←back to thread

About the security content of iOS 15.8.5 and iPadOS 15.8.5

(support.apple.com)
328 points jerlam | 4 comments | 17 Sep 25 00:34 UTC | HN request time: 0.199s | source
Show context
joecool1029 ◴[17 Sep 25 03:07 UTC] No.45271165[source]
Might as well say it since nobody else commented about it, but modem/soc vendors are huge limiting factor on longterm android support. Qualcomm maintains these updates for only a few years, basically nothing earlier than around 2020-2021 gets kernel driver or modem updates.

Of course it's still up to phone manufacturer to integrate these changes, but it puts an effective security support timeline on even 3rd party ROM's like lineageos. They can cherrypick, but it's not as secure once that support ends.

Apple has almost everything in-house (except until recently, modems). So they have a ton of flexibility in continuing to provide updates.

replies(7): >>45271246 #>>45271373 #>>45271509 #>>45271512 #>>45271695 #>>45271719 #>>45271849 #
1. treesknees ◴[17 Sep 25 03:37 UTC] No.45271373[source]
My problem with this argument is many of these types of CVEs have nothing to do with baseband firmware or drivers or anything else controlled by Broadcom. Google could still patch security issues in the parts of the system most exposed to attackers, namely the libraries and apps in the OS itself.

I’d be more afraid of a zero day image parsing bug in messages, where I could be exploited with a drive-by spam text or hyperlinked image, than some theoretical baseband attack by someone in a privileged cell network system.

replies(3): >>45273167 #>>45273616 #>>45273932 #
2. lloeki ◴[17 Sep 25 08:08 UTC] No.45273167[source]
The problem is that baseband or whatever drivers are made in kernel trees that are essentially forks of the kernel at a certain point in time.

This means that any fix needs to be backported to that special tree, irrespective of whether the Broadcom code is impacted, which may prove challenging when you end up having not just one but many trees, each at slightly different levels of outdatedness.

The approach clearly does not scale.

The solution would be for Broadcom to be diligent and forward port their tree to current mainline or current LTS at a minimum but they won't do that.

See how the RPi kernel is generally stuck at a special old version (e.g 6.6 for pi4, which is quite reasonably a LTS but then there's 6.12 as LTS already)

3. saagarjha ◴[17 Sep 25 09:25 UTC] No.45273616[source]
They do; many of the system apps and libraries are updated via the Google Play Store.
4. jeroenhd ◴[17 Sep 25 10:15 UTC] No.45273932[source]
That's part of the reason why Google is pulling more and more stuff out of AOSP and into Google Play.

They started with the WebViews that vendors refused to update leading to all kinds of exploitation. These days, system components like the bytecode runtime and the Bluetooth stack can be updated by Google, unless the manufacturer actively prevents Google from doing that.

Firmware remains an issue, and IOMMU protections aren't all that great on every single device, but more and more Android internals get maintained by Google these days.

As for messages, there is always a risk in the pipeline between modem and the system service, but the Messages app is just another app you can update through Google Play or whatever store you prefer. Same with the dialer app and plenty of other apps. The super-integrated components that make for preferred exploitation targets on iOS aren't set up the same way on Android (not that Android doesn't have other attack vectors, of course).