as a mobile dev this is a weird thing to internalize. you build your whole security model on "trust the platform" and there's not much you can do if the OS itself is compromised. you can encrypt at rest, minimize permissions, avoid caching sensitive data, but at some point you're just hoping the OS underneath you isn't pwned.

the KSIMET through BLASTPASS progression is sobering. it's basically a new chain every year.