Tags: threat-modeling, attacker-profiles, mobile-security

Defining the Attacker: Who's Actually Targeting Your Phone

Most mobile security advice assumes a generic adversary. Real attackers fall into distinct tiers — from nation-state mercenary spyware to opportunistic credential harvesters. Here's how to model the threat correctly.

Every threat model begins with a single question: who is my attacker? Most answers are useless — "hackers," "cybercriminals," or the ever-empty "advanced persistent threat." These labels obscure more than they reveal. If you're building for mobile, you need to map attackers to actual capabilities, not vibes.

Tier 1: The Opportunist

Capabilities: Public exploit kits, phishing-as-a-service, leaked or cracked commercial tooling (e.g., the Hacking Team RCS source that leaked in 2015), and off-the-shelf stalkerware.

Motivation: Volume. They don't want you; they want anyone who clicks. Credential harvesting, OTP phishing, and SIM swapping through social-engineered carrier support calls. SS7 interception of SMS exists, but access to signalling networks is rented rather than stumbled upon, so treat it as a Tier 2 capability.

Relevant defenses: MFA, ranked hardware key > TOTP > SMS; phishing-resistant auth (passkeys/WebAuthn) wherever it is offered; a port-out or account PIN at the carrier (this is separate from the SIM card PIN and is what actually blocks a SIM swap); SMS filter apps that quarantine messages from unknown senders.

Who cares: Everyone. This is the baseline threat. If you're not defended against Tier 1, nothing else matters.

Tier 2: The Targeted Harvester

Capabilities: Custom phishing tailored to you; zero-day purchases on exploit markets (brokers have publicly quoted up to 2M USD for a zero-click iOS chain); access to commercial spyware (2016 reporting priced a Pegasus package at about 650K USD for 10 iPhones plus a 500K setup fee). Vendors like NSO sell only to governments, so a Tier 2 attacker with that access is usually a state customer or its proxy.

Motivation: Specific data. Journalists, dissidents, corporate executives, cryptocurrency holders. Attacker has a budget and a buying process.

Relevant defenses: Lockdown Mode (Apple), hardware security keys only, a separate "travel phone" that never touches sensitive accounts, network-level monitoring (DNS-over-HTTPS to a resolver you control, so you can see the device's lookups; certificate pinning in your own apps, so TLS interception by an on-path attacker fails loudly instead of silently).

Interesting datum: In 2023, Citizen Lab documented Pegasus infections through the BLASTPASS iMessage zero-click chain, which delivered the exploit in a malicious attachment with no user interaction at all. The attack surface isn't the user; it's the parsing code behind the protocol stack.
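The certificate-pinning defense listed under Tier 2, as an added example (mine, not code from the article or from any vendor): computing and checking an SPKI pin for a DER certificate, with constructed stand-in certificates so it runs offline. The `_fake_cert` helper, the key bytes and the pin set are assumptions for the demonstration; a real client would feed `getpeercert(binary_form=True)` from an `ssl` socket into `pin_matches`.

```python
"""SPKI certificate pinning check over DER certificates.

Added example, not code from the article. Pins are computed the way OkHttp's
CertificatePinner and Chrome's former HPKP did it: base64(SHA-256(DER
SubjectPublicKeyInfo)). Pinning the key, not the whole certificate, survives
routine reissuance with the same key while still rejecting an interception
certificate that was minted for a different key. The certificates built at
the bottom are constructed stand-ins for the demonstration, not real ones.
"""
import base64
import hashlib


def _read_tlv(buf, off):
    """Return (tag, value, next_offset) for the DER TLV starting at buf[off]."""
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:                       # long form: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def _children(seq_value):
    """Split a SEQUENCE value into (tag, value, raw_tlv) triples."""
    out, off = [], 0
    while off < len(seq_value):
        start = off
        tag, value, off = _read_tlv(seq_value, off)
        out.append((tag, value, seq_value[start:off]))
    return out


def extract_spki(cert_der):
    """Return the raw DER SubjectPublicKeyInfo of an X.509 certificate."""
    _, cert_body, _ = _read_tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    tbs_value = _children(cert_body)[0][1]             # tbsCertificate
    fields = _children(tbs_value)
    if fields[0][0] == 0xA0:                           # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[5][2]


def spki_pin(cert_der):
    """OkHttp-style pin string: 'sha256/' + base64(SHA-256(SPKI DER))."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode()


def pin_matches(cert_der, allowed_pins):
    """True only if the presented leaf's SPKI pin is on the allow-list."""
    return spki_pin(cert_der) in allowed_pins


# --- constructed certificates for the demonstration (no real keys, no signature) ---

def _der(tag, body):
    """Encode one DER TLV, using the long length form when needed."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _fake_cert(key_bytes):
    """Structurally valid, unsigned X.509 skeleton whose SPKI carries key_bytes."""
    SEQ, INT, NULL, BITSTR, CTX0, OID, UTCTIME = 0x30, 0x02, 0x05, 0x03, 0xA0, 0x06, 0x17
    rsa_alg = _der(SEQ, _der(OID, bytes.fromhex("2A864886F70D010101")) + _der(NULL, b""))
    spki = _der(SEQ, rsa_alg + _der(BITSTR, b"\x00" + key_bytes))
    empty_name = _der(SEQ, b"")
    validity = _der(SEQ, _der(UTCTIME, b"240101000000Z") + _der(UTCTIME, b"250101000000Z"))
    tbs = _der(SEQ, _der(CTX0, _der(INT, b"\x02")) + _der(INT, b"\x01") + rsa_alg
               + empty_name + validity + empty_name + spki)
    return _der(SEQ, tbs + rsa_alg + _der(BITSTR, b"\x00" * 33))


GENUINE_CERT = _fake_cert(b"\x01" * 64)       # the key the app was shipped to expect
INTERCEPT_CERT = _fake_cert(b"\x02" * 64)     # same subject, different key: an interception leaf
PINS = {spki_pin(GENUINE_CERT)}               # ship a backup pin too in a real rollout

if __name__ == "__main__":
    # With a live socket: pin_matches(ssl_sock.getpeercert(binary_form=True), PINS)
    print("genuine accepted:  ", pin_matches(GENUINE_CERT, PINS))
    print("intercept accepted:", pin_matches(INTERCEPT_CERT, PINS))
```

The interception certificate has the same (empty) subject and would pass a normal chain check if its issuer were trusted on the device; only the key hash tells it apart. Always pin at least one backup key you hold offline, or a key rotation bricks your own client.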

Tier 3: The Mercenary / State Actor

Capabilities: In-house zero-day discovery, offensive operators with physical access, cellular infrastructure control (IMSI catchers, SS7 redirection), supply chain interdiction.

Motivation: Geopolitical intelligence, corporate espionage, repression. Think NSO Group, Intellexa, or APT groups with dedicated mobile teams (APT-C-23, Transparent Tribe).

Relevant defenses: This tier is existential; no software defense guarantees safety. The playbook is operational discipline: air-gapped devices for the most sensitive material, compartmentalization, periodic forensic audits (MVT, the Mobile Verification Toolkit, checks backups and sysdiagnose output against published indicators), and zero trust in the device itself.
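What a forensic audit of the kind mentioned above actually does at its core, as an added example (mine, not MVT's code and not from the article): load STIX2 indicators, extract domains, URLs and process names, and sweep records pulled from the phone for hits. The indicator bundle and the records are constructed sample data with placeholder values; the record shape is an assumption standing in for what mvt-ios or mvt-android extract.

```python
"""Indicator sweep over extracted phone artifacts, in the style of an MVT run.

Added example, not MVT's own code and not from the article. The core of a
Mobile Verification Toolkit audit is: load STIX2 indicators, pull out the
domains, URLs and process names, and scan records recovered from a backup or
sysdiagnose for hits. The bundle and the records below are constructed sample
data with placeholder values; a real sweep uses the published STIX2 feeds and
data extracted with mvt-ios or mvt-android.
"""
import json
import re
from urllib.parse import urlparse

# Constructed STIX2 bundle in the shape MVT consumes. Every value is a placeholder.
SAMPLE_STIX = json.dumps({
    "type": "bundle",
    "objects": [
        {"type": "indicator", "name": "c2-domain",
         "pattern": "[domain-name:value = 'updates.example-cdn.net']"},
        {"type": "indicator", "name": "implant-process",
         "pattern": "[process:name = 'cached_updated']"},
        {"type": "indicator", "name": "registration-url",
         "pattern": "[url:value = 'https://cloud-sync.example.org/v1/register']"},
        {"type": "malware", "name": "not-an-indicator"},
    ],
})

# Constructed records, shaped like rows pulled from SMS, Safari history and DataUsage.
SAMPLE_RECORDS = [
    {"source": "sms", "url": "https://news.example.com/article/1"},
    {"source": "sms", "url": "http://cdn.updates.example-cdn.net/p?x=1"},
    {"source": "safari_history", "url": "https://cloud-sync.example.org/v1/register"},
    {"source": "datausage", "process": "cached_updated"},
    {"source": "datausage", "process": "com.apple.WebKit.Networking"},
]

# Only single-comparison patterns are handled; compound STIX patterns are out of scope.
_PATTERN = re.compile(r"\[(domain-name|url|process|file):(?:value|name)\s*=\s*'([^']+)'\]")


def load_indicators(stix_json):
    """Return {indicator_type: set(values)} from a STIX2 bundle."""
    iocs = {"domain-name": set(), "url": set(), "process": set(), "file": set()}
    for obj in json.loads(stix_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        m = _PATTERN.fullmatch(obj["pattern"].strip())
        if m:
            kind, value = m.groups()
            iocs[kind].add(value.lower() if kind in ("domain-name", "url") else value)
    return iocs


def _domain_hit(host, domains):
    """Exact or subdomain match: 'cdn.c2.example' hits an indicator for 'c2.example'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_records(records, iocs):
    """Return (source, indicator_type, matched_value) for every record that hits."""
    hits = []
    for rec in records:
        if "url" in rec:
            url = rec["url"]
            host = urlparse(url).hostname or ""
            if url.lower() in iocs["url"]:
                hits.append((rec["source"], "url", url))
            elif _domain_hit(host, iocs["domain-name"]):
                hits.append((rec["source"], "domain-name", host))
        if "process" in rec and rec["process"] in iocs["process"]:
            hits.append((rec["source"], "process", rec["process"]))
    return hits


def run_sweep(stix_json=SAMPLE_STIX, records=SAMPLE_RECORDS):
    """Load indicators and scan the records; this is the audit's hit list."""
    return scan_records(records, load_indicators(stix_json))


if __name__ == "__main__":
    for source, kind, value in run_sweep():
        print(f"HIT {source:15} {kind:12} {value}")
```

Subdomain matching is deliberate: operators rotate hostnames under a domain they keep, so a hit on `cdn.updates.example-cdn.net` counts. The flip side is noise from shared infrastructure, which is why a hit is a lead for a human analyst, not a verdict.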

"If Tier 3 is your threat model, your phone is a compromised endpoint. You trust the cloud because the device is untrusted."

Tier 0: The User

The most dangerous attacker in mobile security is always the user themselves. Sideloaded APKs, SELinux set to permissive, rooted phones with ADB exposed over the network, "just this once" exceptions carved out of Lockdown Mode. Your threat model must account for the fact that the human holding the device holds its most privileged credential.
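The user-inflicted weaknesses just listed are visible in data the device itself reports, and a posture check over that data is the usual first line in app hardening. The following is an added example (mine, not from the article): it parses `getprop` and `getenforce` output and flags the Tier 0 conditions. The property dumps are constructed samples; the property names are standard Android ones, but the severities and rule set are my choices.

```python
"""Device-posture check over `getprop` and `getenforce` output (Tier 0 indicators).

Added example, not from the article. It evaluates user-inflicted weaknesses
(test-keys builds, debuggable/insecure adbd, non-green verified boot, adb
exposed over TCP, permissive SELinux) from text captured off the device. The
property dumps at the bottom are constructed samples. Property names are the
standard Android ones; the severities and the rule set are this example's own.
"""
import re

_PROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")


def parse_getprop(text):
    """Turn `getprop` output ('[key]: [value]' per line) into a dict."""
    props = {}
    for line in text.splitlines():
        m = _PROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def posture_findings(getprop_text, getenforce_text):
    """Return a list of (severity, finding) tuples; an empty list means nothing flagged."""
    p = parse_getprop(getprop_text)
    findings = []
    if "test-keys" in p.get("ro.build.tags", ""):
        findings.append(("high", "build signed with test-keys (custom ROM or rooted image)"))
    if p.get("ro.debuggable") == "1":
        findings.append(("high", "ro.debuggable=1: userdebug/eng build, adb can run as root"))
    if p.get("ro.secure") == "0":
        findings.append(("high", "ro.secure=0: adbd starts with root privileges"))
    vb = p.get("ro.boot.verifiedbootstate", "")
    if vb and vb != "green":
        findings.append(("high", f"verified boot state is '{vb}', expected 'green'"))
    if p.get("ro.boot.flash.locked") == "0":
        findings.append(("medium", "bootloader unlocked (ro.boot.flash.locked=0)"))
    port = p.get("service.adb.tcp.port", "")
    if port not in ("", "-1"):
        findings.append(("high", f"adb listening on TCP port {port}, reachable from the network"))
    if getenforce_text.strip().lower() != "enforcing":
        findings.append(("high", f"SELinux is '{getenforce_text.strip()}', not Enforcing"))
    return findings


# Constructed samples: a stock device and a user-modified one.
STOCK_GETPROP = """\
[ro.build.tags]: [release-keys]
[ro.debuggable]: [0]
[ro.secure]: [1]
[ro.boot.verifiedbootstate]: [green]
[ro.boot.flash.locked]: [1]
[service.adb.tcp.port]: [-1]
"""
MODIFIED_GETPROP = """\
[ro.build.tags]: [test-keys]
[ro.debuggable]: [1]
[ro.secure]: [0]
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.flash.locked]: [0]
[service.adb.tcp.port]: [5555]
"""

if __name__ == "__main__":
    for name, props, se in (("stock", STOCK_GETPROP, "Enforcing"),
                            ("modified", MODIFIED_GETPROP, "Permissive")):
        print(name, posture_findings(props, se) or "clean")
```

Treat the result as advisory: on a rooted device the user can rewrite every one of these properties, which is exactly the Tier 0 point. The authoritative answer is hardware-backed attestation (Play Integrity or Android Key Attestation), where the verdict is signed by a key the user cannot reach.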

Why This Matters for Mobile

Desktop security assumes a stable network boundary — VPN, firewall, corporate proxy. Mobile has no such luxury. The device roams between cellular towers, coffee shop Wi-Fi, airplane hotspots, and your home network. Each hop is a potential attacker injection point.

An attacker at Tier 2 doesn't need to crack Signal's encryption. They need your phone number, so an SS7 redirect or a SIM swap captures your SMS 2FA, or the email on your Apple ID, so an account-recovery flow hands control to a device they own.

Model the tiers hierarchically: defend against T1 as the baseline, mitigate T2 where the cost is justified, and accept the residual T3 risk through operational discipline. Anything else is security theater.