Both cases are worth exploring, especially the second (if mobile gets compromised, you can still get the "signer" to stop signing via some other way).