About the security content of iOS 15.8.5 and iPadOS 15.8.5

Bunch of negativity on Apple UI recently, but you gotta give Apple credit for supporting really old phones. Google Pixel, forget about it lol

Pixels 8 and later get 7 years. Not as good as Apple but reasonable.

Pixels 6-7 got 5 years. I'd say that's on the low end of okay.

For "lol" you have to go back to 2021 or earlier. Or look at some of Motorola's offerings.

My Pixel XL here works great for scrolling at night. I'm skeptical of the "no more system updates" boogeyman; I'd love some case studies or anecdotes about the real-world threats that using an old devices exposes me to.

I left Android at the Nexus 5 after years of buying every Nexus phone. The deal breaker: Despite staying on official ROMs, Google broke audio in video recording such that all my vacation videos with a special friend ended up with garbled audio. My mistake for trusting Google updates right before my trip. You'd think for their reference phone they would test a primary feature like video recording for regressions? Apparently not.

My friend at the time had an iPhone 5, I noticed her phone worked without issue while my Nexus 5 was constantly draining its battery.

I finally bought an Apple device and 11 years later never looked back. Finally said goodbye to Windows & Linux as well. I presume this is how many Apple conversions happen.

Back when Pixel came out I used to argue with a friend because it supposedly had a better camera: I'd always point out that the Pixel phone has its own Wikipedia article describing all its issues: https://en.wikipedia.org/wiki/Pixel_(1st_generation)#Issues

Its been like 12 years since the G1? They are still playing games till this day. Give it a rest already.

I have a functional Pixel 3XL that when flashed with one of the few modern Android ROMs available for it feels pretty fine to use for the most part… better than a lot of brand new low end Android devices, if I’m being honest. Too bad it’s not supported any more.

> Pixels 8 and later get 7 years.

looks like Pixel 8 was released October 2023, so not even 2 years ago. not sure I'd put much stock in what Google says about support after <30% of the stated time.

> Pixels 6-7 got 5 years.

looks like Pixel 6 was released October 2021, so not even 4 years ago.

The phones and the policies haven't been out long enough to see if Google actually releases updates at five years. The Pixel 6 will drop out of support in a year, so we'll see!

I remember when Google broke 911 calling, and decided it was ok to wait for the next maintenance patch to fix it. People could have died, but Google just couldn't hurry up and release an emergency patch.

Remember when the CEO of Google testified before Congress that if they were allowed to purchase DoubleClick and enter the advertising market that they wouldn't link your use of Google services with your advertising profile?

I'll believe Google's promises after they keep them, not before.

I'm reading this now on a Pixel 2XL. It runs reasonably well, though I've currently got a few too many apps running in the background crapping it up. It's asinine that Google dropped support for this model so quickly, and I really have no faith in them at all anymore. 7 years is what it should have always been.

> Pixels 8 and later get 7 years. Not as good as Apple but reasonable.

I had 3 pixels over the years. all 3 died after 1-2 years tops. And repairability is zero. absolutely would not recommend if you're a digital nomad. meanwhile my iphone 14 is still going strong. Battery life has gone down but still acceptable.

I just had my iphone 12 mini battery replaced. This thing performs as well as the day I bought it. It will be a sad day when I have to "upgrade".

I used to be on android, but after the Samsung Galaxy S3 started fucking with my settings in updates I went to Apple and have been on iPhones ever since. Specifically what sticks in my memory the most was an update that reset the shortcuts on the bottom menu bar to default and locked it so it was no longer possible to customize it. At the time I used none of those default apps.

Actually, similar reason that I ended up abandoning Windows for Linux on my home desktop (I had been using Linux on work computers for years at that point). Windows 10 kept changing my settings back to default after every major update and it was infuriating. I would have gone for a mac if there were better support for games.

It's legally binding.

> Pixels 8 and later get 7 years. Not as good as Apple but reasonable

7 to 10 years is a 50% increase. Diminishing marginal returns dents that. But it still represents huge quantities of metal and resources.

So, up until 3-4 years ago (around the time of iPhone 13), you couldn't buy a Pixel phone with more than 3 years of security updates? Lol indeed.

> I'd love some case studies or anecdotes about the real-world threats that using an old devices exposes me to.

The Apple patch in the OP is in regards to a zero-interaction exploit that compromised the device to install spyware etc.

> Impact: Processing a malicious image file may result in memory corruption. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.

"got" as in announced to be given. Not as in the 5 years of support is already done.

I went back and forth over years right up until google was caught tracking people even with the feature disabled.

It’s honestly kind of sad. Google could still print money without the endless spying but they just can’t help themselves

Apparently it still isn't fixed

https://www.androidauthority.com/google-pixel-10-911-calling...

> It’s honestly kind of sad. Google could still print money without the endless spying…

They literally couldn’t.

911 calling issues have been a persistent problem for Pixel devices.

> specific targeted individuals.

Isnt this exactly the point? Most people who aren't the target of state intelligence agencies have little to worry about from using an older phone.

Exactly, that IS Google’s business model.

All of those phones should have been within warranty and swiftly replaced.

It's still supported by lineageos. It's just the installer doesn't do major version bumps, you have to manually reflash to higher versions.

If Graphene can do it, why can't they?

Those exploits trickle down to less sophisticated actors as they become known.

> The deal breaker: Despite staying on official ROMs, Google broke audio in video recording such that all my vacation videos with a special friend ended up with garbled audio.

For me it was also the Nexus 5.

It just lost many of my photos, of our firstborn child.

Unrecoverable. Gone. And so was I from the Android-platform.

Early pixel models comes with unlimited google photos feature etc. I think maintaining is more of a lost revenue to google than patching cost. If customos devs can do it on donation so can google. Probably a reason for google to obselete them and a reason for us to keep alive and running it as long as possible.

I still see few custom roms spoofing as early pixel models to enable unlimited google photos.

How is that even legal.

Yeah everyone seems to have horror stories that pushed them to Apple, and of course there are some more minor horror stories from Apple too but they just don’t reach the same height for most users

It’s not unreasonable to blame google for this reliability issue, but this is also a little bit on the user who didn’t appropriately back up their important data to a different device/service/building/account.

While quite frightening, how could you even test this? You can't just make test calls to 911, can you?

(I'm actually somewhat interested in the answer... I have a use-case, and the seeming inability to test is a bit worrying)

It can both be true that it’s good to get security updates for old devices, and that you might have no issues using an old phone personally. It doesn’t make it a boogeyman. Things can be two things.

Haven't tried it myself, but this official-seeming website suggests that you can schedule a test call ahead of time with your local 911 call center.

https://www.911.gov/calling-911/frequently-asked-questions/#...

You can schedule a 911 test call. "Test calls can be scheduled by contacting your local 911 call center via its non-emergency phone number." [0] More info here:[1]

[0] https://www.911.gov/calling-911/frequently-asked-questions/ [1] https://www.nasna911.org/home

We really should be requiring these types of things to be bonded, i.e., if Google says that, they have to bond all company owned stock and all executive stock options and compensations against it.

Same for politicians; they make a claim, they have to sign a bond against all their assets that they’ll do it after the election.

Like a cease and desist letter, but inverted. Persist and insist, perhaps?

They could use Google Photos to store them off the phone, but…

https://www.reddit.com/r/googlephotos/comments/xsn9ij/people...

Pixel 4a… announced Aug 2020… EOL’d Jan 2022… updates stopped Aug / Nov 2023

Android is abandonware IMV

Yes, and Pixel 6 is still supported for at least another year. I'm not sure what your point is.

> Pixels 8 and later get 7 years. Not as good as Apple but reasonable.

Pixel 8 gets 7 years of OS updates, not security updates. That's actually more than the 5-6 years that Apple commits to.

The camera clicked, but they were never saved. Hard to back that up, really.

They can, they just don't want to add more engineering hours to that I imagine

I'm pretty sure Google can buy a femtocell to simulate local mobile network of their own.

That's the idea, but I'm not seeing it

Maybe that's because of the boogeyman being feared and so people update enough to make such attacks not common enough to be worth it, so once we stop fearing it... but idk. So far it hasn't mattered to have devices with Bluetooth vulnerabilities at hacker conferences of all places

FWIW in my experience upgrading Android versions works, mostly, as long as you remember to uninstall the old Google Play services and then install the new ones.

However, without a tested migration path, it may break your phone and make you factory reset + reflash the ROM if it doesn't work out, and there's nobody you can turn to or blame when that goes wrong. There's no official support, but that doesn't mean it'll never work.

Testing migration paths is a massive pain, especially when you're upgrading a whole bunch of parts all at once, and volunteers have more fun and frankly more important things to work on.

Realistically, your malware exposure risk has three parts:

- The apps you run get exploited and your outdated OS can't protect you - An app you install exploits your OS - Someone attacks a system component and exploits your OS

The first risk can be mitigated mostly by just updating your browser/email client/webview engine/etc, which Google supports long past an OS version's lifetime. Android apps typically get updated for five or six versions behind the latest one.

The second attack vector is always a risk (0days do exist), but probably won't harm you if you have a set of trusted apps. There's always the risk of a supply chain attack, but I haven't heard of that in practice outside of cracked apps or that shitty spamware you find on Google Play.

The third vector probably won't affect you either because most system components aren't directly exposed. iOS has a history of getting exploited through simple MMS messages but on Android those processes are harder to exploit (and can often be updated years later through Google Play if you use the Google ones).

There was a huge flaw in Google's Bluetooth stack which pretty much allowed RCE on any phone with Bluetooth enabled. If your phone hasn't been patched against that, you have to be careful about leaving Bluetooth oh. Same goes for WiFi, but those bugs are harder to exploit.

There's a risk, but in practice millions to billions of people use outdated Android versions and malware strains abusing that fact aren't very common, especially not if you don't install weird third party apps from shady sources.

Part of the challenge of exploiting Android devices in practice is that there are endless combinations of firmware versions+device models+system app versions+kernels. iOS, on the other hand, generally has a handful of models, often running predictable software stacks because of Apple's decent track record when it comes to software updates.

Android exploitations does exist: various spyware companies use remote attack vectors, including WhatsApp or MMS like on iOS, to deploy targeted exploit chains to their victims. In practice, that's a risk to journalists, human rights activists, and other people The Government Doesn't Like Very Much (any government, really). Outdated phones are also easily dumped by law enforcement, so if you do anything that could be considered illegal, better not take your phone across international borders.

Given that 5 years of support is now the minimum required for devices to be sold in the EU, Apple is now on the lower end of the range compared to companies like Google and Samsung.

Apple may have done better in the past, but these other manufacturers are making stronger legally binding claims than Apple.

They're legally required to in the EU.

their point is that it has not yet taken place, so shouldn't be talked about using past tense

Phone makers (and even their supply chain partners) operate their own in-building cell networks with carrier-type hardware, and extensive debugging and observability, including simulation of multiple towers and location.

It wouldn’t get you 100% E2{ for 911 testing, but it does let you develop and test the stack extensively before taking it to the real world and scheduled testing coordinated with 911 call centers.

From first sale, right? The interesting date to me is years of support from last sale—when a company would still sell you a device as new.