I left Android at the Nexus 5 after years of buying every Nexus phone. The deal breaker: Despite staying on official ROMs, Google broke audio in video recording such that all my vacation videos with a special friend ended up with garbled audio. My mistake for trusting Google updates right before my trip. You'd think for their reference phone they would test a primary feature like video recording for regressions? Apparently not.
My friend at the time had an iPhone 5, I noticed her phone worked without issue while my Nexus 5 was constantly draining its battery.
I finally bought an Apple device and 11 years later never looked back. Finally said goodbye to Windows & Linux as well. I presume this is how many Apple conversions happen.
Back when Pixel came out I used to argue with a friend because it supposedly had a better camera: I'd always point out that the Pixel phone has its own Wikipedia article describing all its issues: https://en.wikipedia.org/wiki/Pixel_(1st_generation)#Issues
It's been like 12 years since the G1? They are still playing games to this day. Give it a rest already.
I remember when Google broke 911 calling, and decided it was ok to wait for the next maintenance patch to fix it. People could have died, but Google just couldn't hurry up and release an emergency patch.
You can schedule a 911 test call. "Test calls can be scheduled by contacting your local 911 call center via its non-emergency phone number." [0] More info here:[1]
Phone makers (and even their supply chain partners) operate their own in-building cell networks with carrier-type hardware, and extensive debugging and observability, including simulation of multiple towers and location.
It wouldn’t get you 100% E2E for 911 testing, but it does let you develop and test the stack extensively before taking it to the real world and scheduled testing coordinated with 911 call centers.
I used to be on android, but after the Samsung Galaxy S3 started fucking with my settings in updates I went to Apple and have been on iPhones ever since. Specifically what sticks in my memory the most was an update that reset the shortcuts on the bottom menu bar to default and locked it so it was no longer possible to customize it. At the time I used none of those default apps.
Actually, similar reason that I ended up abandoning Windows for Linux on my home desktop (I had been using Linux on work computers for years at that point). Windows 10 kept changing my settings back to default after every major update and it was infuriating. I would have gone for a mac if there were better support for games.
> The deal breaker: Despite staying on official ROMs, Google broke audio in video recording such that all my vacation videos with a special friend ended up with garbled audio.
For me it was also the Nexus 5.
It just lost many of my photos, of our firstborn child.
Unrecoverable. Gone. And so was I from the Android-platform.
It’s not unreasonable to blame google for this reliability issue, but this is also a little bit on the user who didn’t appropriately back up their important data to a different device/service/building/account.
Yeah everyone seems to have horror stories that pushed them to Apple, and of course there are some more minor horror stories from Apple too but they just don’t reach the same height for most users
Remember when the CEO of Google testified before Congress that if they were allowed to purchase DoubleClick and enter the advertising market that they wouldn't link your use of Google services with your advertising profile?
I'll believe Google's promises after they keep them, not before.
We really should be requiring these types of things to be bonded, i.e., if Google says that, they have to bond all company owned stock and all executive stock options and compensations against it.
Same for politicians; they make a claim, they have to sign a bond against all their assets that they’ll do it after the election.
> Pixels 8 and later get 7 years. Not as good as Apple but reasonable.
I had 3 Pixels over the years. All 3 died after 1-2 years tops. And repairability is zero. Absolutely would not recommend if you're a digital nomad. Meanwhile my iPhone 14 is still going strong. Battery life has gone down but is still acceptable.
Looks like the Pixel 8 was released October 2023, so not even 2 years ago. Not sure I'd put much stock in what Google says about support after <30% of the stated time.
> Pixels 6-7 got 5 years.
Looks like the Pixel 6 was released October 2021, so not even 4 years ago.
I'm reading this now on a Pixel 2XL. It runs reasonably well, though I've currently got a few too many apps running in the background crapping it up. It's asinine that Google dropped support for this model so quickly, and I really have no faith in them at all anymore. 7 years is what it should have always been.
Early Pixel models came with the unlimited Google Photos feature etc. I think maintaining them is more of a lost revenue to Google than a patching cost. If custom OS devs can do it on donations, so can Google.
Probably a reason for Google to obsolete them and a reason for us to keep them alive and running as long as possible.
I still see a few custom ROMs spoofing as early Pixel models to enable unlimited Google Photos.
The phones and the policies haven't been out long enough to see if Google actually releases updates at five years. The Pixel 6 will drop out of support in a year, so we'll see!
I have a functional Pixel 3XL that when flashed with one of the few modern Android ROMs available for it feels pretty fine to use for the most part… better than a lot of brand new low end Android devices, if I’m being honest. Too bad it’s not supported any more.
FWIW in my experience upgrading Android versions works, mostly, as long as you remember to uninstall the old Google Play services and then install the new ones.
However, without a tested migration path, it may break your phone and make you factory reset + reflash the ROM if it doesn't work out, and there's nobody you can turn to or blame when that goes wrong. There's no official support, but that doesn't mean it'll never work.
Testing migration paths is a massive pain, especially when you're upgrading a whole bunch of parts all at once, and volunteers have more fun and frankly more important things to work on.
My Pixel XL here works great for scrolling at night. I'm skeptical of the "no more system updates" boogeyman; I'd love some case studies or anecdotes about the real-world threats that using an old device exposes me to.
> I'd love some case studies or anecdotes about the real-world threats that using an old device exposes me to.
The Apple patch in the OP is in regards to a zero-interaction exploit that compromised the device to install spyware etc.
> Impact: Processing a malicious image file may result in memory corruption. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.
Maybe that's because of the boogeyman being feared and so people update enough to make such attacks not common enough to be worth it, so once we stop fearing it... but idk. So far it hasn't mattered to have devices with Bluetooth vulnerabilities at hacker conferences of all places
Realistically, your malware exposure risk has three parts:
- The apps you run get exploited and your outdated OS can't protect you
- An app you install exploits your OS
- Someone attacks a system component and exploits your OS
The first risk can be mitigated mostly by just updating your browser/email client/webview engine/etc, which Google supports long past an OS version's lifetime. Android apps typically get updated for five or six versions behind the latest one.
The second attack vector is always a risk (0days do exist), but probably won't harm you if you have a set of trusted apps. There's always the risk of a supply chain attack, but I haven't heard of that in practice outside of cracked apps or that shitty spamware you find on Google Play.
The third vector probably won't affect you either because most system components aren't directly exposed. iOS has a history of getting exploited through simple MMS messages but on Android those processes are harder to exploit (and can often be updated years later through Google Play if you use the Google ones).
There was a huge flaw in Google's Bluetooth stack which pretty much allowed RCE on any phone with Bluetooth enabled. If your phone hasn't been patched against that, you have to be careful about leaving Bluetooth on. Same goes for WiFi, but those bugs are harder to exploit.
There's a risk, but in practice millions to billions of people use outdated Android versions and malware strains abusing that fact aren't very common, especially not if you don't install weird third party apps from shady sources.
Part of the challenge of exploiting Android devices in practice is that there are endless combinations of firmware versions+device models+system app versions+kernels. iOS, on the other hand, generally has a handful of models, often running predictable software stacks because of Apple's decent track record when it comes to software updates.
Android exploitation does exist: various spyware companies use remote attack vectors, including WhatsApp or MMS like on iOS, to deploy targeted exploit chains to their victims. In practice, that's a risk to journalists, human rights activists, and other people The Government Doesn't Like Very Much (any government, really). Outdated phones are also easily dumped by law enforcement, so if you do anything that could be considered illegal, better not take your phone across international borders.
It can both be true that it’s good to get security updates for old devices, and that you might have no issues using an old phone personally. It doesn’t make it a boogeyman. Things can be two things.
Given that 5 years of support is now the minimum required for devices to be sold in the EU, Apple is now on the lower end of the range compared to companies like Google and Samsung.
Apple may have done better in the past, but these other manufacturers are making stronger legally binding claims than Apple.
Not surprised. I met with Samsung for work purposes to buy hundreds of phones, and the best they could do with their flagship phones was offer 3 years of security updates. This was around 2019. Apple, who didn't meet with us, was around 6 years from our estimate.
From an ROI perspective, for corporate phones, Apple iPhones had a longer lifespan, which is why we bought hundreds of iPhones, and not Androids.
On a personal note, I had the Nexus S, the Nexus 5, and they all died a horrible death either from lack of updates, or just having the physical button break, and the microphone stop working.
And let us not speak of the Sony Xperia Z5, which all of a sudden removed its fingerprint sensor due to a North American patent problem. They also broke their Bluetooth audio so that song names STOPPED being displayed. That was all in a span of less than 3 years.
Never again Sony Android phones.
At that point, I got fed up of custom ROMS and joined the "iPhone, it just works" group and moved on.
"it just works" is the biggest lie they sell. It works only insofar as you use what 95+% of people use. Step outside and not only is it a big gamble, you've also got no way to debug anything. It's a world of walls and limitations with no Windows in sight
You seem to have hit all the bad luck and concluded (fairly) that anything but Apple must be bad. I seem to have hit all the bad luck on the Apple side. The device I got from work ran out of updates after fewer years than I privately use my Android, and not before the touchscreen partially broke, various apps had software issues that didn't manifest on other (identical) phones, the battery went bad, and certain OS features like hotspot didn't work half the time you tried to turn them on. I've simply never had these issues on Android, and if e.g. an app doesn't work, I can just wipe its data. On iOS there's no such button; it's not something you should need because in 95+% of cases "it just works" and so they don't let you. It's not your device.
Currently I'm trying to help an Apple user whose email client broke, both on iOS and macOS, with unexplainable "could not connect" behavior that no other user is seeing (Windows, Android, and Linux all represented). It differs whether they use mobile data or WiFi, but in different ways on different OSes and email clients. Sometimes IMAP works partially (connecting, fetching mail, but not loading folders). I'll probably have to travel 90 minutes each way to see what I can debug on their device. They're tech savvy and we're both perplexed by the different behaviors but there isn't much you can see on iOS so we had given up on mobile email. Now that it's happening on macOS as well suddenly, maybe we can figure something out
It's just not a vendor I'd want to work with myself because there keep being major issues with very limited ways of fixing them. I'm sure most of the functions "just work", just like most Android phones "just work" and you hit a bad apple with that Sony device. At least on Sony you can install a different OS if the issues are major enough that people put in the effort of making one
Might as well say it since nobody else commented about it, but modem/SoC vendors are a huge limiting factor on long-term Android support. Qualcomm maintains these updates for only a few years; basically nothing earlier than around 2020-2021 gets kernel driver or modem updates.
Of course it's still up to the phone manufacturer to integrate these changes, but it puts an effective security support timeline on even 3rd party ROMs like LineageOS. They can cherry-pick, but it's not as secure once that support ends.
Apple has almost everything in-house (except until recently, modems). So they have a ton of flexibility in continuing to provide updates.
My problem with this argument is many of these types of CVEs have nothing to do with baseband firmware or drivers or anything else controlled by Broadcom. Google could still patch security issues in the parts of the system most exposed to attackers, namely the libraries and apps in the OS itself.
I’d be more afraid of a zero day image parsing bug in messages, where I could be exploited with a drive-by spam text or hyperlinked image, than some theoretical baseband attack by someone in a privileged cell network system.
That's part of the reason why Google is pulling more and more stuff out of AOSP and into Google Play.
They started with the WebViews that vendors refused to update leading to all kinds of exploitation. These days, system components like the bytecode runtime and the Bluetooth stack can be updated by Google, unless the manufacturer actively prevents Google from doing that.
Firmware remains an issue, and IOMMU protections aren't all that great on every single device, but more and more Android internals get maintained by Google these days.
As for messages, there is always a risk in the pipeline between modem and the system service, but the Messages app is just another app you can update through Google Play or whatever store you prefer. Same with the dialer app and plenty of other apps. The super-integrated components that make for preferred exploitation targets on iOS aren't set up the same way on Android (not that Android doesn't have other attack vectors, of course).
The problem is that baseband or whatever drivers are made in kernel trees that are essentially forks of the kernel at a certain point in time.
This means that any fix needs to be backported to that special tree, irrespective of whether the Broadcom code is impacted, which may prove challenging when you end up having not just one but many trees, each at slightly different levels of outdatedness.
The approach clearly does not scale.
The solution would be for Broadcom to be diligent and forward port their tree to current mainline or current LTS at a minimum but they won't do that.
See how the RPi kernel is generally stuck at a special old version (e.g. 6.6 for the Pi 4, which is quite reasonably an LTS, but then there's 6.12 as LTS already).
That’s great for you. But it doesn’t make a difference to the other 99.999999% of users who only install whatever is available from automatic system updates.
It’s the equivalent of saying in response to a political issue that affects all of society - doesn’t really affect me because I flew to my private island. We’re happy for you, but how does that advance the conversation?
Which is insane if you think about it. 20 year old NICs are still supported by the kernel. Hardware drivers should be GPLd, no ifs and no buts. As if having closed source drivers gave OEMs a competitive advantage, it's basically all for planned obsolescence
I believe the hardware drivers usually are GPL, the problem is that they are... at best, they are downstream patches that require ongoing work to port to newer kernel versions (since Linux doesn't do stable ABIs or APIs for drivers).
Apple depends on Qualcomm just like everyone else (except for the new iPhone Air)... so this really doesn't seem like a valid excuse for Android manufacturers.
They don't though (also the 16e has an in-house Apple modem; I have no idea what the fate of the Intel modems was). The majority of other vendors' designs get full Qualcomm SoCs with DSP, modem, and security processor firmwares.
Apple literally has the scale to go to Qualcomm and buy slightly customized variants (the X71, for instance). And those modems are integrated with their custom Apple designed chips. I don't see any other vendor able to do that.
People who might be targeted by nation state actors should really be running a phone that’s on the latest OS. It wouldn’t cost that much to not use a 9 year old phone. If you’re remotely afraid of your government, you can afford a phone released within the last 5 years. It’s worth it!
I've always wondered, if you can't hack your main target's phone, but their kid has an old iPhone you can hack and maybe bug (let's just say you can for the argument's sake), you sure as hell do it right?
Scary thought but I think it's reasonable to be concerned that not just a given sensitive target is directly at risk, but those around them as well.
I wouldn't expect a Kazakh artist/activist to have the money for the latest and greatest iPhone. Nor would I expect an activist against an industrial plant on the US side of the Mexican border to need to worry about nation-state level malware.
And frankly, my PC has been used safely since much longer than iOS has been supported, and I don't know why I shouldn't expect my phone to last that long. The rate at which phones got performance improvements has stagnated into gimmick-level power increases (like "AI accelerators") a long time ago.
I think they are doing this to protect millions of people from mass attacks once the nation-state attack gets RE’d in the next few hours/days and deployed by non-governments, much more likely.
> Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.
Even if there was no mention of this or the implication that it’s linked to the notifications Apple sends for targeted attacks, is it fair to say this kind of backdated security patch implies a lot about the severity of the vulnerability? What’s Apple’s default time frame for security support?
Yes, this means it was exploited in a spyware campaign in the wild.
The full exploit chain seems to target WhatsApp directly using a second bug in WhatsApp; although this vulnerability is definitely present anywhere this kind of image is processed using Apple’s native image support, it would usually be aggressively sandboxed (in iMessage by BlastDoor and in Safari by the web content sandbox), so you’d need a lot more vulnerabilities than those that are currently disclosed to make it useful in those places. A bug in WhatsApp itself is particularly bad in terms of spyware actors, since it leaves one of their most popular targets, WhatsApp, vulnerable without a significantly more complex kernel escalation and sandbox bypass.
One key thing I noticed is this is before iPadOS was a thing, so this patch targets iPads too... Which makes me wonder... this is speculation, no proof, but I wonder if someone is exploiting Point of Sale devices that are powered by old iPads somehow, which is out of the control of a lot of end-users who are at the mercy of the POS vendors who are probably charging an insane premium on them.
I worked at a restaurant chain and I remember it being a whole thing to even consider reworking the POS tables + software due to rising costs.
I work for a POS company that uses iPads (among other clients) and I’ve not heard of anything like that. I assume it’s people of interest (journalists, or politicians).
Also my company, as well as at least 1 other I know of that uses iPads, don’t sell the iPads to the stores, they replace or buy their iPads directly from Apple. Smaller places handle it all themselves, larger might use MDM but they are buying them at-cost.
I’m not saying everyone does that, just that I’m not aware of it.
> What’s Apple’s default time frame for security support?
This isn't thaaaaat far out of support. Their last security update for iOS 15 was just earlier this year, and they only dropped iPhone 6s from new major versions with iOS 16 a few years ago. As someone who has kept my last few iPhones for 5+ years each, I definitely appreciate that they keep a much longer support window than most folks on the Android side of things.
Before I got my first iPhone five years ago, I always noticed that iPhone owners would drag it along for a long time, but really the phones are tanks. I remember switching Android phones every two years, because they quite literally started to decay. I think my last Android Phone I could have probably made last longer than two years, I still turn it on and play random games on it, and its still very responsive.
I assume they know just how long their customers keep their phones and maintain them accordingly.
This... is the opposite of my experience. Friends with iPhones seem to upgrade them unreasonably often, but my (Samsung) Android phones last a loooong time. My first Samsung I retired somewhat involuntarily after 3 years so that I could get a model that would also work overseas, but the phone itself was still fine. My second Samsung (the one I got in 2016 for the overseas trip) I just retired last fall, 2024, and even then only because a job required MS Authenticator and it wouldn't let me download it to the phone. Battery life was still fine, everything I used worked fine.
I fully expect to be using my current Android phone into the 2030s.
Well your experience is maybe more based on your friend behavior than on an absolute rule.
This is the same for absolutely every manufactured good. The same durable car model will be kept for over a decade by some people while others opt for a leasing plan that guarantees a new car every two years. But the intrinsic quality of the car remains unaffected.
To ponder this you must consider what becomes of the phones they replace: did they trash them or did they have a second life with a less edgy owner?
I'm migrating from my 5 year old flagship (lol) only because the vendor decided to stop supporting it. Battery still good for a day, great screen, good enough camera, fantastic sound, SD card slot...
My next has at least 7 years of mainline support (with all AOSP releases) plus at least a couple of years of damage control updates.
No specific timeframe is defined, but they tend to release things that matter really far back — like, the Apple CA certificate expiration update went out a few years ago to basically the entire deployed Square terminal iPad userbase, etc. I expect it’s driven by telemetry and threat model both. Presumably the cutoff is wherever the telemetry ceases!
Headline is slightly misleading. It implies that the update is only available on the 6s, when in reality it's available for:
> iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
That's a lot of devices, more so than "10-year old iPhone 6s" implies.
I won't be upgrading my iPhone 7 and 4th gen iPad mini, because I don't want to take the chance that the update needs an update to Dopamine to be jailbroken. Fortunately they're secondary devices for me.
Apple does support their phones for some time. But note that 10 years is only if you bought the iPhone 6s when it was new and at its most expensive. The iPhone 7 (Plus) wasn't discontinued until 2019 and is on the same iOS version. So it got something like 3 years of OS upgrades (impacting app support) and 6 years of security upgrades in the worst scenario.
That's the fair way to look at it though. You don't expect to get three months' less warranty when you buy a model three months after release. It's also how the EU software upgrade requirements work: 5 years (or more) after they discontinue the model and stop producing it
It’s not clear to me if this can result in a RCE. If it does, then does this mean that enough iPhone 6s are still out in the wild where a bad actor could easily take over a big enough portion to do more nefarious things?
It seems to me that this exploit was used in a chain with a WhatsApp issue that would trigger the malicious DNG data to be loaded as a zero click, presumably just into WhatsApp. It’s unclear to me if there was a sandbox escape or kernel vulnerability used along with this; it might have been used to exfiltrate WhatsApp messages only.
This would explain why there’s only a single patch for a simple memory corruption issue; usually an attacker would need a lot of chained vulnerabilities to bypass mitigations on iOS, but if the vulnerability is in the exact target application to begin with, it sure does make things easier.
This doesn't really mean much on account of the iOS ecosystem only supporting the latest two OS versions in their apps as a general rule. Once you are behind 2 versions, your device becomes quite useless at that point
Quite useless?! I still use my iPhone SE (1 gen) from 8 years ago. It’s working perfectly fine for my daily business. Sure, some newer apps I cannot install, but so far I’m not missing anything important. Banking apps work, navigations works, obviously the browser still works, etc
I have the same phone but to be fair some websites stopped working (GitHub is among them) and some of my banking apps stopped getting updates as well.
No huge deal breakers _personally_ as I don’t need banking on my phone anyway (I have an iPad at home, and also checked that the banks offer authentication devices like TAN generators if I really need to get out of the iOS/Android ecosystem).
Apple Pay still works fine.
I hope that small phone has a long life ahead of it still :)
Kudos to Apple but are they going to update iPhone 8 firmware too? Think it’s been over a year since the final release. (Surely security vulnerabilities have been discovered since then!!)
I wish they would do the same for iOS 17, instead of forcing users to upgrade to iOS 18. A bunch of superfluous works and many of them even erroneous. Alarm clock for example: if you didn't allow it to snooze, pressing on the power button will snooze it, but without the possibility to turn it off easily. Why on earth would somebody rewrite the alarm clock?!
Honestly this is incredible, though I'm not sure how the Android space is catching up? Apparently Google and Samsung have been promising 5/6 years of software updates recently as well.
The EU now requires that smartphones and tablets receive a minimum of 5 years of security updates - starting from the end of sale.
A product information sheet must be published for each new device, and one of the categories included is how long the device will receive security updates:
I'm no Apple fanboi--quite the opposite. But I take note of this act and tip my hat, considering how Android OEMs have been pumping out abandonware.
My pile of old android phones ... they sadly do not live long overall as far as a % of survivors goes. A few have lived long lives for sure, but overall not as many as my old iPhones.
It was disclosed upfront in Apple land, in that I knowingly know this to be true and do not expect it as a feature, but it is a surprise new condition with no notice in Android land that makes it such a worrisome action.
Ever since the Pixel 2, the Android phones put out by Google have been long lasting. I have a Pixel 2 XL that still works just fine and it's now 8 years old. Doesn't get OS updates but it works.
I used to do this back when I was on Android and official updates only lasted 1-2 years. Now I’m on an iPhone I get official OS updates for such a long time I don’t need to worry about flashing custom ROMs.
Can't say my experience matches yours, either. I too have a box of unsupported mobile devices; the stuff I can do on an Android device clears every iOS one. I can't install apps on iOS without a desktop and a specific unsupported iTunes client. I can only use a subset of iOS functions.
My Android phones still do everything they say on the tin. Regardless, you've worded your entire argument to be orthogonal to my original point so it's clear you're not arguing in good faith. Nothing you ever said was related to the principles I mentioned, just what you consider to be personally valuable. Which is fine, but akin to responding to a health food nut by saying how great burgers taste.
I am out of date on the latest from the jailbreak scene, but checkra1n supports the device up to iOS 14. If you updated to iOS 15, there may not be a full jailbreak, but not all is lost.
The latest release of Xcode, Xcode 26, still allows you to build apps for iOS 15. At some point you will have the secondary problem of needing an older Xcode which only runs on an older macOS, though Apple has been doing the minimum to make it possible to acquire both of these.
With a free Apple Developer account, you can sign and side load your apps, but they expire every 7 days, and you wouldn't be able to add any restricted entitlements. But the TrollStore exploit (https://github.com/opa334/TrollStore), which I cannot vouch for, seems to work around these limits.
So: It seems like if you are the kind of person who keeps disposable vapes to reprogram the microcontrollers, the iPhone 6S should actually be an attractive device worth keeping:
- Runs an operating system released in September 2021 and received regular bug fixes and security updates through July 2024. Still receives occasional security updates as of September 2025. Not completely end-of-life.
- Supported by the latest developer tools, probably through June 2026, with older downloads available (https://xcodereleases.com/).
- Known jailbreaks and exploits to maximize utility.
It's not surprising that the trade-in value for a 10-year-old device is nil, but on the secondary market they fetch about $60 (https://swappa.com/prices/apple-iphone-6s) which is not bad if you consider the device capabilities compared to most hobbyist devkits.
I think if we're comparing the ease of repurposing an EOL phone, it is much better to just check the postmarketOS wiki for supported devices and pick one of those instead. They have great instructions for reflashing/jailbreaking the bootloaders etc.
And yes, you get a full blown Linux with it. So you can, like me, repurpose your smartphones into pretty much everything. I have removed their batteries and have them solar powered as Freifunk routers and even offline-ready kiwix media servers among other things.
And if drivers followed the Safe Driving Protocol (SDP), we wouldn't need airbags. Real life happens regardless of the imaginary frameworks infosec people dream up.
Bunch of negativity on Apple UI recently, but you gotta give Apple credit for supporting really old phones. Google Pixel, forget about it lol
Pixels 8 and later get 7 years. Not as good as Apple but reasonable.
Pixels 6-7 got 5 years. I'd say that's on the low end of okay.
For "lol" you have to go back to 2021 or earlier. Or look at some of Motorola's offerings.
I left Android at the Nexus 5 after years of buying every Nexus phone. The deal breaker: Despite staying on official ROMs, Google broke audio in video recording such that all my vacation videos with a special friend ended up with garbled audio. My mistake for trusting Google updates right before my trip. You'd think for their reference phone they would test a primary feature like video recording for regressions? Apparently not.
My friend at the time had an iPhone 5, I noticed her phone worked without issue while my Nexus 5 was constantly draining its battery.
I finally bought an Apple device and 11 years later never looked back. Finally said goodbye to Windows & Linux as well. I presume this is how many Apple conversions happen.
Back when Pixel came out I used to argue with a friend because it supposedly had a better camera: I'd always point out that the Pixel phone has its own Wikipedia article describing all its issues: https://en.wikipedia.org/wiki/Pixel_(1st_generation)#Issues
It's been like 12 years since the G1? They are still playing games to this day. Give it a rest already.
I remember when Google broke 911 calling, and decided it was ok to wait for the next maintenance patch to fix it. People could have died, but Google just couldn't hurry up and release an emergency patch.
Apparently it still isn't fixed
https://www.androidauthority.com/google-pixel-10-911-calling...
911 calling issues have been a persistent problem for Pixel devices.
How is that even legal.
While quite frightening, how could you even test this? You can't just make test calls to 911, can you?
(I'm actually somewhat interested in the answer... I have a use-case, and the seeming inability to test is a bit worrying)
You can schedule a 911 test call. "Test calls can be scheduled by contacting your local 911 call center via its non-emergency phone number." [0] More info here:[1]
[0] https://www.911.gov/calling-911/frequently-asked-questions/ [1] https://www.nasna911.org/home
Phone makers (and even their supply chain partners) operate their own in-building cell networks with carrier-type hardware, and extensive debugging and observability, including simulation of multiple towers and location.
It wouldn’t get you 100% E2E for 911 testing, but it does let you develop and test the stack extensively before taking it to the real world and scheduled testing coordinated with 911 call centers.
Haven't tried it myself, but this official-seeming website suggests that you can schedule a test call ahead of time with your local 911 call center.
https://www.911.gov/calling-911/frequently-asked-questions/#...
I'm pretty sure Google can buy a femtocell to simulate local mobile network of their own.
I went back and forth over years right up until google was caught tracking people even with the feature disabled.
It’s honestly kind of sad. Google could still print money without the endless spying but they just can’t help themselves
> It’s honestly kind of sad. Google could still print money without the endless spying…
They literally couldn’t.
Exactly, that IS Google’s business model.
Google was raking in money before the massive surveillance infrastructure. They did it by selling context-based ads.
I used to be on android, but after the Samsung Galaxy S3 started fucking with my settings in updates I went to Apple and have been on iPhones ever since. Specifically what sticks in my memory the most was an update that reset the shortcuts on the bottom menu bar to default and locked it so it was no longer possible to customize it. At the time I used none of those default apps.
Actually, similar reason that I ended up abandoning Windows for Linux on my home desktop (I had been using Linux on work computers for years at that point). Windows 10 kept changing my settings back to default after every major update and it was infuriating. I would have gone for a mac if there were better support for games.
> The deal breaker: Despite staying on official ROMs, Google broke audio in video recording such that all my vacation videos with a special friend ended up with garbled audio.
For me it was also the Nexus 5.
It just lost many of my photos, of our firstborn child.
Unrecoverable. Gone. And so was I from the Android-platform.
It’s not unreasonable to blame google for this reliability issue, but this is also a little bit on the user who didn’t appropriately back up their important data to a different device/service/building/account.
They could use Google Photos to store them off the phone, but…
https://www.reddit.com/r/googlephotos/comments/xsn9ij/people...
The camera clicked, but they were never saved. Hard to back that up, really.
sounds like someone left
in the controller...
Yeah everyone seems to have horror stories that pushed them to Apple, and of course there are some more minor horror stories from Apple too but they just don’t reach the same height for most users
Remember when the CEO of Google testified before Congress that if they were allowed to purchase DoubleClick and enter the advertising market that they wouldn't link your use of Google services with your advertising profile?
I'll believe Google's promises after they keep them, not before.
We really should be requiring these types of things to be bonded, i.e., if Google says that, they have to bond all company owned stock and all executive stock options and compensations against it.
Same for politicians; they make a claim, they have to sign a bond against all their assets that they’ll do it after the election.
Like a cease and desist letter, but inverted. Persist and insist, perhaps?
> Pixels 8 and later get 7 years. Not as good as Apple but reasonable.
I had 3 pixels over the years. all 3 died after 1-2 years tops. And repairability is zero. absolutely would not recommend if you're a digital nomad. meanwhile my iphone 14 is still going strong. Battery life has gone down but still acceptable.
All of those phones should have been within warranty and swiftly replaced.
yes, hence the part about "would not recommend if you're a digital nomad."
you need to be in the united states to get service
> Pixels 8 and later get 7 years.
looks like Pixel 8 was released October 2023, so not even 2 years ago. not sure I'd put much stock in what Google says about support after <30% of the stated time.
> Pixels 6-7 got 5 years.
looks like Pixel 6 was released October 2021, so not even 4 years ago.
"got" as in announced to be given. Not as in the 5 years of support is already done.
It's legally binding.
Yes, and Pixel 6 is still supported for at least another year. I'm not sure what your point is.
their point is that it has not yet taken place, so shouldn't be talked about using past tense
From first sale, right? The interesting date to me is years of support from last sale—when a company would still sell you a device as new.
So, up until 3-4 years ago (around the time of iPhone 13), you couldn't buy a Pixel phone with more than 3 years of security updates? Lol indeed.
> Pixels 8 and later get 7 years. Not as good as Apple but reasonable
7 to 10 years is a 50% increase. Diminishing marginal returns dents that. But it still represents huge quantities of metal and resources.
> Pixels 8 and later get 7 years. Not as good as Apple but reasonable.
Pixel 8 gets 7 years of OS updates, not security updates. That's actually more than the 5-6 years that Apple commits to.
I'm reading this now on a Pixel 2XL. It runs reasonably well, though I've currently got a few too many apps running in the background crapping it up. It's asinine that Google dropped support for this model so quickly, and I really have no faith in them at all anymore. 7 years is what it should have always been.
Early Pixel models come with the unlimited Google Photos feature etc. I think maintaining them is more of a lost revenue to Google than a patching cost. If custom OS devs can do it on donations, so can Google. Probably a reason for Google to obsolete them and a reason for us to keep them alive and running as long as possible.
I still see a few custom ROMs spoofing as early Pixel models to enable unlimited Google Photos.
Pixel 4a… announced Aug 2020… EOL’d Jan 2022… updates stopped Aug / Nov 2023
Android is abandonware IMV
The phones and the policies haven't been out long enough to see if Google actually releases updates at five years. The Pixel 6 will drop out of support in a year, so we'll see!
They're legally required to in the EU.
I have a functional Pixel 3XL that when flashed with one of the few modern Android ROMs available for it feels pretty fine to use for the most part… better than a lot of brand new low end Android devices, if I’m being honest. Too bad it’s not supported any more.
It's still supported by lineageos. It's just the installer doesn't do major version bumps, you have to manually reflash to higher versions.
If Graphene can do it, why can't they?
They can, they just don't want to add more engineering hours to that I imagine
FWIW in my experience upgrading Android versions works, mostly, as long as you remember to uninstall the old Google Play services and then install the new ones.
However, without a tested migration path, it may break your phone and make you factory reset + reflash the ROM if it doesn't work out, and there's nobody you can turn to or blame when that goes wrong. There's no official support, but that doesn't mean it'll never work.
Testing migration paths is a massive pain, especially when you're upgrading a whole bunch of parts all at once, and volunteers have more fun and frankly more important things to work on.
My Pixel XL here works great for scrolling at night. I'm skeptical of the "no more system updates" boogeyman; I'd love some case studies or anecdotes about the real-world threats that using an old devices exposes me to.
> I'd love some case studies or anecdotes about the real-world threats that using an old devices exposes me to.
The Apple patch in the OP is in regards to a zero-interaction exploit that compromised the device to install spyware etc.
> Impact: Processing a malicious image file may result in memory corruption. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.
> specific targeted individuals.
Isnt this exactly the point? Most people who aren't the target of state intelligence agencies have little to worry about from using an older phone.
Those exploits trickle down to less sophisticated actors as they become known.
That's the idea, but I'm not seeing it
Maybe that's because of the boogeyman being feared and so people update enough to make such attacks not common enough to be worth it, so once we stop fearing it... but idk. So far it hasn't mattered to have devices with Bluetooth vulnerabilities at hacker conferences of all places
Realistically, your malware exposure risk has three parts:
- The apps you run get exploited and your outdated OS can't protect you
- An app you install exploits your OS
- Someone attacks a system component and exploits your OS
The first risk can be mitigated mostly by just updating your browser/email client/webview engine/etc, which Google supports long past an OS version's lifetime. Android apps typically get updated for five or six versions behind the latest one.
The second attack vector is always a risk (0days do exist), but probably won't harm you if you have a set of trusted apps. There's always the risk of a supply chain attack, but I haven't heard of that in practice outside of cracked apps or that shitty spamware you find on Google Play.
The third vector probably won't affect you either because most system components aren't directly exposed. iOS has a history of getting exploited through simple MMS messages but on Android those processes are harder to exploit (and can often be updated years later through Google Play if you use the Google ones).
There was a huge flaw in Google's Bluetooth stack which pretty much allowed RCE on any phone with Bluetooth enabled. If your phone hasn't been patched against that, you have to be careful about leaving Bluetooth on. Same goes for WiFi, but those bugs are harder to exploit.
There's a risk, but in practice millions to billions of people use outdated Android versions and malware strains abusing that fact aren't very common, especially not if you don't install weird third party apps from shady sources.
Part of the challenge of exploiting Android devices in practice is that there are endless combinations of firmware versions+device models+system app versions+kernels. iOS, on the other hand, generally has a handful of models, often running predictable software stacks because of Apple's decent track record when it comes to software updates.
Android exploitation does exist: various spyware companies use remote attack vectors, including WhatsApp or MMS like on iOS, to deploy targeted exploit chains to their victims. In practice, that's a risk to journalists, human rights activists, and other people The Government Doesn't Like Very Much (any government, really). Outdated phones are also easily dumped by law enforcement, so if you do anything that could be considered illegal, better not take your phone across international borders.
It can both be true that it’s good to get security updates for old devices, and that you might have no issues using an old phone personally. It doesn’t make it a boogeyman. Things can be two things.
I just had my iphone 12 mini battery replaced. This thing performs as well as the day I bought it. It will be a sad day when I have to "upgrade".
Given that 5 years of support is now the minimum required for devices to be sold in the EU, Apple is now on the lower end of the range compared to companies like Google and Samsung.
Apple may have done better in the past, but these other manufacturers are making stronger legally binding claims than Apple.
Let me play devil's advocate for a second, because I feel it’s more nuanced.
Pros:
- [for users] 15.8.5 patches one high-profile bug.
- [for Apple] minimal effort which translates to longer perceived support time
Cons:
- It leaves unpatched multiple bugs fixed in iOS 16-26, and so it might give users false sense of security
I'm on the fence here, especially without real numbers
Not surprised. I met with Samsung for work purposes to buy hundreds of phones, and the best they could do with their flagship phones was offer 3 years of security updates. This was around 2019. Apple, who didn't meet with us, was around 6 years from our estimate.
From a ROI, for corporate phones, Apple iPhones had a longer lifespan, which is why we bought hundreds of iPhones, and not Androids.
On a personal note, I had the Nexus S, the Nexus 5, and they all died a horrible death either from lack of updates, or just having the physical button break, and the microphone stop working.
And let us not speak of the Sony Xperia Z5, which all of a sudden removed its fingerprint sensor due to a North American patent problem. They also broke their Bluetooth audio so that song names STOPPED being displayed. That was all in a span of less than 3 years.
Never again Sony Android phones.
At that point, I got fed up of custom ROMS and joined the "iPhone, it just works" group and moved on.
Fwiw Samsung is now 7 years OS/Security on flagships and 6 years OS/Security on the entry/mid-level Galaxy A Series.
Yes, but it took them a long time to get there.
"it just works" is the biggest lie they sell. It works only insofar as you use what 95+% of people use. Step outside and not only is it a big gamble, you've also got no way to debug anything. It's a world of walls and limitations with no Windows in sight
You seem to have hit all the bad luck and concluded (fairly) that anything but Apple must be bad. I seem to have hit all the bad luck on the Apple side. The device I got from work ran out of updates after fewer years than I privately use my Android, and not before the touchscreen partially broke, various apps had software issues that didn't manifest on other (identical) phones, the battery went bad, and certain OS features like hotspot didn't work half the time you tried to turn them on. I've simply never had these issues on Android, and if e.g. an app doesn't work, I can just wipe its data. On iOS there's no such button; it's not something you should need because in 95+% of cases "it just works" and so they don't let you. It's not your device
Currently I'm trying to help an Apple user whose email client broke, both on iOS and macOS, with unexplainable "could not connect" behavior that no other user is seeing (Windows, Android, and Linux all represented). It differs whether they use mobile data or WiFi, but in different ways on different OSes and email clients. Sometimes IMAP works partially (connecting, fetching mail, but not loading folders). I'll probably have to travel 90 minutes each way to see what I can debug on their device. They're tech savvy and we're both perplexed by the different behaviors but there isn't much you can see on iOS so we had given up on mobile email. Now that it's happening on macOS as well suddenly, maybe we can figure something out
It's just not a vendor I'd want to work with myself because there keep being major issues with very limited ways of fixing them. I'm sure most of the functions "just work", just like most Android phones "just work" and you hit a bad apple with that Sony device. At least on Sony you can install a different OS if the issues are major enough that people put in the effort of making one
Might as well say it since nobody else commented about it, but modem/SoC vendors are a huge limiting factor on long-term Android support. Qualcomm maintains these updates for only a few years; basically nothing earlier than around 2020-2021 gets kernel driver or modem updates.
Of course it's still up to the phone manufacturer to integrate these changes, but it puts an effective security support timeline on even 3rd-party ROMs like LineageOS. They can cherry-pick, but it's not as secure once that support ends.
Apple has almost everything in-house (except until recently, modems). So they have a ton of flexibility in continuing to provide updates.
My problem with this argument is many of these types of CVEs have nothing to do with baseband firmware or drivers or anything else controlled by Broadcom. Google could still patch security issues in the parts of the system most exposed to attackers, namely the libraries and apps in the OS itself.
I’d be more afraid of a zero day image parsing bug in messages, where I could be exploited with a drive-by spam text or hyperlinked image, than some theoretical baseband attack by someone in a privileged cell network system.
That's part of the reason why Google is pulling more and more stuff out of AOSP and into Google Play.
They started with the WebViews that vendors refused to update leading to all kinds of exploitation. These days, system components like the bytecode runtime and the Bluetooth stack can be updated by Google, unless the manufacturer actively prevents Google from doing that.
Firmware remains an issue, and IOMMU protections aren't all that great on every single device, but more and more Android internals get maintained by Google these days.
As for messages, there is always a risk in the pipeline between modem and the system service, but the Messages app is just another app you can update through Google Play or whatever store you prefer. Same with the dialer app and plenty of other apps. The super-integrated components that make for preferred exploitation targets on iOS aren't set up the same way on Android (not that Android doesn't have other attack vectors, of course).
The problem is that baseband or whatever drivers are made in kernel trees that are essentially forks of the kernel at a certain point in time.
This means that any fix needs to be backported to that special tree, irrespective of whether the Broadcom code is impacted, which may prove challenging when you end up having not just one but many trees, each at slightly different levels of outdatedness.
The approach clearly does not scale.
The solution would be for Broadcom to be diligent and forward port their tree to current mainline or current LTS at a minimum but they won't do that.
See how the RPi kernel is generally stuck at a special old version (e.g 6.6 for pi4, which is quite reasonably a LTS but then there's 6.12 as LTS already)
They do; many of the system apps and libraries are updated via the Google Play Store.
Sure, but like, this is a fundamental flaw with the Android model. It's valid to criticize Android for this.
The other fundamental flaw in the iphone market is that NOBODY can fix bugs in ios but apple, I have personally fixed bugs in my android builds.
That’s great for you. But it doesn’t make a difference to the other 99.999999% of users who only install whatever is available from automatic system updates.
It’s the equivalent of saying in response to a political issue that affects all of society - doesn’t really affect me because I flew to my private island. We’re happy for you, but how does that advance the conversation?
All it takes is for one person to fix a bug for it to potentially be a solution for others.
That option is not on the table for anyone using iOS.
Just because everyone doesn't do what I do, doesn't make it wrong.
I’m not saying you’re wrong. It’s just irrelevant. So what if you can patch the issue on your phone, how does that affect the rest of society?
It just sounds like you’re bragging about your technical chops, like a person with a private island would be flexing their wealth.
Not at all, anyone can do what I do, they just dont care most of the time.
I question your use of the word “fundamental“.
Same as OP's fundamental.
Which is insane if you think about it. 20 year old NICs are still supported by the kernel. Hardware drivers should be GPLd, no ifs and no buts. As if having closed source drivers gave OEMs a competitive advantage, it's basically all for planned obsolescence
I believe the hardware drivers usually are GPL, the problem is that they are... at best, they are downstream patches that require ongoing work to port to newer kernel versions (since Linux doesn't do stable ABIs or APIs for drivers).
Sounds like something Google could solve with contracts and money if they wanted to.
Apple depends on Qualcomm just like everyone else (except for the new iPhone Air)... so this really doesn't seem like a valid excuse for Android manufacturers.
They don't though (also the 16e has an in-house Apple modem; I have no idea what the fate of the Intel modems was). The majority of other vendors' designs get full Qualcomm SoCs with DSP, modem, and security processor firmwares.
Apple literally has the scale to go to Qualcomm and buy slightly customized variants (the X71, for instance). And those modems are integrated with their custom Apple designed chips. I don't see any other vendor able to do that.
If I pay a vendor for something in my product and the vendor's support period is limited, then as a consumer that should not be your problem.
Especially seeing that Microsoft has the same business model with Windows and PCs don’t have this problem.
It's interesting Apple is doing this specifically to protect old devices from seemingly nation state sponsored attacks:
> Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.
People who might be targeted by nation state actors should really be running a phone that’s on the latest OS. It wouldn’t cost that much to not use a 9 year old phone. If you’re remotely afraid of your government, you can afford a phone released within the last 5 years. It’s worth it!
> If you’re remotely afraid of your government, you can afford a phone released within the last 5 years.
Why in the world would you think that? Who do you think governments target, Bond villains?
Journalists mostly. Also prosecutors, judges, opposition party members.
And potentially friends, family, kids?
I've always wondered, if you can't hack your main target's phone, but their kid has an old iPhone you can hack and maybe bug (let's just say you can for the argument's sake), you sure as hell do it right?
Scary thought but I think it's reasonable to be concerned that not just a given sensitive target is directly at risk, but those around them as well.
These attacks are also applied against all manners of enemies of certain regimes, as well as law enforcement with hacking warrants.
There are plenty of people who get hacked by governments. A smattering of targets got leaked here: https://www.occrp.org/interactives/project-p/#/
I wouldn't expect a Kazakh artist/activist to have the money for the latest and greatest iPhone. Nor would I expect an activist against an industrial plant on the US side of the Mexican border to need to worry about nation-state level malware.
And frankly, my PC has been used safely since much longer than iOS has been supported, and I don't know why I shouldn't expect my phone to last that long. The rate at which phones got performance improvements has stagnated into gimmick-level power increases (like "AI accelerators") a long time ago.
I think they are doing this to protect millions of people from mass attacks once the nation-state attack gets RE’d in the next few hours/days and deployed by non-governments, much more likely.
> Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.
Even if there was no mention of this or the implication that it’s linked to the notifications Apple sends for targeted attacks, is it fair to say this kind of backdated security patch implies a lot about the severity of the vulnerability? What’s Apple’s default time frame for security support?
Yes, this means it was exploited in a spyware campaign in the wild.
The full exploit chain seems to target WhatsApp directly using a second bug in WhatsApp; although this vulnerability is definitely present anywhere this kind of image is processed using Apple’s native image support, it would usually be aggressively sandboxed (in iMessage by BlastDoor and in Safari by the web content sandbox), so you’d need a lot more vulnerabilities than those that are currently disclosed to make it useful in those places. A bug in WhatsApp itself is particularly bad in terms of spyware actors, since it leaves one of their most popular targets, WhatsApp, vulnerable without a significantly more complex kernel escalation and sandbox bypass.
https://www.whatsapp.com/security/advisories/2025/
One key thing I noticed is this is before iPadOS was a thing, so this patch targets iPads too... Which makes me wonder... this is speculation, no proof, but I wonder if someone is exploiting Point of Sale devices that are powered by old iPads somehow, which is out of the control of a lot of end-users who are at the mercy of the POS vendors who are probably charging an insane premium on them.
I worked at a restaurant chain and I remember it being a whole thing to even consider reworking the POS tables + software due to rising costs.
By the phrasing this is almost certainly a patch for targeted vulnerabilities to install Pegasus or similar.
I work for a POS company that uses iPads (along other clients) and I’ve not heard of anything like that. I assume it’s people of interest (journalists, or politicians).
Also my company, as well as at least 1 other I know of that uses iPads, don’t sell the iPads to the stores, they replace or buy their iPads directly from Apple. Smaller places handle it all themselves, larger might use MDM but they are buying them at-cost.
I’m not saying everyone does that, just that I’m not aware of it.
Makes sense, I dont recall the name of the vendor my employer was using at the time, only that it was insanely expensive at the time.
Only if you think some state intelligence agency is wasting million-dollar vulnerabilities on a bit of credit card skimming.
> What’s Apple’s default time frame for security support?
This isn't thaaaaat far out of support. Their last security update for iOS 15 was just earlier this year, and they only dropped iPhone 6s from new major versions with iOS 16 a few years ago. As someone who has kept my last few iPhones for 5+ years each, I definitely appreciate that they keep a much longer support window than most folks on the Android side of things.
Before I got my first iPhone five years ago, I always noticed that iPhone owners would drag it along for a long time, but really the phones are tanks. I remember switching Android phones every two years, because they quite literally started to decay. I think my last Android Phone I could have probably made last longer than two years, I still turn it on and play random games on it, and its still very responsive.
I assume they know just how long their customers keep their phones and maintain them accordingly.
This... is the opposite of my experience. Friends with iPhones seem to upgrade them unreasonably often, but my (Samsung) Android phones last a loooong time. My first Samsung I retired somewhat involuntarily after 3 years so that I could get a model that would also work overseas, but the phone itself was still fine. My second Samsung (the one I got in 2016 for the overseas trip) I just retired last fall, 2024, and even then only because a job required MS Authenticator and it wouldn't let me download it to the phone. Battery life was still fine, everything I used worked fine.
I fully expect to be using my current Android phone into the 2030s.
Well your experience is maybe more based on your friend behavior than on an absolute rule.
This is the same for absolutely every manufactured good. The same durable car model will be kept for over a decade by some people while others opt for a leasing plan that guarantees a new car every two years. But the intrinsic quality of the car remains unaffected.
To ponder this you must consider what became of the phones they replaced: did they trash them or did they have a second life with a less edgy owner?
Maybe you use low end phones or crappy vendors?
I'm migrating from my 5 year old flagship (lol) only because the vendor decided to stop supporting it. Battery still good for a day, great screen, good enough camera, fantastic sound, SD card slot...
My next has at least 7 years of mainline support (with all AOSP releases) plus at least couple of years damage control updates.
It's a matter of choice, I think.
The second hand resale market for iPhone is huge, especially in Asian 3rd world countries.
It is in Apple’s interest to keep old iPhones updated, as old iPhones being in active usage is better than them rotting in a drawer.
A relative of mine used their Galaxy Note II until the internal flash died and it stopped booting. It was definitely over 5 years old by that point.
> is it fair to say this kind of backdated security patch implies a lot about the severity of the vulnerability?
That is my assumption, that the result is a pretty severe impact and/or the victim has little to no way to prevent it (zero click situation).
Granted I can't speak for Apple, but I was thinking along the same lines you were.
No specific timeframe is defined, but they tend to release things that matter really far back — like, the Apple CA certificate expiration update went out a few years ago to basically the entire deployed Square terminal iPad userbase, etc. I expect it’s driven by telemetry and threat model both. Presumably the cutoff is wherever the telemetry ceases!
Almost certainly some kind of zero click/zero user action RCE exploit.
Edit: I should've read, "Impact: Processing a malicious image file may result in memory corruption."
So simply receiving an image via SMS or loading it in some other way likely accomplishes the initial exploit, so yeah, zero click exploit. Always bad.
I think their minimum standard is 5 years after they stop selling a product. However, it could go longer if things still work.
The 6S was discontinued in 2018, which would give it support until at least 2023, so we aren’t too far beyond that.
Headline is slightly misleading. It implies that the update is only available on the 6s, when in reality it's available for:
> iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
That's a lot of devices, more so than "10-year old iPhone 6s" implies.
I won't be upgrading my iPhone 7 and 4th gen iPad mini, because I don't want to take the chance that the update needs an update to Dopamine to be jailbroken. Fortunately they're secondary devices for me.
I think it’s just highlighting the oldest device that got the update, not a huge deal.
iPad Air 2 was released in October 2014 so the iPhone 6s is not even the oldest device in the article.
It was a huge enough deal that the title of this post got changed.
This reeks in all possible ways of nation state activity.
One single nation
Apple does support their phones for some time. But note that 10 years is only if you bought the iPhone 6s when it was new and at its most expensive. The iPhone 7 (Plus) wasn't discontinued until 2019 and is on the same iOS version. So it got something like 3 years of OS upgrades (impacting app support) and 6 years of security upgrades in the worst scenario.
Mate, if you go by when manufacturers stop selling devices, there’ll be Android devices with _negative_ support years.
And that’s 6 years _so far_.
That's the fair way to look at it though. You don't expect to get three months' less warranty when you buy a model three months after release. It's also how the EU software upgrade requirements work: 5 years (or more) after they discontinue the model and stop producing it.
It’s great that they made an update.
It’s not clear to me if this can result in an RCE. If it does, then does this mean that enough iPhone 6s are still out in the wild where a bad actor could easily take over a big enough portion to do more nefarious things?
"iOS 18.6.1 0-click RCE POC", 50 comments, https://news.ycombinator.com/item?id=45019671
And since nobody got to it in the other thread, https://www.whatsapp.com/security/advisories/2025/ .
It seems to me that this exploit was used in a chain with a WhatsApp issue that would trigger the malicious DNG data to be loaded as a zero click, presumably just into WhatsApp. It’s unclear to me if there was a sandbox escape or kernel vulnerability used along with this; it might have been used to exfiltrate WhatsApp messages only.
This would explain why there’s only a single patch for a simple memory corruption issue; usually an attacker would need a lot of chained vulnerabilities to bypass mitigations on iOS, but if the vulnerability is in the exact target application to begin with, it sure does make things easier.
> Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.
This specific vulnerability was already known and exploited - and patched by Apple - three weeks ago on devices that Apple deemed "current".
Kudos to Apple for those updates.
Although I'm not sure that people who are running an OS/device that ancient are the ones that are going to upgrade or even know what an upgrade is.
The phone will prompt them to update. It’s displayed as if you’re unlocking your phone, a dark pattern for the greater good.
I didn't know that. Good!
This doesn't really mean much on account of the iOS ecosystem only supporting the latest two OS versions in their apps as a general rule. Once you are behind 2 versions, your device becomes quite useless at that point.
Quite useless?! I still use my iPhone SE (1st gen) from 8 years ago. It’s working perfectly fine for my daily business. Sure, some newer apps I cannot install, but so far I’m not missing anything important. Banking apps work, navigation works, obviously the browser still works, etc.
I have the same phone but to be fair some websites stopped working (GitHub is among them) and some of my banking apps stopped getting updates as well.
No huge deal breakers _personally_ as I don’t need banking on my phone anyway (I have an iPad at home, and also checked that the banks offer authentication devices like TAN generators if I really need to get out of the iOS/Android ecosystem).
Apple Pay still works fine.
I hope that small phone has a long life ahead of it still :)
Kudos to Apple but are they going to update iPhone 8 firmware too? Think it’s been over a year since the final release. (Surely security vulnerabilities have been discovered since then!!)
It seems like this is the corresponding iPhone 8-era update: https://support.apple.com/en-us/125141
iOS 16.7.12 was released on September 15, 2025 (to fix this same bug) and runs on the iPhone 8.
I wish they would do the same for iOS 17, instead of forcing users to upgrade to iOS 18. A bunch of superfluous work, much of it even erroneous. Alarm clock for example: if you didn't allow it to snooze, pressing the power button will snooze it, but without the possibility to turn it off easily. Why on earth would somebody rewrite the alarm clock?!
Honestly this is incredible, though I'm not sure how the Android space is catching up? Apparently Google and Samsung have been promising 5/6 years of software updates recently as well.
The EU now requires that smartphones and tablets receive a minimum of 5 years of security updates - starting from the end of sale.
A product information sheet must be published for each new device, and one of the categories included is how long the device will receive security updates:
e.g. for iPhone 17 Pro:
https://regulatoryinfo.apple.com/cwt/api/ext/file?fileId=ene...
7 years of (supposed) support for newer Pixel phones
I'm no Apple fanboi--quite the opposite. But I take note of this act and tip my hat, considering how Android OEMs have been pumping out abandonware.
Well, good. The moment they stop, it's declared E-waste and Apple suggests you give it to them for free.
Fucked-up world we live in where a disposable vape can be reused for more purposes than an iPhone with expired software support.
I got plenty of old iPhones I can still use.
My pile of old android phones ... they sadly do not live long overall as far as a % of survivors goes. A few have lived long lives for sure, but overall not as many as my old iPhones.
Unfortunately I think it'll be much worse in the coming years with Google's ban on sideloading apps and other companies following them.
For whatever reason I don't sweat that condition in Apple land, but I do find it very worrisome to see Android land forego side-loading.
It was disclosed upfront in Apple land, in that I knowingly know this to be true and do not expect it as a feature, but it is a surprise new condition with no notice in Android land, which makes it such a worrisome action.
Ever since the Pixel 2, the Android phones put out by Google have been long lasting. I have a Pixel 2 XL that still works just fine and it's now 8 years old. Doesn't get OS updates but it works.
Choose phones supported by LineageOS where the bootloader can be unlocked, and you can easily outlast iOS.
I used to do this back when I was on Android and official updates only lasted 1-2 years. Now I’m on an iPhone I get official OS updates for such a long time I don’t need to worry about flashing custom ROMs.
I want root reliably.
Every version of Lineage offers rooted debugging, even without Magisk.
I know that root can be obtained in iOS, but Apple really prefers that users be restrained from this capability.
My experience just with the hardware doesn't match that. My android devices just tend to fail over time more often than iPhones.
Granted, there's PLENTY of other good reasons to make that choice even with that condition. So I don't disagree generally.
Can't say my experience matches yours, either. I too have a box of unsupported mobile devices; the stuff I can do on an Android device clears every iOS one. I can't install apps on iOS without a desktop and a specific unsupported iTunes client. I can only use a subset of iOS functions.
My Android phones still do everything they say on the tin. Regardless, you've worded your entire argument to be orthogonal to my original point so it's clear you're not arguing in good faith. Nothing you ever said was related to the principles I mentioned, just what you consider to be personally valuable. Which is fine, but akin to responding to a health food nut by saying how great burgers taste.
I am out of date on the latest from the jailbreak scene, but checkra1n supports the device up to iOS 14. If you updated to iOS 15, there may not be a full jailbreak, but not all is lost.
The latest release of Xcode, Xcode 26, still allows you to build apps for iOS 15. At some point you will have the secondary problem of needing an older Xcode which only runs on an older macOS, though Apple has been doing the minimum to make it possible to acquire both of these.
With a free Apple Developer account, you can sign and side load your apps, but they expire every 7 days, and you wouldn't be able to add any restricted entitlements. But the TrollStore exploit (https://github.com/opa334/TrollStore), which I cannot vouch for, seems to work around these limits.
So: It seems like if you are the kind of person who keeps disposable vapes to reprogram the microcontrollers, the iPhone 6S should actually be an attractive device worth keeping:
- Runs an operating system released in September 2021 and received regular bug fixes and security updates through July 2024. Still receives occasional security updates as of September 2025. Not completely end-of-life.
- Supported by the latest developer tools, probably through June 2026, with older downloads available (https://xcodereleases.com/).
- Known jailbreaks and exploits to maximize utility.
It's not surprising that the trade-in value for a 10-year-old device is nil, but on the secondary market they fetch about $60 (https://swappa.com/prices/apple-iphone-6s) which is not bad if you consider the device capabilities compared to most hobbyist devkits.
I think if we're comparing the easiness of repurposing an EOL phone, it is much better to just check the postmarketOS wiki for supported devices and pick one of those instead. They've got great instructions for reflashing/jailbreaking the bootloaders etc.
And yes, you get a full blown Linux with it. So you can, like me, repurpose your smartphones into pretty much everything. I have removed their batteries and have them solar powered as Freifunk routers and even offline-ready kiwix media servers among other things.
[1] https://wiki.postmarketos.org/wiki/Devices
If an old iPhone can be easily hacked like a disposable vape, of course you can repurpose it. But you can’t.
Well you need to protect the store. This sounds like something useful to root a device.
If Apple followed Security Development Lifecycle (SDL) well, the update should not be here.
And if drivers followed the Safe Driving Protocol (SDP), we wouldn't need airbags. Real life happens regardless of the imaginary frameworks infosec people dream up.