The Apple patch in the OP is in regard to a zero-interaction exploit that compromised the device to install spyware etc.
> Impact: Processing a malicious image file may result in memory corruption. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.
Isn't this exactly the point? Most people who aren't the target of state intelligence agencies have little to worry about from using an older phone.
Maybe that's because of the boogeyman being feared and so people update enough to make such attacks not common enough to be worth it, so once we stop fearing it... but idk. So far it hasn't mattered to have devices with Bluetooth vulnerabilities at hacker conferences of all places
- The apps you run get exploited and your outdated OS can't protect you
- An app you install exploits your OS
- Someone attacks a system component and exploits your OS
The first risk can be mitigated mostly by just updating your browser/email client/webview engine/etc, which Google supports long past an OS version's lifetime. Android apps typically get updated for five or six versions behind the latest one.
The second attack vector is always a risk (0days do exist), but probably won't harm you if you have a set of trusted apps. There's always the risk of a supply chain attack, but I haven't heard of that in practice outside of cracked apps or that shitty spamware you find on Google Play.
The third vector probably won't affect you either because most system components aren't directly exposed. iOS has a history of getting exploited through simple MMS messages but on Android those processes are harder to exploit (and can often be updated years later through Google Play if you use the Google ones).
There was a huge flaw in Google's Bluetooth stack which pretty much allowed RCE on any phone with Bluetooth enabled. If your phone hasn't been patched against that, you have to be careful about leaving Bluetooth on. Same goes for WiFi, but those bugs are harder to exploit.
There's a risk, but in practice millions to billions of people use outdated Android versions and malware strains abusing that fact aren't very common, especially not if you don't install weird third party apps from shady sources.
Part of the challenge of exploiting Android devices in practice is that there are endless combinations of firmware versions+device models+system app versions+kernels. iOS, on the other hand, generally has a handful of models, often running predictable software stacks because of Apple's decent track record when it comes to software updates.
Android exploitation does exist: various spyware companies use remote attack vectors, including WhatsApp or MMS like on iOS, to deploy targeted exploit chains to their victims. In practice, that's a risk to journalists, human rights activists, and other people The Government Doesn't Like Very Much (any government, really). Outdated phones are also easily dumped by law enforcement, so if you do anything that could be considered illegal, better not take your phone across international borders.
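The comment above splits the risk into "is the OS itself patched" (the Bluetooth/WiFi stack bugs) and "is the web engine patched" (the browser/WebView that Google updates through Play long after the OS stops). Here is an added example, written for this edit and not posted by any commenter, of a small POSIX shell script that checks both on a device via `adb`: it reads `ro.build.version.security_patch` from `getprop` and the `versionName` of `com.google.android.webview` from `dumpsys package`, then flags a patch level older than a cutoff and a WebView major below a floor. The cutoff (12 months), the WebView floor (major 100), and the embedded sample `getprop`/`dumpsys` output are constructed assumptions for illustration, not data from the thread; the real `getprop` and `dumpsys package` commands and property names are genuine Android ones.

```shell
#!/bin/sh
# Added example: assess an Android device's OS patch level and WebView version.
# Thresholds and the SAMPLE_* text below are assumptions made up for this example.

MAX_PATCH_AGE_MONTHS=12   # assumed cutoff: older than this counts as "stale"
MIN_WEBVIEW_MAJOR=100     # assumed floor for the WebView major version

# Constructed sample output in the shape of `adb shell getprop` and
# `adb shell dumpsys package com.google.android.webview` (not from a real device).
SAMPLE_GETPROP='[ro.build.version.release]: [9]
[ro.build.version.security_patch]: [2019-08-05]
[ro.build.version.sdk]: [28]'
SAMPLE_DUMPSYS='Packages:
  Package [com.google.android.webview] (1a2b3c):
    versionCode=636705400 minSdk=26 targetSdk=34
    versionName=124.0.6367.54'

# Whole months between two YYYY-MM-DD dates (day ignored); pure POSIX arithmetic.
months_between() {
    from="$1"; to="$2"
    fy="${from%%-*}"; fr="${from#*-}"; fm="${fr%%-*}"; fm="${fm#0}"
    ty="${to%%-*}";   tr="${to#*-}";   tm="${tr%%-*}"; tm="${tm#0}"
    echo $(( (ty * 12 + tm) - (fy * 12 + fm) ))
}

# "current" if the patch level is within MAX_PATCH_AGE_MONTHS of the given date, else "stale".
patch_status() {
    age=$(months_between "$1" "$2")
    if [ "$age" -le "$MAX_PATCH_AGE_MONTHS" ]; then echo current; else echo stale; fi
}

# "ok" if the WebView major version (versionName like 124.0.6367.54) meets the floor, else "old".
webview_status() {
    major="${1%%.*}"
    if [ "$major" -ge "$MIN_WEBVIEW_MAJOR" ]; then echo ok; else echo old; fi
}

# Pull the security patch date out of getprop text (CRs stripped for older adb builds).
parse_patch_level() {
    printf '%s\n' "$1" | tr -d '\r' \
        | sed -n 's/.*\[ro\.build\.version\.security_patch\]: \[\(.*\)\]/\1/p' | head -n 1
}

# Pull the first versionName out of dumpsys package text.
parse_webview_version() {
    printf '%s\n' "$1" | tr -d '\r' \
        | sed -n 's/^ *versionName=\(.*\)$/\1/p' | head -n 1
}

# Combine: assess GETPROP_TEXT DUMPSYS_TEXT TODAY  ->  one summary line.
assess() {
    patch=$(parse_patch_level "$1")
    wv=$(parse_webview_version "$2")
    echo "patch=$patch ($(patch_status "$patch" "$3")) webview=$wv ($(webview_status "$wv"))"
}

# Live check against a connected device (needs adb on PATH and USB debugging enabled).
probe_device() {
    assess "$(adb shell getprop)" \
           "$(adb shell dumpsys package com.google.android.webview)" \
           "$(date +%Y-%m-%d)"
}

if [ "${1:-}" = "--device" ]; then
    probe_device
else
    # Offline demo on the constructed sample: an old OS with a recently updated WebView.
    assess "$SAMPLE_GETPROP" "$SAMPLE_DUMPSYS" "2024-06-01"
fi
```

Run it as `sh check.sh --device` with a phone attached, or without arguments to see the sample case: a 2019 patch level (so the OS-level Bluetooth/WiFi fixes discussed above are missing) next to a current WebView (so the first risk in the list, exploited web content, is mostly covered). A stale OS with an "ok" WebView is exactly the split the comment describes; a stale OS with an "old" WebView means neither layer is protecting you.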