1) this was not reported in the context of any bug bounty[0], and the total conversation between me and Apple is 4 emails (1: hello do you plan to fix this? 2: can you reproduce this on the newest ios17? 3: no. 4: if you are able to reproduce it on ios17 let us know)
2) exfiltration is obviously possible, I’m not sure why I would even need to specify that any page is able to read its own contents using JavaScript
3) the iPhone 6s and 15.8 are still seemingly supported by Apple.
You didn’t answer the biggest question: being able to read /etc/passwd does not imply being able to read any of the sensitive files listed under “What files could somebody steal? Well, there’s always:”. Did you actually test any of those?
I only tested passwd at the time and I don’t currently have access to the 6s to test the other files. I can report back whenever I get access to that phone again.
It's always a fun and interesting read when your posts hit HN.
How much time would you estimate goes into researching? And do you have any pointers for someone who wants to dip their toes into this vast sea of exploration?
This wasn't really my "finding" per se (the original vulnerability was from June, after all), it was just something that caught my eye and I thought it would be interesting to discuss the implications and some perceptions I have based on it.
>And do you have any pointers for someone who wants to dip their toes into this vast sea of exploration?
Can you expand on what you mean by this exactly? I got into security by accident when I was a child and have never followed any type of routine when it comes to learning.
Probably the only pointer that may help is: take something that you know and use often (some piece of software) and ask "what if?" or "why can't I or someone do X?" ¯\_(ツ)_/¯
In the context of their blog post, it's assumed that the reader has some knowledge of web technologies — if you can print data to your own webpage, you can also exfiltrate it.
It's not reasonable to expect the author to explain _every_ underlying technology involved since that was likely not the scope of the post.
Welcome to HN; in as gentle a way as possible, I refute this statement
> Apple continues to support nearly-decade-old devices like the iPhone 6S, and iOS 15.8 is still powering those devices, seemingly with official Apple support, with the latest update from October the 25th, which addressed some security vulnerabilities.
With: try to update your Apple Watch with a device running the latest iOS 16
And yet, I am still unable to update my Apple Watch with the latest iOS 16. iOS 17 is now required. iOS 17 is also required to rent a movie on my Apple TV.
So, to the author's assertion that "Apple does a good job supporting old hardware", they may give some security patches but interoperability between current and previous versions is seemingly deliberately broken.
Any model more than 5 years old (Xr and Xs) is essentially not being updated and not secure. So an iPhone 1, 3, 5, 6, 7, 8 and X are all not secure and most people who use the iPhone are totally aware of this.
It's like writing an article that Windows 7 is insecure and Microsoft isn't patching it. This is essentially their policy in most cases.
This is about the browser, not the OS. The unique thing about Apple is that they tie the browser to the OS. So you won't even get application updates, which is quite surprising for anyone that has ever touched a computer.
I understand your point, but I just think the headline.... "No new iPhone? No secure iOS" is misleading, because iPhone xR and xS, iPhone 11, iPhone 12, iPhone 13 and iPhone 14 models are all not new iPhones, but they receive secure iOS updates. The headline suggests only brand new iPhones are secure, but when you click they are talking about deprecated devices more than 5 years old that most users know do not receive updates just like Microsoft/Android or any other vendor, Apple explicitly stated they won't update these devices and most users are aware of this fact.
IIRC the browser is a part of the system because the engine is used everywhere in the system. For a long time in iOS it was WebKit that rendered attributed strings for instance.
Windows and Android both come with a "built-in" browser:
Windows still ships Internet Explorer for rendering some old components, although I think they are moving to Edge (chromium) based web view. I can't find a better source right now, but something to start with: https://www.reddit.com/r/Windows11/comments/11n79xc/why_does...
I have been a developer and nerd for 25 years, and I always expected that Apple also patches some previous versions. E.g. around a week ago they released both iOS 17.2.1 and iOS 16.7.4: https://support.apple.com/en-us/HT201222
So why should I assume that the latest iOS 16 isn't completely patched? I think it's a shame, to say the least, that Apple has no public policy on which OS versions are supported and which are not; it's just guesswork. Whereas I definitely know how long Microsoft supports Windows versions, e.g. Windows 10 until October 14th, 2025: https://learn.microsoft.com/en-us/lifecycle/products/windows...
It's not completely patched. Stop assuming. I've always assumed that Apple or Google or Microsoft consider three factors for deprecated devices or software: 1. Severity of Issue, 2. Expected work required to fix issue, 3. Number of users involved
I think if something is a relatively easy fix and high severity that they will fix it. I don't think they view security updates as a tool to force people to buy new products. The low hanging fruit for large numbers of users gets fixed. The underlying software however, should not be trusted or viewed as secure.
Even though these applications are bundled with the operating system, they are probably separate code bases and if they believe the patch can be accomplished across the versions with minimal work like fixing the same line of code in the old version it probably goes out. If they have to do a major overhaul of the old operating system and port the new browser version to the old software, it probably doesn't.
This is addressed in the second paragraph of the article. The iPhone 6S had an OS update in October 2023 (iOS 15.8) which included a security fix for a different issue. The Chromium security issue was fixed in June 2023.
> Any model more than 5 years old (Xr and Xs) is essentially not being updated and not secure. So an iPhone 1, 3, 5, 6, 7, 8 and X are all not secure and most people who use the iPhone are totally aware of this.
That reads very much like X's are not supported. The 2nd sentence even says it explicitly.
It’s made more confusing by the fact that the comment omits all the S models from the list of unsupported models (along with the iPhone 4 for some reason).
So at a glance one could assume that the XS is lumped in with the X just like the 6S is lumped in with the 6.
/etc/passwd is the same on every device because it is in the system image, which is world readable. I don't think this exploit can be used to read the call history database as the author implies because it is outside of the sandbox profile.
They provided a complete exploit. It's only about 50 lines long. If you want to know if it works with other files it's pretty trivial to see for yourself.
Yeah the author goes a bit far in their hypotheticals, straight into fantasy.
Also not sure I agree with the implication that Apple shouldn’t publish which vulnerabilities they’ve patched (the only logical conclusion because the alternative, patching every version in perpetuity, is unrealistic).
Apple, in my opinion, does a very good job of supporting old devices. Buying an iPhone and keeping it for 6 years is a great strategy and when amortising the cost of the phone over those 6 years, it's price competitive with Android.
I do wish legislators forced Apple and Google to give users a path to install an alternative OS on their device. That would enable old iPhones (and Androids) to have their lifetime extended further.
> I do wish legislators forced Apple and Google to give users a path to install an alternative OS on their device.
All Google phones allow installation of alternative OSes (and are pretty much the only phones that allow resigning the boot loader so they're still secure - which is why they're chosen by projects like GrapheneOS). Why do you think they need to be forced into anything? You can buy a Pixel right now and run an alternative OS.
I interpret their comment as suggesting that Apple should adopt a similar approach, and that Google, as a platform owner, should mandate this requirement for licensing Android™ (not AOSP) to other OEMs (I've had several phones whose bootloader couldn't be unlocked), and for this to be a practice enshrined by law for any other such companies that could operate in a similar position.
I think the biggest problem is in the alternative OS. Non-official OSes typically are so unstable that I personally find them not worth the time, given that a phone is quite an important piece of communication. As others have already mentioned, certain lines and brands, such as OnePlus, Google Pixels, etc. have an unlockable bootloader so people are free to install custom OSes.
I've been installing alternative ROMs on my android phones for almost 15 years. Never did I have any stability issues, on the contrary: the community ROMs often did a much better job than the official ones in terms of battery management, etc.
Not trying to contradict what you say, but my experience from a few years ago was:
* If you don't use a super popular model, you would have very few choices for custom ROMs
* Often custom ROMs are still at the mercy of original manufacturer for certain hardware support -- e.g. they need to release "base AOSP image" or something like that
* Custom ROMs often had random things not working, e.g. NFC not functional or cell/WiFi signal weaker than stock ROM
* Some come with certain crappy preinstalled apps. Sure you can remove them, but still annoying
* Battling SafetyNet was a cat-and-mouse game which I gave up
* Browsing xda-developers forum and following the latest reply of a 10-page, 200-post thread like back in the early 2000s was the only way to get updates of a certain ROM. OTA updates were mostly out of the question
* ... and many more added to this
I don't know how much has changed, hopefully a lot. I don't doubt that if you have a phone of a popular model, you can find a custom ROM that does not make compromises and is much cleaner and better than the stock ROM. But these days I simply don't have any time for taking the risk and messing with these things and worrying that WiFi might not work in some cases.
Yeah I know some devices already support this, the point of forcing it via legislation would be for those that don't.
I think this is also the answer to "the app store question". It feels unfair to force Apple to change a core value proposition by forcing them to allow side loading, but in the spirit of "It's my device" it should be possible to install an OS that makes a different tradeoff e.g. Android
>Buying an iPhone and keeping it for 6 years is a great strategy and when amortising the cost of the phone over those 6 years, it's price competitive with Android.
What's stopping you from keeping your Android 6 years, making it an even better value? Most people I know don't throw away their Androids after 3 years but keep them as long as iPhones. Basically until it breaks/dies. So far I don't know anyone who got hacked and suffered damages for using an Android that stopped getting updates.
Shorter patch cycles - at least historically, I haven't kept pace with the Android ecosystem. That said, with Android you can use a different OS and keep the device secured
Sure, but like I said, people don't throw away their phones once they stop getting SW patches, the same way they don't throw away their ancient Macbooks with glowing Apple logos just because Apple stopped pushing OS updates years ago, because most non-HN people have no idea what patches are and they keep their phone and laptop as long as it still works and the battery lasts.
Obsession with zero day patches and security hypochondria is mostly a HN/tech-workers thing, as if they're under attack by state actors using Pegasus. The average joe doesn't care, nor is he very likely to be impacted, unless using Android Jellybean or something, since most malware in the wild out to get them is script kiddie level, not state-actor level.
And anyway, someone correct me if I'm wrong, but from my knowledge and experience with Android security, most Android critical vulns that can impact the day to day security of the Average Joe are covered by updating Google Play services and Chrome or whatever browser you use as those are the main attack surfaces for (non state sponsored) malware based on what people do with their phones, and those services keep getting updates from Google long after the manufacturers stopped pushing OS updates.
Please don't twist my words. I never said anything about recommending such a lifestyle to people. All I said was, using older devices without SW support, is the reality for a lot of people if you care to leave the tech bubble and see what devices people actually use, especially the not well off ones. Yes, a lot of people keep using their older device and they haven't got hacked. How do you get them to stop using their older devices, if they're happy with them and see no obvious threat and don't want to buy a new one?
Here's a thought exercise: Most people use their device for browsing the web and messaging people, right? So as long as you keep your Play Services, browser and messenger apps up to date, how will malware get to the outdated layers of your OS to PWN you? Especially since modern web browsers and Android use sandboxing for apps and web tabs. I'm talking about realistic documented scenarios from the wild that have happened and are likely to repeat again, not state actors or scenarios from research labs where they hack you through the firmware vulns of the baseband modem.
Like I said, I'm not recommending you still use unpatched devices, but the realistic risk from using an Android device that stopped getting updates a year or so ago is relatively minimal in practice, otherwise there would be mass hacks and credential thefts left and right on a daily basis considering how many unpatched Android phones are out there.
Not when you can load an OS like Calyx [0], GrapheneOS [1] or LineageOS [2]. In this context the iPhone ends up the true "hope for the best" option. The original Pixel / Pixel XL (2016.10.04) can still run the latest LineageOS with current patches [3].
I was responding to the parent who recommended using unpatched, out of support Android.
People who’re comfortable (or can be bothered) installing alternative OSes on their phones have an entirely different view on device obsolescence. Statistically they’re also a rounding error in the total mobile-using population.
> Statistically they’re also a rounding error in the total mobile-using population.
Understood, but that has no bearing on the point being argued. You have no control over Apple iOS hardware after Apple stops supporting it. The fact that there is that "rounding error" is good for everyone as it is a force against closing that ecosystem which currently exists. It matters.
Well, Android patching after 3 years is a pretty new thing compared to Apple's policy. Apple was and is keeping security updates going for a very long time, with major updates on top of that for iOS.
Not knowing someone does not mean they will not be hacked or have not already been by downloading some app from the store.
Yes, Apple is supporting older devices, but has made my SE 2020 nearly unusable (slow as hell, horrible UI bugs when typing) after updating to iOS 17. Everything worked perfectly until then. It seems as though Apple wants me to buy a more expensive phone. A friend had the exact same problem and now upgraded to a newer model.
No real change is going to happen. Out of all the mobile phone users out there, likely no more than 0.1% will ever consider installing an alternative OS on their phone, even if allowed by law. Just look at the size of the custom ROM community in Android and its real world impact.
I’d be very curious to see HOW they contacted Apple. Depending on if you’re reaching out to security or just filing a standard radar I’d expect a very different answer.
Also, was it reported to the WebKit team? If that is where the bug is, perhaps that’s who should be taking the report?
It can make a big difference who reads the ticket. I might see something come in and think oh yeah that'll take me 5 min to fix and I'll just do it, but if someone else unknowledgeable about the feature sees it, or a PM... it might get closed as won't fix at best or just rot for 10 years.
This bug touches nothing hardware specific. In an alternative timeline where mobile OSes aren't Fisher-Price parodies of proper operating systems, they could push the same image to all iPhones and have a proper hardware abstraction layer take care of the specific details.
There is nothing fundamentally incompatible about the last couple of generations of iPhones. ARMv8 CPU, PowerVR derived GPU. If the mobile computing space weren't driven by greed, this would be a non-issue.
A Sandy Bridge era intel machine deployed in 2011 is easily capable of running the latest Linux, BSD or win10. And in the case of the first two, I'd wager it will continue to be viable for the foreseeable future.
It’s not economical to support devices used by less than 1% of the user base. Linux only manages it because community members step up to support older architectures. And sometimes when no one steps up the architectures are removed.
Supporting all of these is work. It makes development of new features harder, because it has to account for quirks of older hardware. Older hardware is also harder to get in the hands of developers and harder to test on. That’s why Linux has dropped support for 386, 486, IA-64 and other architectures.
There’s no point saying trillion dollar corporation etc. It comes down to some basic fact - phones must be built with SoCs, that’s the easiest way. The PC way doesn’t work at scale. Now that we are on SoCs you have to draw the line on support somewhere. Just because the costs imposed on future development aren’t obvious to us doesn’t mean they don’t exist.
I think 5 years minimum (and sometimes more) of OS updates is pretty good, FWIW.
It’s absolutely economical. Apple only has to support a tiny number of devices that they themselves manufactured, they have the easiest job in the world.
Think about how many devices Microsoft has to support in Windows, it’s orders of magnitude more.
Apple doesn’t want to support older devices because they don’t see a benefit to themselves.
5 years of support is pitifully short. Pretty much everything I own lasts longer than 5 years, my phone is one of the things I have to replace most often, not because the hardware is broken, but because it stops receiving updates.
> New devices = New components = New Firmware = The updates have to stop sometime
So how does Microsoft do it? My PC is about the same age yet it is still supported. And not even barely, but without a hitch.
> Apple is an OEM for most parts on their board, if upstream support ends for the components on the board then it's game over as far as firmware updates go.
But this is not an issue with a chip's firmware. Do you believe Apple can't compile code for their 10 year old hardware, or how do you think this happens?
>And it's certainly NOT economical to keep stuff running forever. Look at OpenBSD and Theo famously begging for money to keep his basement of antique equipment running at enormous expense !
If OpenBSD can do it on a budget that's pocket change for Apple, with much more diverse hardware which they have no control over, then Apple definitely can do it.
Is it really bullshit? Lenovo manages hundreds of laptop models via fwupd, and those work just fine after they lose OEM support. I've got a Thinkpad from 2009 that still gets modern Linux patches (to say nothing of my 2006 PowerBook running Arch/Plasma 5).
Compared to what Apple makes off hardware and service revenue, the cost of opening iBoot and providing basic firmware support would be almost nothing. It's so economical that the volunteers at Asahi were capable of replacing the missing bits via black-box reverse engineering. You want to tell me that Apple is incapable of releasing that firmware themselves? On a technical forum?
> Compared to what Apple makes off hardware and service revenue
Really I wish people would wake up and stop with this bullshit.
Do the other manufacturers do anywhere near as much R&D as Apple does ? NO ! (2023: Lenovo 2bn vs Apple 29bn).
Do the other manufacturers maintain their own OS across multiple hardware platforms ? NO !
It's easy to sit in your armchair and spout crap about "well, Lenovo does it !". Well, the OS on your Lenovo is Windows or Linux. And the parts in your plastic Lenovo are almost certainly 100% off-the-shelf commodity parts.
Meanwhile Apple's R&D is what brings you, for example, the unmatched Apple Silicon chips, which everyone except the die-hard Apple bashers agree are genuinely industry leading.
Really, you've just proven my point. If Lenovo can support their hundreds/thousands of devices on a shoestring budget, Apple can support their few dozen devices easily. They've already written the device drivers and documented their non-commodity hardware, there's no technical reason it won't run other OSes.
I almost feel like you don't actually know what you're arguing against. An optionally-open bootloader is practically free to implement, and releasing driver code (or at least hardware docs) would mostly be an IP-related decision, not an effort-gated one. As-is, it feels like you're defending Apple's right to enforce petty limitations and be lazy with their trillion-dollar IP. It should be obvious why we (former Apple customers, some of us) disagree.
Lmao Apple R&D. Don't know what they're spending it on since they almost always adopt technologies that have already been developed + proven in the market.
So Apple spends 29bn on R&D every year, over many years, and ends up developing...a really good (if not currently the best, sure) version of an ARM chip, a pre-existing architecture with which they are already intensely familiar? Wow, they're sure being real efficient with those funds.
I believe a lot of their performance gains pretty much just come down to larger die size than most ARM CPUs, making an SoC and colocating memory etc. all on the same die, wrangling some of TSMC's newest, most transistor dense and power efficient nodes. M1 Ultra=114b, 64 core graviton3=55b, hell people are even building stuff like https://www.jeffgeerling.com/blog/2023/everything-ive-learne....
Apple went for a bunch of easy wins tbh. Why doesn't every other computer manufacturer do it? Well Apple is a $1T company; they control so many aspects of their products, OS, software etc so very easy for them to offer this. It would require a concerted effort on the part of so many companies involved in the ecosystems of non-Apple products to make a transition the same way Apple did.
>It’s not economical to support devices used by less than 1% of the user base. Linux only manages it because community members step up to support older architectures. And sometimes when no one steps up the architectures are removed.
Again, bugs like this are not hardware specific. You are not supporting "devices". You are supporting the OS which all of them run. Ideally (I'm not familiar with OSX/iOS internals) all they have to do is push out an update that contains the newly fixed libwebkit.so or whatever. They control everything on their own platform so they don't even have to deal with glibc breaking backcompat like we have to in the GNU/Linux world.
If they can't figure out a way to make changes like this universal across devices, it's either deliberate negligence or incompetence.
You're a special kind of clown claiming that it is not economical while Apple's profits are somewhere between 20% and 26%. They could build an update, they just prefer making more money.
Shrug. That's their problem. Or it should be, at least.
Don't sell crap you can't support for a decent amount of time. Stop ruining this planet we live on by creating immense amounts of e-waste every few years.
We both know your argument is dishonest or at least naive, though. They could easily support updates if they want to. But it's about money. This way they are forcing people to buy a new phone every few years. It's clever, shame about the planet.
Dishonest? You're saying I'm lying to support a trillion dollar corporation I have no financial stake in and never have? Is such an accusation really in the spirit of this forum?
I will say that certain comparisons (eg. "The PC way doesn’t work at scale") are objectively wrong. Even Apple uses the PC model internally, despite not having an open bootloader or really supporting UEFI anymore. AFAIK, the XNU kernel even uses the same DeviceTree layout as Linux for supporting ARM SOCs. Apple hasn't really broken any new ground that can't be re-covered by modern operating systems.
Also, your claim that it's "not economical" is entirely unproven and arguably false. iPhones are still architecturally supported by Linux and will continue to be for a while (even longer on BSD). Other Apple products (eg. Apple Silicon) received community driver support entirely from donations and volunteer time. There's no reason to assume that iPhones lack community interest, especially since Apple has never given the iPhone community the same leverage they had on Mac.
If that's the sum of both arguments, then you're mostly just leveraging FOMO to support an unproven concept. At best you're jumping the gun, at worst you're twisting the facts to preclude discussion of open iPhone software alternatives.
Apple still sells previous phones as lesser, but still not very affordable, models. The iPhone 7 was released in September 2016 and discontinued in September 2019. It is also on iOS 15.8 so presumably also vulnerable to this. That would be about 4 years of security updates. Not the worst but not beating what e.g. Google promises for Pixel phones now.
I use a Pixel 4a as a second phone and consider Google’s approach to be rubbish…
3 years worth of updates is pretty shit… my son’s iPhone 5c got updates for over 5 years (and I think there were some security issues they patched after that even)
At the moment I’ve got a perfectly usable Pixel 4a that I’m going to have to replace as it’s not secure enough for work related stuff anymore
You can't seriously give Apple shit for this and at the same time praise Google. iPhones have, pretty consistently since the 5 or so, received 5 or 6 years worth of OS updates since the phone's release whereas with Android phones you'll receive 2. Only after years of complaining is Google finally promising to support it for longer. And that doesn't cover Samsung, etc...
> We can and should praise Google for improving things, and use their new strong points to push Apple into improving too.
Over a decade of Nexus then Pixel devices being flashable has not moved any needle of Apple doing the same. Google promising 7 years is in line with Apple's 10 year track record of providing 6-8 years of updates, so it's more like Google aligning with Apple, not Google pushing Apple.
Still, a vague† promise in a blog post or keynote address is not going to fit the bill, at the very least it should be in the EULA or other contractually enforceable document, otherwise the promise is worth nothing.
Ideally I wish software would be treated as with e.g automotive or washing machine manufacturers, who in the EU have a legal requirement to provide parts for 10 years.
† I mean the promise is clearly worded but bears no weight, especially when pitted against Google's track record over the last decade of making grand announcements then pulling the rug down the road.
Especially since a 10-year-old phone was very weak in terms of hardware; we hadn't reached a more plateaued era back then. It's much easier to update a phone from the last 5 years for 10 years than doing the same in a window frame 5 years earlier.
But Android also lets you run custom builds, and my 2016 phone runs the latest OS. Sure not everyone does this, but unlike iOS I can take care of it myself.
> my 2016 phone runs the latest OS. Sure not everyone does this, but unlike iOS I can take care of it myself.
"not everyone" is an understatement.
That's a solution for you (and the dozens - dozens! - of people doing the same), in practice it is not for 99% of Android users, therefore, again in practice, there's a huge fleet of devices with out-of-date software out there.
> But Android also lets you run custom builds
That's not even counting that:
- many Android manufacturers make it non-trivial† to root/unlock/flash a build and/or make it blow a warranty fuse, and that's if it's even possible at all.
- usually the camera goes ape shit, and often loudspeaker audio quality too.
- unless you relock the bootloader it immediately compromises security and makes bootloader updates nontrivial as unlocking again clears the device.
Mind you, this is a fine, intellectually satisfying strategy for you and me to be able to flash open builds, but it's by and large an extremely fringe strategy, and it's been shown over a decade that it's staying that way.
† Often involving downloading random flashing tools from obscure forums, that run only on Windows, some of these being one shot and requiring you to plug in magic numbers corresponding to your exact device, and if you screw it up the device is bricked (e.g. Samsung). Or the unlocking is on a low-write-count chip and once you exceed that limit the device is bricked (e.g. OnePlus). I know, I've been there, bricked a few, recovered only one through JTAG.
Does it really let you run custom builds when it zeroes out proprietary firmware blobs on many models, turning your fancy camera into a shitty basic one? Or what about the million proprietary blobs you would need for full functionality — will those also get patched?
Yes, but that is only one component of a modern phone. Basebands and system bootloaders, among other firmwares, don't receive updates. Those are regularly attacked.
Personally I don’t think Apple’s level of support is incredibly bad when you take a look at the used device market. Even with Apple’s famously high resale values, depreciation on smartphones is huge.
Don’t buy brand new old phones new from Apple, they’re a ripoff. If you buy either an iPhone 12 or 13 used for $250-350 you can basically plan on a $50 a year budget to have a smartphone that always has the latest OS judging by their expected remaining lifespans.
I think the big flaw with the status quo is e-waste more than cost to the consumer. I think an iPhone 6S or 7 are incredibly slow and outdated devices for today’s usage but in 5 years I don’t think we will be able to say the same thing about an iPhone 12 or 13. Smartphone hardware is far more mature now than it was even 6 generations deep into the iPhone product line.
We should be able to replace batteries for $20 and replace things like broken screens for not much more, and Apple should be enthusiastic about it considering how services are their bread and butter moving forward. Apple should be happy to produce fewer phones and keep more consumer dollars allocated toward the purchase of high margin digital goods.
You can yes, but the rumor is that Apple is focusing on adding them directly to your device, and if they integrate it deeply in the OS, then it will require the chips to run it. I’m sure you will be able to run old devices but without the latest Siri for example.
I still use a 6s and a first-gen SE, I won't say they're terribly slow. It's the apps, the modern apps, that make the device too slow. If you don't use so many, it works quite well. The only downside is that the OS is not updated any longer. Although I got a security update recently, weeks ago.
Not yet, I believe. Revenue from iPhone sales is still quite fundamental to Apple’s success, it’s more than triple the revenue from all services combined (not including Google’s search engine deal).
The 2020 SE is available from a wide variety of sources for 200USD (still new in box); it'll be supported until 2027. The 2022 SE is 400USD, supported until 2029.
By comparison the Android phones at this price point functionally went out of support 2 years before they even existed - not only is there zero support for them, but they ship with outdated OS versions to begin with. And no, "but I can go to XDA and get a shitty ROM at the cost of my camera" doesn't count as support.
You had a strong first paragraph, but your second is going too far. A Pixel 6a is $349 and supported until 2027. A Galaxy A15 is $175 and supported until the end of 2028 or early 2029. The full feature updates don't go quite as far, but they're still offered for multiple years into the future.
While Google promises, Apple actually has a decade long track record of updating older phones for 5 or more years. We don’t know if Google will actually follow through on their promises or the execs in charge in 5 years will feel differently. But I personally bet $1000 that the iPhone 13 will get 5 years of OS updates minimum.
Google is not promising this out of the goodness of their heart. They're just getting ahead of what the EU is planning to mandate [0], and doing that to get some good marketing while they're at it.
So, while Google's track record leaves a lot to be desired, in this, I think they'll keep their promise, either because they actually care, or because the EU will force them to. Either way, we, the end users, will benefit from it.
And this will apply to all electronic device makers. That's probably why Samsung also increased their updates policy to five years as well.
>Google is not promising this out of the goodness of their heart. They're just getting ahead of what the EU is planning to mandate
If that was the case then why did Google exceed the requirement by 2 years? Additionally, Google is providing 7 years of OS upgrades and 7 years of security updates. Google could have easily just done what they did with the Pixel 7 and offered 3 years of OS upgrades and 5 years of security updates, thus meeting the EU requirement of 5 years of updates. So to claim that Google offering an industry leading 7 years of OS upgrades and 7 years of security updates is not out of the "goodness of their heart" is being disingenuous IMO.
Do you really think the cost of the class action lawsuit and settlement and the bad publicity for not adhering to their 7 years of support would not exponentially exceed the cost of a team of engineers tasked with supporting updates for their Pixel phones?
As for "promises" - why hasn't any other OEM matched or exceeded Google? Apple should have been the first one to step up the very next day.
Google doesn’t have enough e-fuses to update the pixel phones for seven years, the marketing department is incompetent and didn’t talk to literally the only engineers they should have.
It's fine for a vendor to completely abandon 10 year old hardware but if you can still pay 30% App Store tax/pay for iCloud/etc, the security fixes should be backported as well. The current situation is charging full price for inferior (or maybe even dangerous) product: Apple wants to have its cake and eat it too.
I don't totally follow this argument. The 30% App Store commission, iCloud subscription, etc. does not only fund security fixes for the OS and core services. I don't think the average consumer thinks that's what they're paying for either. Waiving the fee for EOL'd devices would create a perverse incentive of its own.
I do wish Apple would follow Google's example and commit to a service lifetime upfront, but other than that, I don't object to their model. In practice, it vastly exceeds the level of support for any Android phone other than the Pixel 8, and we have yet to see whether Google actually follows through on that.
Also it means that at some point, Apple would have to actively block some legacy devices from using iCloud, the App Store, Apple Music, any app with subscriptions etc. which would effectively make the device pretty useless.
App Store purchases aren't tied to a particular device; you can buy an app on an old device and keep using it when you get a newer device. Do you have a coherent, reasonable suggestion for how Apple could modify their business model without completely breaking it, or are you just desperate to shoehorn complaints about the App Store fees into the conversation?
Easy: offer a discount if a purchase is made on an unsupported device, just like how grocery stores offer discounts for food that's about to expire.
I don't think there is a real concern about app store economics collapsing, the app marketplace business is very lucrative. We can see this in related cases: you can avoid certain iOS taxes by purchasing your subscriptions on the web: Twitter Blue is $11 on iOS and $8 on the web. Spotify used to be $12.99 for iOS sign-ups and $9.99 on the web.
Why should users pay full bundled iOS tax that supports security updates, if they are getting none?
> Why should users pay full bundled iOS tax that supports security updates,
I don't think I've ever seen someone express the expectation that Apple's App Store fees are for the purpose of supporting iOS development and maintenance. Mostly I've seen and heard the expectation that those fees are connected to running the App Store itself (payment processing, hosting, app review, etc.) and beyond that, vague profiteering. iOS itself isn't a subscription service, and Apple seems quite happy to sell you devices even if you don't spend money in the App Store. So you seem to be stretching a bit by attributing those fees to iOS maintenance and then turning around to say that unsupported iOS versions should get a discount on the fees for any services that still work.
Your purchases carry forward to newer devices, no? If nothing else, people would keep an older device just to make purchases and then install it on their newer iPhone.
They're not charging you, the user, that 30%. They're charging the developer. Yes, that does trickle down to you in the developer's pricing, but, in this instance, a phone no longer receiving security updates is not an inferior product from the point of view of the transaction in question.
What does this mean? The App Store fees are paid by the developers / vendors. Are you saying they should pay less proportionate to the number of times their apps are downloaded to older devices?
I think it’s a completely valid point. Apple is still making (potentially a lot of) money off these old devices yet isn’t willing to fully support them. It seems very unethical.
I agree. Clearly Apple should do the only ethical thing and immediately ban all unsupported devices from new App Store purchases.
When Apple announces this (very ethical) policy change, I expect you to full-throatedly defend Apple from the mass shrieking cries of "but muh planned obsolescence!!" Right? Right?? ;-)
In fact, one could argue it's also "very unethical" for Apple to (negligently) allow someone to use a potentially unsafe or hackable product. To be maximally ethical, Apple should be remotely bricking any Apple device the day it loses security support. Better to be on the safe ("ethical") side and remote wipe too, to protect people's data privacy.
Can you see how Argument From I Merely Assert XYZ Is Unethical Then Demand Some Arbitrary Relief can quickly break down?
So theoretically - and I tried this a couple of years ago - I could still download the “last compatible version” of an app if it’s available on the store for my old 2010 iPad 1st generation running iOS 5.
This device had 256MB of RAM and a 400MHz 32-bit processor. Should Apple still support this with security updates?
It’s an issue of expectations. If Apple advertises security support then it’s fraudulent to not deliver it; on the other hand, if they advertise an EOL date, then I’d agree there’s no reasonable expectation of security updates. But what they actually do is neither, they communicate very little, supporting some past iOS versions fully and others to degrees that only they know, resulting in them profiting off a reputation for backporting security updates while not actually binding themselves to deliver it, or, often, doing so.
Like the battery issue, I feel the whole issue is communication. Apple needs to communicate when they EOL OS versions. You don’t otherwise know it, partly because EOL OSes, including this phone’s, still get security updates, just not all of them.
They do communicate it in every major release, including which devices are supported. Many major vendors release security updates for EOL devices when doing so would greatly increase the security posture of those devices and comes at little to no cost to the vendor. Notably Cisco, Microsoft, Apple, and Samsung come to mind.
Is the implication that once a device is EOL that a vendor should never release an update for that device again?
They only communicate it after the fact, when the new OS is impending release. There’s no way to know at time of purchase how many years your device will be supported.
I feel like Apple changed the dynamics of smartphone market from company-issued devices like BlackBerry to BYO with the iPhone essentially on purpose so they don’t get stuck providing decades of enterprise support promises like companies like Microsoft.
Companies purchasing bulk orders of hardware probably wouldn’t tolerate a vendor unwilling to make any sort of concrete support promise for the contract. But a company who employs iPhone users can basically put the responsibility on the user and simply block access to non-compliant devices.
> Is the implication that once a device is EOL that a vendor should never release an update for that device again?
It seems typical for vendors to use "EOL" to refer to end of support life, not merely discontinuing sales of the product. Most notably, that's how Microsoft generally frames EOL for major Windows releases, hence the expectation of jumps in PC sales corresponding to EOL of XP, 7, and 10.
They communicate OS version device compatibility, I’m talking about communicating OS version EOL. For example, Windows 10 EOL is 2025-10-14, and we know this years in advance. For Apple, not only do we not get advance notice, we don’t even know when it’s already happened.
No, I’m not implying there’s something wrong with shipping the occasional update to EOL devices.
Correct. The issue is it is not commonly known that Apple isn't actually backporting fixes for exploits while it has been claiming to update the phones: this is earth-shaking[^1] news
[^1] It would be completely reasonable to say "Earth-shaking? Really? You expect security backports for a decade?" I've been in mobile my whole career, iOS for 7 years, starting from jailbreaking the original iPhone, then worked on Android itself for 7 years. I am sure significant decisions were made assuming this was the case.
Google no longer offers security patches directly, but since you control the phone sufficiently to install your own OS, the community can come together and keep security updates flowing. You could do it yourself if you wanted.
Apple devices make this sort of community maintainership effectively impossible.
I know this means practically nothing since only nerds can actually install a third-party ROM, so for the general populace only the "default" security patch window matters, but for the hacker news crowd it seems like it might be a meaningful difference.
But it is effectively impossible on Android as well. Let's ignore for a minute the fact that practically no one can install a custom ROM.
The bigger problem is that a huge bunch of software running on the phone is fully proprietary and closed source, and there are many many different versions for different phones around - making it virtually impossible to do any meaningful reverse engineering. So sure, your main OS may be up to date, but the baseband OS and virtually all of the device drivers will be left vulnerable, and they have just as much if not more access to the data on your device.
It's all well and good to say "oh you can just install a custom ROM". But you (and many here) can do that. Because you're technically inclined. But the vast majority of users have no idea what the hell you're talking about. They barely know what a security update is or what version of Android they're using, let alone being able to find, choose, and install a ROM.
Can we just choose to stop suggesting it as a legitimate solution because outside of this bubble, it absolutely is not.
People don't know how to install Windows either. In theory they could go to a shop to update their phone like they are doing with Windows, but the reality is that nobody cares about updating their phone.
Is the only standard to which we hold one company whatever the other does? Is there no room for higher principles here, in your view? The competition between consumer brands is all that matters?
Huh, it can be totally earth shaking or completely normal depending on time and place. In the current smartphone marketplace it is more towards earth shaking than normal.
You don't have to agree, but the resale value of older iPhones being much, much higher than Android tells you customers value the support and quality of the iPhone.
Some iOS 15 phones like the 5S/SE have no newer comparable phones which makes upgrading difficult. Oh dear, I suppose not browsing the web is another option.
A 4-inch screen size that allows the phone to be used single-handed with ease anywhere on the screen, which I’m using to write this comment right now. It’s uncompromising in battery longevity when considering its size, too. First-gen SE is the best phone Apple ever made. The newer SE are terrible.
As someone that went from 5S to 2016 SE to 2020 SE which is my current phone, I've been very satisfied with the 2020 SE.
With each phone I have always taken steps to reduce battery usage, disabled background refresh, and manually turned on low power mode after charging every single time.
Not sure if you're doing it manually from the settings, but you can create a Shortcut that enables low power mode. I have a little icon that I press, but there might be an even better way (automatically trigger on unplug? IDK)
Is your hand large enough to handle the phone one-handed and touch anywhere on the screen with ease without risking a drop? If not, do you use some kind of magnet finger-ring case or similar case?
The more recent SE models are iPhone 8 bodies with upgraded internals (being an iPhone 11 and 13 inside, respectively) and Apple no longer offers a Mini version of their newer phones (not that the A16 and A17 are significant improvements on the A15, but still).
And the Mini is still larger than the first SE by about a half inch in either direction; the 8 (and the newer phones) add another half inch on top of that.
Of course, the problem with using a first-gen SE today is that because information density on mobile is abysmal, the added vertical space has been very welcome to app developers (who also might not test on the smallest screens). So while the smaller phones were ergonomically far superior to the larger ones, and this is to a point true for the Minis as well, that's since been "balanced" by inherently worse UI/UX on said phones.
It's worrying to me since it's often kids who get the hand-me-down phones. I don't think they are going to know how vulnerable their data is. Surely Apple could at least let a community compile latest security updates, if they don't wanna invest their many riches in it? People often can't afford newer phones, and their data is vulnerable.
Apple doesn't patch every security hole in older iOS versions. I don't know what the criteria are, but my guess is if it's a major security hole, or an easily backported one, they'll do it, but if it's super minor or not backportable, they won't.
Would be great to get Linux running on, and driver coverage for, all of the systems-on-chip of these devices. Talent exists for this but they are busy with their jobs or more interesting problems.
Moving the photos and videos to a hard drive is a pain: USB is buggy, iCloud is useless. Cheaper iPhones have very little storage and there is no SSD slot either. It means, when the phone is full you have to buy a new one. If you want to update (assuming updates are available) you have to do hours of manual photo and video deletion to make space for the update.
If they really wanted to update phones that are full they could move the images/video to their server until the update is done.
I think a lot of people here are missing an important point: Apple has always been fairly ambiguous about what their level of support is for older devices beyond major feature updates.
If it weren't for a friend giving me his old iPhone XS as thanks for a favor, I'd probably still be using my old iPhone 6s--and I would not have worried about it from a security perspective purely because (as the article notes) Apple is still releasing security fixes for iOS 15. I'd feel differently if Apple had publicly stated that all iOS 15 security fixes from now on will be on a minimum effort basis only.
My laptop is older than that and I have no problem getting updates. Turns out tightly coupling hardware and software for general computing devices is not such a great idea for users or the environment.
Apple straight-up disallows macOS updates on plenty of Macs that could easily update, too. I'd even argue they're worse than Microsoft about it; I heard about OpenCore Legacy Patcher looooong before I knew people were modifying Windows 11 images to get a working install.
> you can argue that it's "easy" to install Linux on it
In my experience, the average Linux install wizard is less technically involved than the macOS one. So yeah, maybe I would argue that.
Moot point. Both Microsoft and Apple expected the user to install their own OS in the past, and the world didn't explode because of it. If stuff like UEFI and bootloader unlocking was standard again, OS installation would be easy as plugging in a dongle and rebooting.
Plus, you still haven't touched the central point; tightly coupled software and hardware creates more e-waste. What people do today doesn't matter if they're never presented a serious alternative; if ignorance was a basis for removing functionality there would be nothing left of the modern smartphone.
Apple fans would say tightly coupled software and hardware is why Apple products are better than competitors. I don't fully agree but I can see the point.
They may be right. If that same system has proven harms though (or even simple conflicts-of-interest), Apple might have to find a new business model. The whole "we own your app store, we own your payment processor" shtick has really raised eyebrows in the international markets.
> iOS 15.8 is still powering those devices, seemingly with official Apple support, with the latest update from October the 25th, which addressed some security vulnerabilities.
> In reality, however, Apple seems to only be addressing some security issues in its older supported devices.
The author is surprised, reasonably IMO, that if a device is getting security updates, you are still exposed to known vulnerabilities.
For a tech competent user this is worse than clearly being out of support in which case you would retire the device.
This is true for pretty much every vendor. Security fixes do not all get backported to every previous version of something. Newer iPhones do not just run the latest version of iOS, but they are more secure from a hardware perspective too.
Apple only publishes all iOS and macOS updates to the latest version of their operating systems. They release important updates to older operating systems (which is better than much of their competition!) but not all vulnerabilities are fixed for old versions.
You'll probably always be safe from remote code execution on supported versions of iOS/macOS, but exploits like these aren't always fixed. Unfortunately, you can't install an alternative browser engine on iOS/iPadOS, so I guess you should expect all websites to be able to read all of your cookies just in case.
And how's that more difficult than the loading page (exploit.svg) doing a GET/POST request to some server, after <xmp><xsl:copy-of select="document('exploit.php')"/></xmp> was loaded?
The attack assumes that the victim is visiting an attacker-controlled web server.
If the attacker can put secret data in the DOM within the victim's browser, the attacker can also add JS on the same page that POSTs the DOM contents to the server once they're populated with secrets.
Vulnerability research without doing the work to productize exploits is good and productive, let's not normalize the opposite expectation. It's a chilling effect.
If I prove I got a shell prompt on a remote device without any authentication, do I then need to show that I can execute arbitrary code? Or is it clearly implied?
If the page body can read a file, then it can just execute an XMLHttpRequest to send that data to the origin server, which is the attacker in this scenario. This is just how the web works, nothing more to say about it, and no need to prove it.
I don't see how. Apple is choosing to not patch known vulnerabilities on hardware sold new less than 3 years ago. Hardware they're happy to charge for repairs on.
That is why I am an Android dude, you will always find a random ROM on XDA with the latest Android security patch and sometimes even the latest Android version on devices 10+ years old even if the manufacturer has stopped supporting it a while ago.
Not going to lie, if I were trying to infect some devices, it might be through “porting” unofficial “patches” (that no one will ever realistically inspect) for 10+ year old, out-of-support devices whose users have allowed root access.
XDA works a lot on reputation and realistically you will infect like 1k phones none of which will be high value targets. I don't see the motivation. Those maintainers do quite a lot of work to backport patches every week/month and offer OTA. Also I don't enable root when flashing, that is not required at all.
Wait... so because you don't want to be infected because you're using an out of date OS, you load OS patches of questionable provenance, but you're not worried about that since nobody would bother to infect you anyway? Why not skip a few steps there and just run an out of date OS?
Every device running an old OS is vulnerable, so it's better to throw the dice on an aftermarket ROM.
Edit: Though to keep things fair, it must be said that that particular argument only really applies to old devices. If you have a new device (or rather, one still getting regular security updates from the vendor) and a trustworthy vendor, a person could reasonably argue for staying on the stock ROM.
Think about it the other way: if someone who happens to use a random ROM happens to be a target of a state security agency, of course it would be trivial to infect and the other 999 users would be collateral damage.
If a state security agency is your threat model you'll be hard pressed to stay secure even with an airgap. If it's wholesale worm-like attacks you'll be way ahead of the curve by using a niche ROM from a god-forsaken site compared to any slightly out-of-date OEM distro.
Realistically, if someone makes a fringe ROM that may be downloaded a few thousand times, how many people are going to bother checking for nefarious exploits hidden in there?
I hate that I wrote that lol. It reeks of the kind of cybersecurity whataboutism that leads to people inconveniencing the SHIT out of themselves for the sake of security.
That was bad phrasing, there is karma on XDA and trusted name reputation (Evolution X, Pixel Experience, LineageOS). So it is not a random ROM from a random dev. And you always have the source for those builds.
What about the binary blob drivers that can’t be patched and are one of the leading attack vectors? Just look at all of the Qualcomm monthly patches alone. Unless all of your binaries, that have no source, are up to date you’ll never be secure on any XDA ROM.
[0] and you won’t find me on any bug bounty websites except for where I try to get contact with humans, see https://joshua.hu/slack-is-broken-with-noscript