. For you it might not be.

I think that in general users of software should be aware that the environment their software is running in is a threat vector; if you do not trust it, or you only trust it so far, then only keep information you can afford to get compromised in it. If you are a person under close government watch, live in an authoritarian regime or are a dissident, I would of course recommend using an air-gapped device.

If you are working for a company with important trade secrets, you hopefully don't have access to those on your phone anyway. If you are a normal person not defending against any sort of advanced persistent threat, I think a smartphone still offers decent (enough) security in day-to-day use for non-sensitive information. And then there is of course still: https://xkcd.com/538/

In the end it all comes down to: how much effort is the attacker going to spend on you? That determines how much effort you need to spend to protect yourself against them.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users