Track record for Apple when it comes to iOS/iPadOS updates has been impressive, but once they stop updating their device it becomes more vulnerable than their android counterpart for basic Internet browsing just because Apple doesn't update Safari via AppStore and doesn't allow any other browser engine.
Case in point : Google Project Zero's latest iOS Exploit chains on webkit shows how easy it was(*is?) for an iOS user to fall victim to browser vulnerabilities by just visiting a website.[1]
The exploits covered targeted only 64-bit, so technically devices < iPhone5S which were not part of the update cycle wasn't mentioned in the GPZ research. But many of the exploit chains did use public jailbreak exploits and Semi-unthethered jailbreaks exist for 32-bit iOS devices running up to iOS 10.3.3.
I don't know whether complete exploit chain as detailed in the project zero wasn't possible for 32-bit devices or the attackers just didn't care about those devices. It is safe to assume, they are vulnerable.
Where as a 7 year old android device can still download Firefox for Android with latest security updates.
In any case, I don't think there can be any opposing arguments on the side of security for Apple not updating Safari via AppStore or now allowing proper 3rd party browsers.
> In any case, I don't think there can be any opposing arguments on the side of security for Apple not updating Safari via AppStore or now allowing proper 3rd party browsers.
Third party browsers entitled with dynamic codesigning poke a huge hole in Apple's security model for iOS devices.
> it's extra work to decouple the browser with the OS.
It is expected of a company which boasts about security and privacy of its users as a premium selling point, although it is questionable now[1]. Besides, MacOS has been receiving Safari updates separately.
Also android has been decoupling several system services with every iteration now, soon crucial system services would be updated from PlayStore and so even if the manufacturer doesn't ship OS updates, important services would stay updated.
There is a bit of nuance here. IE today still isn’t decoupled from Windows. MS has been shoving it into an ever smaller corner of Windows but IE is the OS provided webview for a lot of old crusty applications that needed to render HTML.
What they’re talking about is IE the OS component didn’t mean that IE the user-facing general-purpose browser had to be the default.
And it’s still true 15 years later. They still haven’t been able to decouple IE for all the random crap that uses it. They’ve shoved the user facing interface into a dark corner hoping everyone forgets about it but it’s still there.
Do you mean the ability to dynamically allocate executable memory? That's not necessary for shipping a browser engine (though performance would suffer, as that's how all modern JS VMs work, via jitting JS to machine code).
Yes. It's not necessary for a browser engine to do this, of course, but AFAIK the best interpreters can only approach or barely match simple templating JITs so you're probably not going to be able to write a competitive browser without this.
From that page: ”Without such protection, a program can write (as data) CPU instructions in an area of memory intended for data and then arrange to run (as executable) those instructions. This can be dangerous if the writer of the memory is malicious.”
JIT compilers are collateral damage to that mitigation; they have to write bytes to memory and then make the CPU run those bytes as code, and W^X doesn’t allow that.
Think about what a JIT compiler means: it's allocating memory, writing to it, and then executing it. That's also what malware does so if you give third parties access to that functionality you have the immediate problem that the number of people who can make a mistake which gives native code execution goes up dramatically and that any attempts to restrict it in the future will risk breaking previously-working apps — think about how many years Adobe was able to slack because nobody wanted to break Flash even though it was a huge source of security bugs affecting most people on the Internet.
Apple's security model for iOS, as far as I can tell, is to be able to analyze all executable code in applications at review time. Being able to dynamically generate code does not work with this policy.
Apple libraries use private APIs but developers must not use them directly. If you allow developers to execute arbitrary bytes, they can submit app which does not call private API but will be able to call them later after approve. JavaScript is safe, because it can't call C API, but arbitrary JIT engine is not.
Sandboxing a JIT compiler is impossible to do perfectly, so there will always be the possibility of a sandbox escape, allowing the device to be jailbroken; but alsio for bad actors to take control of the device.
> But many of the exploit chains did use public jailbreak exploits and Semi-unthethered jailbreaks exist for 32-bit iOS devices running up to iOS 10.3.3.
Apple released iOS 10.3.4 on July 22, 2019 for iPhone 5 and iPad 4g.[1] So it's not completely unheard of for Apple to release iOS updates after officially dropping iOS support for old devices. From the Apple website:[2]
> iOS 10.3.4 addresses an issue that could impact GPS location performance and could cause system date and time to be incorrect. This update is recommended for all users.
I wonder if this update quietly fixed these exploit changes.
Unlikely, if it was a security update then iPhone5C should have received it as well. iPhone5C didn't receive 10.3.4 update because its GPS hardware supposedly was an updated one than the iPhone5.
Also, Google Project Zero article(link in parent comment) gives the clear timeline of the attacks and that the exploits were updated to mitigate patches with every new OS updates; so even if 10.3.4 had security patches older devices still might be vulnerable to later attacks.
What Android phone released in 2013 is still getting security updates of any kind? You make it seem like Google and the manufacturers all update their phones consistently.
Yes, if you want a hackable system that you can root/jailbreak and run any combination of hardware & OS & browser and keep 7+ year old devices running, you're better off on Android. I don't think anybody would disagree with that.
> In any case, I don't think there can be any opposing arguments on the side of security for Apple not updating Safari via AppStore
I don't really follow. It's not about just updating it via the AppStore, it would also require making all future changes to Safari compatible with old hardware and old versions of iOS. They have a pretty impressive track record lately of supporting devices up to 5 or 6 years old, but they can't support everything forever. The security argument for it is that almost nobody is using these devices anymore, so their resources are better spent securing systems that have more users.
Sorta, the actual browser chrome is provided by the 3rd party but the underlying rendering and JS engine are required to be the OS provided facilities (i.e. Safari)
Apple’s security model is that Apple has to be able to inspect and review all the code you’re app is going to run. There is a special exception for JS provided that you run it though Apple’s interpreter.
Browsers are caught in the crossfire of a much broader rule that applications can not run code that Apple can’t see. They don’t sign anything that allows for arbitrary or semi-arbitrary code to be downloaded externally and run in principle. Apps get around this by using JS but you aren’t, as a rule, supposed to expose native API’s to your JS code.
I agree, but apple has made an exception for coding apps to run arbitrary code for some years now.
So, it doesn't make any sense for Apple to not allow 3rd party browsers apart from its intention for a walled garden even if it means compromising security for its users.
This was loosened in June 2017. Now apps can can download and run any interpreted code, using any interpreter. It’s not restricted to coding apps or user-written code.
In the developer agreement, the second paragraph of section 3.3.2 gives special permission to programming environments, but that’s for executable code, which won’t work on iOS anyway.
Case in point : Google Project Zero's latest iOS Exploit chains on webkit shows how easy it was(*is?) for an iOS user to fall victim to browser vulnerabilities by just visiting a website.[1]
The exploits covered targeted only 64-bit, so technically devices < iPhone5S which were not part of the update cycle wasn't mentioned in the GPZ research. But many of the exploit chains did use public jailbreak exploits and Semi-unthethered jailbreaks exist for 32-bit iOS devices running up to iOS 10.3.3.
I don't know whether complete exploit chain as detailed in the project zero wasn't possible for 32-bit devices or the attackers just didn't care about those devices. It is safe to assume, they are vulnerable.
Where as a 7 year old android device can still download Firefox for Android with latest security updates.
In any case, I don't think there can be any opposing arguments on the side of security for Apple not updating Safari via AppStore or now allowing proper 3rd party browsers.
[1]: https://googleprojectzero.blogspot.com/2019/08/a-very-deep-d...