Dateline a few hours ago...
Tom's Guide gave a synopsis of security researchers' frank comments.
<https://www.tomsguide.com/news/mobile-auth-app-hack-rsa20>
"Security researcher says to 'stop buying' Samsung phones"
"'[German phone hacker] Karsten Nohl showed that Samsung was faking
device updates last year,' Turner said. 'Stop buying their stuff.'"
"The only form of two-factor authentication without security problems
right now, Turner said, is a hardware security key such as a Yubikey
or Google Titan key."
"Fingerprint readers are biometric toys."
"Asked about biometric authentication such as fingerprint readers and
facial recognition, Weidman said that it's 'better than nothing when
used in addition to passwords.'"
"'You don't want the risk associated with 32-bit iOS,' said Turner,
adding that you should use only iPhones that can run iOS 13."
"And don't think iOS devices are safer than Android ones - they're not.
There are just as many known exploits for either one."
"'We charge three times as much for an Android pentest than we charge
for an iOS one,' Turner said, referring to an exercise in which hackers
are paid by a company to try to penetrate the company's security.
'Fully patched Android is more difficult to go after.'"
"The iPhone's Secure Enclave offers some additional security, but the
authenticator apps aren't using those elements, said Weidman.
iOS is still good, but Android's [security-enhanced] SELinux is
the bane of [the] existence [of] someone who's building exploits."
"The problem is that if an attacker or a piece of mobile malware
can get into the kernel of iOS or Android, then it can do anything
it wants, including presenting fake authenticator-app screens."
"Apps like Google Authenticator are only as safe as the devices
they run on."
"'What could possibly go wrong when installing a user-mode application
with sensitive cryptographic key materials on a platform with kernel
vulnerabilities?' Turner asked rhetorically."
--
Two kinds of people are on Usenet: Those who add value & those who can't.
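Added example, mine and not from the post above or the Tom's Guide
article: a minimal RFC 4226/6238 HOTP/TOTP generator run against a
constructed otpauth:// provisioning entry of the kind an authenticator
app keeps in user-space storage. The account label and issuer are made
up; the seed is the RFC 6238 reference secret "12345678901234567890"
in base32, so the codes it produces can be checked against the RFC's
own test vectors. The point it demonstrates is Turner's: the seed is the
whole secret, and whoever copies it (a kernel-level implant included)
mints every future code offline, with no device and no server round-trip.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for an authenticator app's stored entry (label and
# issuer are invented). Real apps keep such otpauth:// URIs, or the raw
# seed they carry, in user-space storage. The seed here is the RFC 6238
# reference secret "12345678901234567890" encoded in base32.
EXTRACTED_URI = (
    "otpauth://totp/Example:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8&period=30"
)


def parse_otpauth(uri: str) -> dict:
    """Pull the seed and TOTP parameters out of an otpauth://totp URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    q = parse_qs(u.query)
    secret_b32 = q["secret"][0].upper()
    # base32 wants a length that is a multiple of 8; apps usually drop the '='.
    secret_b32 += "=" * (-len(secret_b32) % 8)
    return {
        "secret": base64.b32decode(secret_b32),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, unix_time // period, digits)


def codes_from_dump(uri: str, times) -> list:
    """Everything needed to mint codes is in the dump; nothing else is consulted."""
    p = parse_otpauth(uri)
    return [totp(p["secret"], t, p["period"], p["digits"]) for t in times]


if __name__ == "__main__":
    # RFC 6238 Appendix B sample times; the 8-digit SHA-1 codes are
    # 94287082, 07081804 and 89005924 respectively.
    sample_times = (59, 1111111109, 1234567890)
    for t, code in zip(sample_times, codes_from_dump(EXTRACTED_URI, sample_times)):
        print(f"T={t:<12} code={code}")
```

Contrast this with the hardware keys Turner recommends: a FIDO/U2F
token signs a per-login challenge with a private key that never leaves
the device, so there is no equivalent blob to copy out of process memory
or app storage, and a stolen signature is useless for any other login.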