Apple gives iPhone users an insecurity complex
Summary: Nobody expects old technology to go on forever. But giving new iPhone users a year before abandoning them to the hackers is a low shot from a high-tech company.
If you own an iPhone 3G and use it with Wi-Fi, stop now. You're not safe, nor will you ever be.
There's a security hole that means you cannot make Wi-Fi secure, and you risk having your secrets tapped. Apple knows what it is, but will only fix it for later models. So, if you have a 3G and want to keep your personal data safe, you must buy a new phone.
Apple stopped supporting the iPhone 3G in January, with the release of the incompatible iOS 4.3. The iPhone 3G itself was discontinued in June 2010, so anyone who bought one then has had around a year of use. But, as patches are only being issued for iOS 4.3.x, an upgrade is the only sanctioned option.
For any company, this would be shoddy. For Apple, it's unforgivable.

Apple has chosen not to supply iPhone 3G owners with a fix to a known Wi-Fi security problem. Photo credit: Apple
There are, of course, limits to how far a company can be expected to support obsolete products. And support can mean many things. Adding new features is one level, and nobody should be surprised when an old design proves physically incapable of managing the latest software.
Admittedly, users love it when they get new things for free, but Apple understandably prefers that you buy the new hardware to go with it.
But fixing security problems that render something unsafe is not dependent on hardware, and not something that should be seen as subservient to revenue maximisation. This is doubly so when the security flaw is in a vital part of the software: mobile phones operate in a very hostile, varied environment where attacks are particularly easy to mount.
Moreover, since the problem has been fixed in more recent versions of the operating system, much of the hard work has been done. It's true that bug fixing isn't particularly cheap: once found, the bug has to be fixed and the fix tested intensively, with the result distributed to millions of users. This isn't trivial, but all the mechanisms are in place inside Apple. It, of all companies, can afford to extend security support for its user base.
That it doesn't, even with a year-old product, is very poor. Microsoft withdrew Windows XP from sale in October — it's a very mature product, with no more upgrades due. Even so, security updates are promised through to 2014. Microsoft would really, really like you to upgrade to Windows 7, but it won't leave XP users in the lurch for three more years.
Why won't Apple do the same? It would be nicer if it didn't just leave serious security holes open but had the decency to send, say, some self-destruct signal to the phones (perhaps via a battery hack). That way, its users would be safer than now. Or it could send a text message: "Your phone is insecure. Apple recommends you buy a new one". That would be honest, at least.
The only two reasons for Apple choosing to leave its users out to dry are miserliness — where the company chooses not to spend money it can easily afford — or greed, where it is happy for any mechanism that forces a hardware upgrade cycle.
Which is it to be, Steve?
Talkback
I spoke to a representative at Apple this morning who says you are liars.
They said "there have never been any security problems with iOS - it is phone software - and Apple has never patched or upgraded security on iOS"
What am I to believe?!
This is a very rare potential situation. It would be more accurate to say care should be taken when typing in passwords to high value accounts when on a public network using an iOS device without the latest software version.
And there is no reason that Apple could not offer a patch to iOS 4.2. The fact that 4.3 does not support the iPhone 3G does not mean Apple is no longer supporting the phone! It is simply that the 3G doesn't have the power to run 4.3.
It is both possible and plausible to set up an SSL man-in-the-middle attack, and I've seen it done. There is a reason SSL exists, and for a phone to offer it but have it broken is a serious security flaw. I doubt you'd find any security expert who'd differ. Apple considers it serious enough to patch for some of its users - why not all?
As for the 3G not being powerful enough to run 4.3, that's not the point. Apple could patch 4.2 (it does, after all, have the working code now) and issue the fix. The bug isn't dependent on the performance of the phone.
The fix IS entirely dependent on Apple committing the internal resources to maintain 4.2 for security patches: many other outfits, with far fewer resources than Apple, maintain security for older versions of their products. It's a pure business decision, and one that leaves users in the lurch for - as far as I can see - no reason other than to push the upgrade cycle.
Doesn't that mean exactly that?