Topic: What happens when Apple stops supporting a phone, still ok to buy one?

GuitarStv

  • Senior Mustachian
  • Posts: 23128
  • Age: 42
  • Location: Toronto, Ontario, Canada
I didn't comment on their stores making false claims about hardware because I have nothing to say on it.  I'm not even going to try to defend it.

Though it's hardly limited to Apple.  Try taking a brand new, out of the box computer to Geek Squad and see what they want to fix.

I don't claim that it's limited to Apple.  It's just a bigger problem with them because (as I've outlined) Apple is extremely anti-competitive around repairs . . . so there are few places you can go to other than the Apple store to get something fixed.



And I don't know any details of them working with DHS to seize screens.  Presumably they weren't OEM screens, but I simply don't know any details of that, so I have no opinion on it.

It's not possible to buy OEM Apple parts unless you sign an agreement with Apple limiting the type of repairs you're authorized to do and then pay them a fee to become an 'Apple Authorized Service Provider'.  Because of this, virtually all non-Apple places that will do repair use non-OEM parts.


So who makes a phone you consider acceptable?

I don't own a cell phone.  However, Apple's shit business practices put me off ever owning another one of their products some years ago (after buying an iPad 2 and later having it irreparably crippled by an iOS update - immediately after the update the device was unusably slow and it was not possible to roll back).  It would appear that they have continued down the same path ever since.

MilesTeg

  • Handlebar Stache
  • Posts: 1363
Need to get a new phone and the prices on the iPhone 6 are good but I think that is because Apple will no longer be supporting them.   What does this mean? Will the phone still work and be usable for some time to come or are they basically doomed to not work soon?

Would I be better off getting a new model?

You won't get security updates, which is only problematic if you believe in the fantasy that you can do things securely on a mobile device (or really, any general purpose device). Get the 6, don't use it to access financial or medical data, take/store naughty photos ;) or other things that necessitate good security. The latter is true regardless of what phone/tablet or other mobile device you buy. Always assume your mobile device is compromised; use it accordingly. There is no system that is fully secure, but mobile systems are particularly bad due to design choices, frequent connection to insecure networks, and hardware limitations (yes, even Apple/iOS is Swiss cheese security-wise).

The only way you can have a reasonably secure device is to have a dedicated device/system that is rigorously maintained and used ONLY for that purpose. For example, a VM, system-on-a-stick, or laptop that is only turned on/attached to a network for maintenance and for accessing your bank (or whatever). No other websites, no other applications, etc.
While I agree with your paranoia here in general, do you really think an up-to-date iOS device is less secure than an up-to-date Windows 10 PC?  All else being equal (you're not a dingus using the McDonald's Wifi (with either type of device) to check on your investments), I can't imagine them being much different from each other security-wise.

Absolutely. For a couple of reasons:

* Android and iOS are entirely consumer focused. Desktop O/Ss, while also consumer based, share the same codebase as their server O/S variants. Windows 10 has the same core code as Windows Server 2016, Ubuntu has the same core code as Red Hat Enterprise, etc. Even MacOS has roots in BSD. This means there is a lot more scrutiny of the security of those machines.

* More than that, the design and usage model of mobile platforms is fundamentally flawed from a security perspective. Every app you install is collecting information about you and storing that information on remote systems. Often including your actual user data (images, documents, etc.) This means that the potential attack 'surface area' is not just your device, but all the machines that are collecting data on you and the connections made to transfer all that juicy data. This is pretty much your hacker (and spook) wet dream come true. It's the digital equivalent of leaving all your windows and doors open and posting your bank account information on a sign in your front yard with a 'please don't look at this' note.

* On current mobile devices, you don't control the device, Apple/Samsung/Google/etc. do. You have to illicitly hack your device to gain that control. This means you have exactly zero security because you don't control the device.

To be fair, Microsoft is moving Windows in this direction too, but it's not nearly as bad (yet).
« Last Edit: June 07, 2019, 02:48:41 PM by MilesTeg »

Syonyk

  • Magnum Stache
  • Posts: 4610
    • Syonyk's Project Blog
Android and iOS are entirely consumer focused. Desktop O/Ss, while also consumer based, share the same codebase as their server O/S variants. Windows 10 has the same core code as Windows Server 2016, Ubuntu has the same core code as Red Hat Enterprise, etc. Even MacOS has roots in BSD. This means there is a lot more scrutiny of the security of those machines.

Android is based on the same Linux kernel that Ubuntu and RHEL use.  iOS is using the same XNU kernel that OS X is - and you can go poke around the source of that too, if you want.  https://github.com/apple/darwin-xnu

Windows phones... well, both users are probably fine, being a small target set and all.  I'm not actually sure what kernel they use on those devices.  Windows CE or a stripped down NT kernel, probably.

OS X/iOS local kernel exploits are pretty rare, Linux local kernel exploits exist but are reasonably rare, Windows is actually a ton better than it used to be and has hypervisor based separation for desktop use in certain configurations, so I don't quite see your point here.

Quote
More than that, the design and usage model of mobile platforms is fundamentally flawed from a security perspective. Every app you install is collecting information about you and storing that information on remote systems.

Some do, some don't, though it's hard to tell.  Fortunately, permissions are getting better, with both iOS and Android allowing you to deny permissions to apps, or (at least on Android) fake them out with false data (though that may be one of the third party forks, I haven't used Android in the past couple years - Cyanogen?).

Quote
Often including your actual user data (images, documents, etc.) This means that the potential attack 'surface area' is not just your device, but all the machines that are collecting data on you and the connections made to transfer all that juicy data. This is pretty much your hacker (and spook) wet dream come true. It's the digital equivalent of leaving all your windows and doors open and posting your bank account information on a sign in your front yard with a 'please don't look at this' note.

For apps that upload stuff, yes, but locally, they have far more isolation between application spaces than a typical desktop OS.  If something is running as a user on Windows/Linux/OS X, it generally has permissions to just about all the user data.  Android and iOS enforce far more separation, and an application can't just go rooting around in the files of other applications.

If you don't want to install applications that upload crap to the cloud, don't install them, or don't give them permissions.

Quote
* On current mobile devices, you don't control the device, Apple/Samsung/Google/etc. do. You have to illicitly hack your device to gain that control. This means you have exactly zero security because you don't control the device.

You're aware of the Android malware that checks to see if a device is rooted, and if so, uses that access to gain more permissions and be more evil, right?

Claiming it's "zero security" because the user doesn't have the ability to run any code they want is a nonsense claim.  I actually think the whole "open computing" experiment has failed, badly.  If a computer can run anything, it'll rapidly end up running malware of some variety or other.  Locked down devices running signed code are significantly more secure, because malicious code can't move laterally as easily as on a Windows/Linux/OS X desktop.

ChromeOS is the best model I know of for secure web access, though I'd trust an updated iOS device far more than I would Android or any desktop.

Daley

  • Magnum Stache
  • Posts: 4825
  • Location: Cow country. Moo.
  • Still kickin', I guess.
Windows phones... well, both users are probably fine, being a small target set and all.  I'm not actually sure what kernel they use on those devices.  Windows CE or a stripped down NT kernel, probably.

Hey now, there's still literally DOZENS of us, and we're still getting security updates through at least the end of the year.

As for the kernel, yes it's NT. The platform is locked down as tight as W10S is unless you enable developer mode, and you have the added benefit of it being ARM-based, and not willing/able to run either x86 binaries or much of anything outside of the MS store. Ironically, the app gap has stayed stable with the rise of PWAs despite the abandonment of the platform and UWP by some programmers.

More than that, the design and usage model of mobile platforms is fundamentally flawed from a security perspective. Every app you install is collecting information about you and storing that information on remote systems.

Some do, some don't, though it's hard to tell.  Fortunately, permissions are getting better, with both iOS and Android allowing you to deny permissions to apps, or (at least on Android) fake them out with false data (though that may be one of the third party forks, I haven't used Android in the past couple years - Cyanogen?).

I gotta admit, stuff like this makes me sad. The fact that Apple and Google are both still playing catch-up on this front (and many others) with a nearly dead OS that hasn't had new hardware released in over three years - excuse the Wileyfox. Windows Phone, we lost you too soon.

*tips a 40*
« Last Edit: June 07, 2019, 06:40:08 PM by Daley »

Syonyk

  • Magnum Stache
  • Posts: 4610
    • Syonyk's Project Blog
As for the kernel, yes it's NT. The platform is locked down as tight as W10S is unless you enable developer mode, and you have the added benefit of it being ARM-based, and not willing/able to run either x86 binaries or much of anything outside of the MS store. Ironically, the app gap has stayed stable with the rise of PWAs despite the abandonment of the platform and UWP by some programmers.

I don't think ARM is specifically more or less secure than x86, though at this point I would trust simpler ARM cores over Intel x86 chips...  seriously, disable hyperthreading.

I do have a number of light ARM desktops I use.  The Raspberry Pi 3 is a simple enough core that it doesn't do speculation, so... rather immune to a large category of recent attacks/ways of leaking data.

I gotta admit, stuff like this makes me sad. The fact that Apple and Google are both still playing catch-up on this front (and many others) with a nearly dead OS that hasn't had new hardware released in over three years - excuse the Wileyfox. Windows Phone, we lost you too soon.

Apple and Google have both been aggressively walking back the freedoms they gave to app developers in terms of just about everything, because they gave the app developers quite a bit of freedom, which was promptly abused for evil.  So now you see the ability to eliminate an app's notification permissions, and the various Screen Time/etc - which are basically the OS devs apologizing for how evil apps became (in terms of just weaponized psychology and addictiveness).

Daley

  • Magnum Stache
  • Posts: 4825
  • Location: Cow country. Moo.
  • Still kickin', I guess.
As for the kernel, yes it's NT. The platform is locked down as tight as W10S is unless you enable developer mode, and you have the added benefit of it being ARM-based, and not willing/able to run either x86 binaries or much of anything outside of the MS store. Ironically, the app gap has stayed stable with the rise of PWAs despite the abandonment of the platform and UWP by some programmers.

I don't think ARM is specifically more or less secure than x86, though at this point I would trust simpler ARM cores over Intel x86 chips...  seriously, disable hyperthreading.

Didn't mention ARM thinking beyond the reduction of attack surface that ditching Windows' System32 provides. Good points regarding x86, though. Seriously, people, disable your virtual processor cores.

I gotta admit, stuff like this makes me sad. The fact that Apple and Google are both still playing catch-up on this front (and many others) with a nearly dead OS that hasn't had new hardware released in over three years - excuse the Wileyfox. Windows Phone, we lost you too soon.

Apple and Google have both been aggressively walking back the freedoms they gave to app developers in terms of just about everything, because they gave the app developers quite a bit of freedom, which was promptly abused for evil.  So now you see the ability to eliminate an app's notification permissions, and the various Screen Time/etc - which are basically the OS devs apologizing for how evil apps became (in terms of just weaponized psychology and addictiveness).

You realize you're scraping at the very reason why Windows Phone had the "app gap" in the first place. MS never gave them the freedom and latitude to datamine and exploit the crap out of their phone's end users like Apple and Google did, and even in the areas where they did, they still gave the end user the power to disable nearly all those abilities in the OS privacy settings four years ago, and the app developers could just pound sand if they didn't like it. Again, we lost Windows Phone too soon... and it doesn't help that MS just can't seem to get their act together with ARM.

Syonyk

  • Magnum Stache
  • Posts: 4610
    • Syonyk's Project Blog
Didn't mention ARM thinking beyond the reduction of attack surface that ditching Windows' System32 provides. Good points regarding x86, though. Seriously, people, disable your virtual processor cores.

Yeah. :/  They're that broken.

On the plus side (and faintly on topic), I got an old netbook running again.  It's got hyperthreading, but is using a weird Atom chip that has no speculative execution, so should be immune to all this nonsense.

https://syonyk.blogspot.com/2019/06/clank-reviving-ancient-netbook-iphone-6s-rear-lens-repair.html

It's kind of a gutless wonder in terms of CPU (it's marginally faster than a Raspberry Pi 3B+), but eBay helped me out and it's got 8GB of RAM and a nice SSD.  Dual booting Win10/Ubuntu 19.04. :)

... and for the ultra paranoid, it has a physical cover for the webcam, and a hardware wireless disable button.  It's a wonderful little netbook!

Quote
You realize you're scraping at the very reason why Windows Phone had the "app gap" in the first place.

I'm not actually familiar with Windows Phone at all.  I've used iOS and Android extensively, but I've never owned a Windows Phone device, or known anyone who used one (closely enough that we talked about it).

Fundamentally, I don't think ARM changes anything.  It's not Intel, and it has different quirks, but as soon as you try to push the core performance (as Apple has done in their recent chips), you start opening yourself to speculative exploits.  That phones tend to only run one thing at a time helps here dramatically, and I'm sure Apple is quite aware of the issues and is making sure their newer designs don't have the same sort of problems in the cores (I don't think they do hyperthreading on their mobile chips either), but... enh.

Then I spend a solid day outside, working with a 75 year old tractor I expect will out-live me, a 30 year old string trimmer that could really use a set of piston rings (or valve guides - haven't decided which, probably won't bother replacing them as long as it runs), a miter saw, a hand saw, lumber, sun, and a nice breeze... and remember that there's life outside the internet.