Using an air-gapped computer or mobile phone as cold storage is a very unsafe practice. In his exhaustive research, Dr. Mordechai Guri clearly explains how your private keys can be extracted from them. The research paper can be found here:
https://arxiv.org/pdf/1804.08714.pdf
Put briefly, when you're signing and broadcasting your transaction, you would probably need to introduce removable media such as an SD card or USB cable to your air-gapped computer. A virus can then infiltrate your system via the USB, after which it can control and send instructions to a specific component in your computer to export your private keys. One of the surprising ways it can do that is by taking control of the computer's fan to extract information from the sound it makes! The output from your computer, be it in the form of light, sound, or radio signal emissions, can be picked up to extract your private keys. Android devices are not safe either. They rely on TrustZone, which is susceptible to side-channel attacks, and are hence unsafe to be used as cold storage. The iPhone uses a secure enclave, but it can only be used for Apple functions, requiring you to download a third-party app if you use your mobile as a cold wallet.
Check out this interesting article that clearly explains how security can be compromised if you plan on using an air-gapped computer or mobile phone for your crypto:
https://medium.com/cobo-vault/air-gapped-computers-and-phones-vs-hardware-wallets-whats-the-difference-f06790316f03