Wednesday saw the official launch of Apple’s iOS version 7, the operating system behind the iPhone, iPad and iPod Touch. But as with some previous updates, there’s a bit of a sting in the tail.
I’ve complained about Apple’s security support in the past, in the context of desktops. When it comes to phones and tablets, things appear even worse. Apple have never, to the best of my knowledge, issued any official statement about security support for versions of iOS, but all past evidence has suggested that once a new major version is released, support for earlier versions ceases entirely. There is certainly no reason to believe that things are any different with iOS 7.
What won’t run iOS7?
iOS 7 will run on all current Apple phones and tablets, as one might expect, and many older devices – as far back as the iPad 2 and iPhone 4. Support for the venerable iPhone 3GS has finally been terminated, probably on the grounds that its 256MB RAM is insufficient for the demands of the new release. The 3GS was released in June 2009, long enough ago that many who purchased it will have by now gone through at least one phone upgrade cycle. Nevertheless, it remained a current Apple product until the iPhone 5 released a year ago.
With the iPod Touch, things are a little different. While the iPhone 4 has 512MB RAM, the fourth-generation iPod Touch, which released around the same time, comes with half that; consequently it is not supported by iOS 7. This is a product which Apple officially discontinued just four months ago.
It doesn’t even end there. Recently-discontinued models can frequently be found on the Refurbished Store. While I found nothing yesterday on the UK store, on the US store, they had five different models of 4th generation iPod Touch available. Complete, it is claimed, with one-year warranty:
I’m no lawyer, and I’ve not seen the small print that comes with these devices, but I’d like to know the legal position if Apple refuse to fix known security vulnerabilities under the warranty.
Apple have done similar things with iOS devices in the past. For instance, software support for the iPhone 3G was suddenly dropped in March 2011, about 32 months after its initial release, and 8 months after they ceased selling it. Support for the original iPad was dropped with the release of iOS 6 a year ago, eighteen months after the product was discontinued.
What are the risks?
How dangerous is it to run an unsupported operating system on a mobile device? As is so often the case in the world of security, it depends.
New iOS releases typically fix a large number of vulnerabilities, and iOS 7 is no exception. It is likely that Apple has known of many of these for months but prefer to bundle updates together, unless there is a pressing reason to issue them earlier (such as widespread exploitation in the wild).
Windows desktops remain the target of choice for malware authors, but other platforms do get attacked, as with the OS X Flashback virus. And as time progresses, the population of vulnerable devices increases. While ardent Apple fans may rush out to get the latest Apple products, many older devices will get sold on or given to friends and family. It may be difficult to produce successful, profitable malware for iOS, but that’s not to say it’s impossible, and if something major does strike, antivirus is not going to save users. Malware for Android certainly exists in spite of the hugely fragmented version base. With iOS, one can be sure of tens of millions of devices still running iOS6 (or earlier), some of which will be used for activities such as online banking or credit card purchasing, which are of particular interest to criminals.
Personally, I’d want to minimise the amount of my personal data (and indeed anyone else’s) exposed to an unsupported system, and handle anything sensitive on a fully-featured desktop or laptop computer, at the expense of convenience. Others may judge the risks differently, but I do wonder just how many users are even aware?
What should one buy and when?
If going down the Apple i-device route, then without any official end-of-support announcements, all one can do is try and predict the time to buy which is likely to give the longest period of support. Watch out for new products offering a significant performance increase (for instance a doubling of internal RAM – not to be confused with the gigabytes of flash storage), or with a significant architectural change (for instance, the new 5S is the first with a 64-bit processor). Buy the latest model, soon after its release. Last year’s model may still be available for less money, but will probably lose support at least a year earlier.
It’s worth briefly noting that things are different in the Android world. Multiple major releases of Android are simultaneously supported, which is good news. Less so is the reliance in many cases on the handset manufacturer and (frequently) your chosen carrier in order to get updates. Often users are lucky to receive any updates whatsoever, especially out of the initial contract period. Android malware is widespread even if much of it is relatively benign.
What should Apple be doing?
I don’t expect Apple to be able to support all devices forever. Clearly the need to support old devices should not stand in the way of innovation and improvement. There are overheads to supporting multiple releases simultaneously, in terms of managing security patches (although many will be common to multiple releases), and in running an app store where not all apps will run on an older release. These are not insoluble problems, especially to such a wealthy company, but ultimately a business will want to see a return on such an investment.
Where is the return in supporting older devices? Consumers have already bought them. An unsupported device may still provide revenue for Apple through purchases of music, video and apps, but if the user will purchase those irrespective of support, why bother with the expense? If the consumer does encounter problems, persuade them to buy a shiny new device. As long as consumers are unaware of the risks, are aware but accept the risks, or are aware and promptly buy a new i-Device, the incentive isn’t there. What will hit them is bad publicity. That surrounding Flashback did result in some changes with regard to security support for OS X, and we note that occasionally, but not consistently, security updates still appear for Snow Leopard as well as for Lion and Mountain Lion. It may take a comparable outbreak on iOS to get Apple to change their attitude to the platform, and sooner or later, such an outbreak is likely to hit.
What I would like to see is a commitment to providing an operating system with full security support for a minimum period of time for every device. For mobile devices, perhaps four years after initial release, and two years after last sale, and for desktops and laptops, seven years from initial release and five years after last sale.
But I won’t wait up.