Isn't keeping ADB enabled (most people who do this don't enable it and then promptly disable it) a huge security problem? ADB enabled means an adversary can completely own your device and "back it up" by simply plugging it in.
This is much worse than nagging about "untrusted sources".
No, there's a trust-on-first-use procedure where you have to accept the computer's key on your phone.
Not only is it TOFU but that comment is doubly wrong because you can't really back up much other than the bulk storage directory without adb root (which requires a custom build, which obviates the issue to begin with).
Apple has the same thing, but for some reason added Developer Mode which you must enter on the iPhone first. It’s quite involved, with a restart and 3 confirmation dialogs. That had me wondering why they are suddenly so cautious around this.
>ADB enabled means an adversary can completely own your device and "back it up" by simply plugging it in.
Each adb host has to be individually white-listed by an unlocked device. Also, the current behavior is that it auto-forgets any white-listed host that hasn't connected within 7 days.
No, it's not. Your computer creates a unique ID and you have to accept that on the unlocked phone the first time (or every time if you choose to).
So even when adb is on, an attacker can't just plug into your phone and use it. Besides, I just switch it off when I don't use it.