
Sniffer Hijacks SSL Traffic From Unpatched IPhones

samzenpus posted more than 2 years ago | from the patch-your-phone dept.

Iphone 94

CWmike writes "Almost anyone can snoop the secure data traffic of unpatched iPhones and iPads using a recently-revised nine-year-old tool, a researcher said as he urged owners to apply Apple's latest iOS fix. If iOS devices aren't patched, attackers can easily intercept and decrypt secure traffic — the kind guarded by SSL, which is used by banks, e-tailers and other sites — at a public Wi-Fi hotspot, said Chet Wisniewski, a security researcher with Sophos. 'This is a nine-year-old bug that Moxie Marlinspike disclosed in 2002,' Wisniewski told Computerworld on Wednesday. On Monday, Marlinspike released an easier-to-use revision of his long-available 'sslsniff' traffic sniffing tool. 'My mother could actually use this,' he said."


94 comments

ruh roh! (-1, Flamebait)

pak9rabid (1011935) | more than 2 years ago | (#36909194)

Cue the Androids fanbois!

Re:ruh roh! (-1)

Anonymous Coward | more than 2 years ago | (#36909308)

Cue the APPoLogizErs!

Re:ruh roh! (0, Funny)

Anonymous Coward | more than 2 years ago | (#36909824)

Queue the anally retentive!

Re:ruh roh! (0, Redundant)

Arancaytar (966377) | more than 2 years ago | (#36909942)

Cue is the correct term in this context. Fail.

Re:ruh roh! (1)

Anonymous Coward | more than 2 years ago | (#36910156)

Right on schedule!

Re:ruh roh! (-1)

Anonymous Coward | more than 2 years ago | (#36909992)

Cue the APPoLogizErs!

Re:ruh roh! (0)

Anonymous Coward | more than 2 years ago | (#36910750)

You mean unlike the iTards, who are already here?

-- A pre-MS-fuckup Nokia user. (Always have been, never will be anymore.) (And I will neither use Android either. If I don't have full access to the hardware, and Java extensions for ALL built-in functionality [Which isn't the case with Android. I checked. You can't even write a fuckin' answering machine on that thing! {The ones that say they are, actually aren't. I checked that too.}], they can go fuck themselves.)

Re:ruh roh! (0)

Anonymous Coward | more than 2 years ago | (#36912834)

Let me guess, you went back to the good old cups and string method of communications.

How can they patch this? (1)

exentropy (1822632) | more than 2 years ago | (#36909196)

If an attacker can act as the gateway for a victim (man in the middle), he can use this attack. sslsniff works by intercepting requests between the server and the victim, and it removes all HTTPS tags/references/links. In effect, the victim doesn't know there was supposed to be an SSL connection. I don't see how they can patch this with the current technology..

Re:How can they patch this? (1)

aeiah (937509) | more than 2 years ago | (#36909336)

you're thinking of sslstrip, another program by moxie marlinspike. a lot of websites get around this by denying requests to http:// for login pages and beyond, but some surprisingly popular ones didn't when i played with it last year.

Re:How can they patch this? (1)

MichaelKristopeit424 (2018894) | more than 2 years ago | (#36909408)

just because the website denied the request doesn't mean the attacker couldn't already sniff the outbound request which would include the login credentials.

did you mean "some popular ones surprisingly didn't", or are you really surprised by their popularity?

Re:How can they patch this? (0)

Anonymous Coward | more than 2 years ago | (#36909656)

blocking HTTP URLs won't help, your attacker can do SSL connections perfectly well on their own

Re:How can they patch this? (0)

Anonymous Coward | more than 2 years ago | (#36909714)

Actually if you're already intercepting and modifying the HTTP request you can just turn it into an HTTPS request and send it on its way, and the server is none the wiser. sslstrip already does this IIRC. The only way to defend against it is making sure users actually check the connection type.

Re:How can they patch this? (1)

petermgreen (876956) | more than 2 years ago | (#36909740)

a lot of websites get around this by denying requests to http:// for login pages and beyond

There is nothing stopping a proxy using ssl to talk to the server while using an unencrypted connection to talk to the client.

Things get a little harder if the site has some pages ssl only and others available non-ssl only. In that case you would have to either mangle the hostname to differentiate or store a list of what protocol to use for what pages.

Re:How can they patch this? (1)

AJH16 (940784) | more than 2 years ago | (#36911780)

Not really, you simply have to assign each link an identifier so that when they click a link your proxy goes to the original link from your server or might even be more easily done by leaving the https on the links but returning http if the browser is not smart enough to notice the discrepancy.

Re:How can they patch this? (3, Informative)

spydir31 (312329) | more than 2 years ago | (#36909354)

No, you're thinking of SSLstrip [thoughtcrime.org] which methodically strips HTTPS references. This is a different attack [thoughtcrime.org], where the client accepts certificates signed by any certificate that has a valid chain.

Re:How can they patch this? (1)

rbrausse (1319883) | more than 2 years ago | (#36909378)

I thought the problem was a failure of ios to check the certificate chain? It is a mitm attack but one with a (for the attacked user) valid SSL connection. The patch fixes the incorrect certificate handling and will throw an exception.
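
An added example, not part of any comment above and not Apple's or sslsniff's code: a toy chain validator showing the check the two posts above describe as missing, namely that every certificate used to sign another one must itself be marked as a CA (the basicConstraints extension that Marlinspike's 2002 disclosure concerned). Certificates are modelled as small records and signatures as HMACs; all names, keys and the `validate_chain` helper are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Cert:
    subject: str
    issuer: str
    is_ca: Optional[bool]  # basicConstraints CA flag; None = extension absent
    key: bytes             # toy stand-in for the subject's key pair
    sig: bytes = b""

    def tbs(self) -> bytes:
        # The signed portion covers the CA flag, so it cannot be flipped later.
        return f"{self.subject}|{self.issuer}|{self.is_ca}".encode()


def sign(cert: Cert, issuer_key: bytes) -> Cert:
    """Toy signature: HMAC over the to-be-signed fields (assumption, not X.509)."""
    cert.sig = hmac.new(issuer_key, cert.tbs(), hashlib.sha256).digest()
    return cert


def sig_ok(cert: Cert, issuer_key: bytes) -> bool:
    expected = hmac.new(issuer_key, cert.tbs(), hashlib.sha256).digest()
    return hmac.compare_digest(cert.sig, expected)


def validate_chain(chain: List[Cert], roots: Dict[str, Cert], hostname: str,
                   check_basic_constraints: bool = True) -> Tuple[bool, str]:
    """Validate a chain given leaf first; roots maps subject name -> trusted root.

    With check_basic_constraints=False this behaves like the flawed client:
    names and signatures line up, so any certificate may act as an issuer.
    """
    if not chain:
        return False, "empty chain"
    if chain[0].subject != hostname:
        return False, "hostname mismatch"
    for i, cert in enumerate(chain):
        if i + 1 < len(chain):
            issuer = chain[i + 1]
        else:
            issuer = roots.get(cert.issuer)
            if issuer is None:
                return False, f"untrusted issuer {cert.issuer}"
        if cert.issuer != issuer.subject:
            return False, f"issuer name mismatch on {cert.subject}"
        if not sig_ok(cert, issuer.key):
            return False, f"bad signature on {cert.subject}"
        # The missing check: a signer must carry CA=TRUE; absent counts as not a CA.
        if check_basic_constraints and issuer.is_ca is not True:
            return False, f"{issuer.subject} signed {cert.subject} but is not a CA"
    return True, "ok"


# Constructed sample PKI (all names and keys are made up).
ROOT = sign(Cert("Example Root CA", "Example Root CA", True, b"root-key"), b"root-key")
ROOTS = {ROOT.subject: ROOT}
ISSUING_CA = sign(Cert("Example Issuing CA", "Example Root CA", True, b"ca-key"), ROOT.key)
SITE = sign(Cert("bank.example", "Example Issuing CA", False, b"bank-key"), ISSUING_CA.key)

# An ordinary end-entity certificate, legitimately issued for another site...
OTHER_LEAF = sign(Cert("other.example", "Example Issuing CA", False, b"other-key"),
                  ISSUING_CA.key)
# ...used as if it were a CA to sign a certificate for bank.example.
BOGUS = sign(Cert("bank.example", "other.example", False, b"bogus-key"), OTHER_LEAF.key)
BOGUS_CHAIN = [BOGUS, OTHER_LEAF, ISSUING_CA]

if __name__ == "__main__":
    print("genuine chain, strict:  ", validate_chain([SITE, ISSUING_CA], ROOTS, "bank.example"))
    print("bogus chain, flag unchecked:",
          validate_chain(BOGUS_CHAIN, ROOTS, "bank.example", check_basic_constraints=False))
    print("bogus chain, strict:    ", validate_chain(BOGUS_CHAIN, ROOTS, "bank.example"))
```

Every signature in the bogus chain is valid and the chain ends at a trusted root, which is why only the CA-flag check tells the two cases apart.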

never been used my ass (2)

aeiah (937509) | more than 2 years ago | (#36909252)

"It's probably been in [iOS] since day one," said Wisniewski, who speculated that even attackers hadn't known of the flaw. "Someone would likely have noticed if it had been used, because every Windows user would have been getting browser warnings [of an invalid certificate] on a public Wi-Fi network even as iPhone users were seeing no such warning."

Does he seriously think you can't filter out non iOS devices and just forward them to the proper site? even a user agent check would suffice

Re:never been used my ass (0)

Anonymous Coward | more than 2 years ago | (#36909284)

Does he seriously think you can't filter out non iOS devices and just forward them to the proper site? even a user agent check would suffice

SSL does not work that way

Re:never been used my ass (1)

petermgreen (876956) | more than 2 years ago | (#36909724)

You may not be able to do a user agent check on the SSL request but you can probably assume all requests from the same (local) IP came from the same device and most devices are likely to make unencrypted requests as well.

Re:never been used my ass (4, Informative)

nedlohs (1335013) | more than 2 years ago | (#36909344)

You can't check the User Agent without feeding them the fake SSL cert first, since it's in the encrypted data.

You could of course default pass along everything and only act as a man in the middle for https requests from a device that you've already intercepted an HTTP request from to determine it's of the right flavor. But that does make it ever so slightly more difficult.

Re:never been used my ass (0)

Anonymous Coward | more than 2 years ago | (#36909512)

have the https landing page[1] redirect to a http landing page[2], which redirects to a https landing page [3].
on [3] you know the user agent, and can serve a fake cert.

Re:never been used my ass (1)

petermgreen (876956) | more than 2 years ago | (#36909792)

To redirect the user off a https page you have to negotiate a ssl session with them and that means you have to present a cert. If the cert doesn't match they will get a warning before receiving the redirect.

but as the GP implies none of this really matters much because most users will go to a http page first anyway.

Re:never been used my ass (0)

Anonymous Coward | more than 2 years ago | (#36932844)

Except to do the first redirect you would have to send an HTTPS page which would give you away to a non iOS client.

Re:never been used my ass (2)

crow (16139) | more than 2 years ago | (#36910030)

Yes, but you can use the device's MAC address. It shouldn't be too difficult to determine the ranges used for iPhones.

Re:never been used my ass (1)

shutdown -p now (807394) | more than 2 years ago | (#36911550)

Can't you check for TTL~=128 on the packets to see if it's Windows or not? Then assume that anything that isn't Windows is iOS.

It won't help if there's an OS X or Linux desktop machine on the network, but how many people only have iPhone/iPad, and Windows on all their desktops? I'd wager it's a lot of potential targets.

Re:never been used my ass (1)

Anonymous Coward | more than 2 years ago | (#36909582)

Someone surely has all the iPhone 802.11 MAC prefixes. Attackers will simply attack only those hardware addresses.

3G Owners are SCREWED (5, Informative)

Anonymous Coward | more than 2 years ago | (#36909492)

3G owners can't upgrade past 4.2.1. Looks like they are SOL! Thanks Apple!

Re:3G Owners are SCREWED (1)

Anonymous Coward | more than 2 years ago | (#36909750)

Exactly. Apple should be ashamed that they don't provide security updates for the original iPhone and the iPhone 3G already. Original iPhone owners have been SOL for over a year now, almost 2 years actually. If Microsoft did this, they would probably be taken to court by the Department of Justice. I'd like to point out though, that other phone manufacturers have the same problem. Take the original droid, the G1. That thing is still running 1.6, right? You can't tell me that's a good thing. As phones evolve into mini-computers, this is going to be a much larger problem over time. Hackers will have a field day with these old security issues.

Re:3G Owners are SCREWED (1)

PhilHibbs (4537) | more than 2 years ago | (#36909900)

If Microsoft did this, they would probably be taken to court by the Department of Justice.

I have a 286 running Windows 3.1, can I take MS to court for not releasing security updates any more? That's an extreme example, all manufacturers have to end-of-line their older systems at some point, but I agree that it's a bit soon to do that for the iPhone 3G.

Re:3G Owners are SCREWED (1)

Bert64 (520050) | more than 2 years ago | (#36910078)

Simple, require manufacturers to release source code (and anything else required in order to build and run the source) once they are no longer willing to provide security updates. Someone else will pick up the slack and provide updates if enough people are still using the devices.

Re:3G Owners are SCREWED (1)

PhilHibbs (4537) | more than 2 years ago | (#36910836)

Not simple. The manufacturer may not own all the source code, or the libraries, or the "anything else" that the product uses.

Re:3G Owners are SCREWED (1)

Tomato42 (2416694) | more than 2 years ago | (#36913554)

Sucks to be them. No one forced them to use closed source libraries.

There should be a requirement for all governmental contracts to sell the application and service together with source code.

Re:3G Owners are SCREWED (1)

Anonymous Coward | more than 2 years ago | (#36910312)

Yes, if Microsoft was still selling Windows 3.1 a year ago and included network connectivity. Also, if people had to sign a 2 year contract with someone and weren't eligible for upgrade to a new device until the 2 years is up. Then yes, Microsoft should be held accountable.

Re:3G Owners are SCREWED (0)

Anonymous Coward | more than 2 years ago | (#36909754)

I'm guessing that all of those Android phones that never offer ANY security updates since they can't get updates from the vendor are ok though? We'll just tell grandma to root her phone instead, assuming the handset manufacturer even allows it.

Re:3G Owners are SCREWED (1)

Jeng (926980) | more than 2 years ago | (#36909912)

You know what is really great about Android?

It is distributed in so many different ways that you can talk all the shit you want about it since it is probably true about at least one handset.

Then again, it also means you are wrong about all the others.

Re:3G Owners are SCREWED (4, Insightful)

spinkham (56603) | more than 2 years ago | (#36910088)

iPod touch 2g also.

It was still being sold as the 8 gig version less than 3 months before the announced last software update.

The 3g 8gig was being sold around 6 months before the last announced software update.

I understand not getting feature updates, but why can't we get security updates for a device apple was still selling a year ago?

Re:3G Owners are SCREWED (0)

Anonymous Coward | more than 2 years ago | (#36910878)

Because fuck you, that's why.

-- Steve Jobs

Re:3G Owners are SCREWED (0)

Anonymous Coward | more than 2 years ago | (#36917494)

...right. 2g "MC" model owner here, too. The 8GB wasn't a 3G but a 2G and this wasn't made clear. But that aside, this is a serious security flaw, and should be treated similar (here we go!) to recalls on automobiles. A security flaw might cause damages, and where there's damages it's always a sport for the group of victims to find someone responsible. And when that someone has a big wallet...

Re:3G Owners are SCREWED (1)

Anonymous Coward | more than 2 years ago | (#36910288)

The 3G owners have been screwed since the moment they "upgraded" to iOS4. Damn things ran out of memory so fast they slowed to a crawl after just a short time using them.

Posting anonymously from an iPhone 4 because the Apple fanboys will no doubt descend like flies to defend whatever crap is decanted by The Turtlenecked One, and I'm not posting from the 3GS that iOS4 rendered useless, and couldn't revert back to 3.1.3 because of some other DRM crapple strategy.

Re:3G Owners are SCREWED (1)

stating_the_obvious (1340413) | more than 2 years ago | (#36911074)

first, downgrading from 4.0 to 3.1.3 on an iphone is (or maybe only was) possible. LMGTFY: http://www.google.com/search?aq=1&oq=downgrade+4.0&sourceid=chrome&ie=UTF-8&q=downgrade+4.0+to+3.1.3 [google.com] (click the top link...)

second, you can dramatically improve the performance of 3g phones running 4.0+ by disabling all (or most) of spotlight search (settings -> general -> spotlight search, and then uncheck everything you can live without -- I recommend just keeping mail, events, and contacts)

I find it funny that you complain about apple's treatment of you (and all 3G owners) and then admit to buying a second iphone...

Re:3G Owners are SCREWED (1)

chemosh6969 (632048) | more than 2 years ago | (#36913620)

You'd think a bug 9 years old would've been fixed. As usual, no response until it's been publicized enough times instead of fixing it before it can get to this point. It would really suck if those older users really can't get a fix because they can't upgrade.

Breaks Jailbreak (3, Insightful)

tecker (793737) | more than 2 years ago | (#36909496)

Problem is that applying this update for something that is not likely exploited in the wild will hose your Untethered Jailbreak. Reports on twitter are that redsn0w pointed at 4.3.4 (or 4.2.9) will work for getting a tethered Jailbreak. Many jailbreakers likely won't bother.

Wonder if someone will patch this like they did the PDF exploit and put it on Cydia.

Re:Breaks Jailbreak (1)

aristotle-dude (626586) | more than 2 years ago | (#36910016)

Problem is that applying this update for something that is not likely exploited in the wild will hose your Untethered Jailbreak. Reports on twitter are that redsn0w pointed at 4.3.4 (or 4.2.9) will work for getting a tethered Jailbreak. Many jailbreakers likely won't bother.

Wonder if someone will patch this like they did the PDF exploit and put it on Cydia.

Sorry but I don't see the problem here. If you are concerned about security in the first place then you should not jailbreak. What exactly do you think a jailbreak is anyway? You are basically stripping the check for code signing and shutting down the BSD jail sandbox mechanism for the OS so that you can run unsigned code but that also means that someone can setup a repo and trick people to download and install malware onto their iPhone. On a jailbroken iPhone, code can access any part of the filesystem without restriction whereas a stock iOS install will prevent that from happening.

Geeks should not be encouraging their grandmas or other noobs to jailbreak/root their phones because they are then leaving those phones wide open to attack.

Re:Breaks Jailbreak (1, Informative)

rwven (663186) | more than 2 years ago | (#36910550)

Jailbreaking does not magically leave your phone wide open for attack.

Re:Breaks Jailbreak (1)

CheerfulMacFanboy (1900788) | more than 2 years ago | (#36916772)

Jailbreaking does not magically leave your phone wide open for attack.

I'll take Charlie Miller's word over yours. http://www.macworld.com/article/141506/2009/07/jailbreak_security.html?lsrc=rss_weblogs_iphonecentral [macworld.com]

Re:Breaks Jailbreak (0)

rwven (663186) | more than 2 years ago | (#36917832)

I don't care WHO said it. That's nothing but FUD. The fact remains that jailbreaking your phone doesn't leave it wide open. It DOES allow you to do many various things that CAN leave your phone wide open....but in and of itself, it's not really dangerous.

Re:Breaks Jailbreak (1)

aristotle-dude (626586) | more than 2 years ago | (#36927092)

I don't care WHO said it. That's nothing but FUD. The fact remains that jailbreaking your phone doesn't leave it wide open. It DOES allow you to do many various things that CAN leave your phone wide open....but in and of itself, it's not really dangerous.

Jailbreaking destroys the BSD jails in iOS, hence the name "jail break". It also circumvents checks for code signing so unsigned code can run on the iOS device. When there are no jails then each program that you install has free access to the filesystem whereas a stock iOS install limits access to a few areas on the filesystem for non-Apple software.

Re:Breaks Jailbreak (1)

rwven (663186) | more than 2 years ago | (#36928232)

And yet, ironically enough, having a jailbroken phone can allow you to avoid or patch vulnerabilities that Apple hasn't gotten around to patching (or won't)....

Also, running unsigned code is the #1 reason people WANT to jailbreak their phone. If people could run unsigned code on their iPhones, most wouldn't bother jailbreaking in the first place.

The "jails" only protect you from things that you install through itunes. If you remember the many web-based jailbreaking techniques in times past, obviously once a flaw has been found in apple's walled garden someone could easily do anything they wanted anyway. It's only good fortune that the vulnerabilities were used to jailbreak and subsequently patch the holes that allowed the jailbreak to begin with. Apple's "security" is their biggest security risk. As I see it, jailbreaking has historically made devices MORE secure than less.

Re:Breaks Jailbreak (1)

CheerfulMacFanboy (1900788) | more than 2 years ago | (#36929348)

I don't care WHO said it. That's nothing but FUD.

He knows better than you. Trust me. Or remain a fool. http://www.blackhat.com/presentations/bh-europe-09/Miller_Iozzo/BlackHat-Europe-2009-Miller-Iozzo-OSX-IPhone-Payloads-whitepaper.pdf [blackhat.com]

Jailbroken versus Factory iPhones
Jailbroken phones are much easier to work with than factory phones. The main difference is that the jailbroken phone disables code signing. This allows for the running of arbitrary third party, unsigned, applications. Such applications include a shell, sshd, gdb, python, etc. It is no wonder that researchers prefer to work on jailbroken phones. After all, besides the code signing, there appears to be no real distinctive difference between the jailbroken and factory phones. However, this is not the case.

Many researchers, including one of the authors of this paper, have given talks where their results tacitly relied on the fact a phone was jailbroken. This is because, by disabling the code signing requirements, it doesn't just change what programs may be executed, but it fundamentally changes the way the memory page protections work. As we discussed, at this point, it is not clear how to write to a page and then make that page executable on a factory phone. While there may be a clever way to accomplish this, at the present time, any discussion of shellcode with regards to the iPhone implies the phone is jailbroken. This includes payloads that return into mprotect to set page permissions for their shellcode. If you attempt to mprotect a page which has previously had data written to it on a factory iPhone, the mprotect will fail with a return value of -1 and errno set to “Permission Denied”.

Re:Breaks Jailbreak (1)

register_ax (695577) | more than 2 years ago | (#36927780)

Jailbreaking does not magically leave your phone wide open for attack.

Yes it does.

Jailbreaking requires you to write code to modify the bootstrap sequence. If you cannot do this, you must TRUST someone else will ENTER YOUR SYSTEM, and then LEAVE. You TRUST the program(s) they left behind (Cydia or equivalent) do not have any holes (like enabling telnet/ssh/trojan/something else bad by default) or, if they do (Strike 1), they will update their code appropriately and quickly (Strike 2 if they don't).

And that's only if you now use your phone as if it isn't jailbroken. If you want to install unsigned apps (reason most (everyone?) jailbreak), you leave yourself even more open to attack every unsigned app you install. That isn't to say you are safe via Apple's signed process, but you are definitely not *safer* than without Apple. Unless you took *additional* precautions after jailbreaking, you must worry about leaving your phone anywhere as any technically minded person can get root access to your phone and install any sort of "bad" software!

Saying jailbreaking does not magically leave your phone wide open for attack is incredibly naive!

Re:Breaks Jailbreak (2)

dgatwood (11270) | more than 2 years ago | (#36910612)

Here's what I don't understand: why don't the jailbreakers modify the phone to add trust for a Cydia root cert (or whoever's), then use that to provide free certs for devs to sign apps on Cydia, etc.? That would provide the same flexibility as a full jailbreak, but without the security impact. Or heck, add trust for all the major CAs so that any standard code signing cert will work.

The problem is that jailbreaking started out as a hack and still hasn't grown up from being a hack into being a usable tool. Then again, I guess I shouldn't expect usability from an app that presents you with a "Loading data" screen for five minutes while it downloads a description of the entire set of available packages.... Apparently, they've never heard of doing updates on background threads, performing on-demand loading, etc. What a mess.

Re:Breaks Jailbreak (1)

Kalriath (849904) | more than 2 years ago | (#36918910)

You could even rub Apple's nose in it, and require all code submitted to Cydia to have an Apple Developer signature - and tell devs to sign up for the Safari developer program...

Re:Breaks Jailbreak (0)

Anonymous Coward | more than 2 years ago | (#36911056)

Thanks, fanboi, for that stellar but completely irrelevant and pointless defense of Apple's walled garden. "Apple keeps me safe and snuggly by protecting me with their monopoly!" makes as much sense as "Look at Chewbacca! Wookies on Endor do not make sense!"

Claiming jailbreakers don't care is equivalent to saying "The way she was dressed she deserved it!"

A jailbreak does not make your phone "more open" to Apple's faulty certificate validation mechanism. Apple failed you. Steve Jobs let you down. You can either accept the imperfection and move on, or go cry in the shower.

Re:Breaks Jailbreak (2)

scot4875 (542869) | more than 2 years ago | (#36913724)

Guess what: the phones are already wide open to attack. That's why they're so easily jailbreakable in the first place.

--Jeremy

Re:Breaks Jailbreak (1)

organgtool (966989) | more than 2 years ago | (#36910094)

Which is just another reason why I am done with buying phones that I need to jailbreak just to add basic features such as custom SMS ringtones.

Re:Breaks Jailbreak (1)

aristotle-dude (626586) | more than 2 years ago | (#36917318)

Which is just another reason why I am done with buying phones that I need to jailbreak just to add basic features such as custom SMS ringtones.

Custom SMS tones are coming in iOS 5.

What can I do for my iPhone 3G? (0)

Anonymous Coward | more than 2 years ago | (#36909542)

I use it for browsing over wifi, and the test at https://issl.recurity.com shows it is vulnerable to this attack.

Re:What can I do for my iPhone 3G? (1)

h4rr4r (612664) | more than 2 years ago | (#36909598)

Buy another iPhone of course. This is just your uncle Steve making sure you stay up to date.

Re:What can I do for my iPhone 3G? (0)

Anonymous Coward | more than 2 years ago | (#36913042)

By now any iPhone 3G users who felt the "don't-get-left-behind" pressure and could afford it will have been "born again" with upgraded hardware. So Apple won't lose any sales by throwing recalcitrant sinners a bone with security updates for the feature set they paid for.

Re:What can I do for my iPhone 3G? (1)

schnikies79 (788746) | more than 2 years ago | (#36909674)

Are you jailbroken? If so, wait for a couple days. There will be something available on cydia.

iPhone 3G (1)

bobbomo (877614) | more than 2 years ago | (#36909554)

still no support for a less than 3 year old device, thanks for nothing Apple.

I have been looking in to the whited00r project...

Like Android is much better (1)

Quila (201335) | more than 2 years ago | (#36909706)

Verizon started selling the Droid Eris in November 2009, issued an update to 2.1 in March 2010, and then nothing since.

Only four months of active support. That's gotta be a record.

Re:Like Android is much better (0)

Anonymous Coward | more than 2 years ago | (#36909794)

I've got one. To be fair, it has no GPU and as such can't make any good use out of 2.2 even if you root the phone to install it. 2.1 works better. My beef is with app developers upgrading apps and breaking support for no good reason.

Still, verizon could do more. Even the 2.1 took forever to roll out, the youtube app wouldn't even work on the phone while I was waiting for it.

What it would get (1)

Quila (201335) | more than 2 years ago | (#36909970)

It would at least get JIT compiling, tethering and the Chrome V8 JavaScript engine, along with a bunch of other vague "performance optimizations."

Re:Like Android is much better (1)

jimicus (737525) | more than 2 years ago | (#36909868)

I can beat that. Sony Ericsson shipped the XPeria X8 with Android 1.6 some time in about the end of August/beginning of September of last year. It had an upgrade to 2.1 towards the end of November, has had nothing since and Sony Ericsson have announced there will be no further update.

That's just three months - depending on where you are in the world, these phones get released at different times so it could actually work out at more like 2.

The mobile phone industry has never historically issued significant software upgrades once a phone's been released - back in the old pre-smartphone days, firmware would only ever be updated if you took the phone in for service and then you'd be lucky if any update made any noticeable difference. As an industry, none of the major phone manufacturers have ever treated their products as something customers might want to apply software upgrades to over the course of an 18-24 month contract.

Re:Like Android is much better (1)

risinganger (586395) | more than 2 years ago | (#36911176)

This is why I chose the iPhone over others, this being just one example of how mobile users were typically treated pre Apple.

Apple released the 3G in July 2008 and it received iOS updates until November 2010, approximately 6 months after being discontinued so around 2.5 years of support. Compare that to the XPeria X8 mentioned which on release used a one year old OS 1.6, when 2.2 had been out for around half a year and then they assume you should be grateful when they 'upgrade' you to another obsolete version. I'm not saying Apple are as pure as snow but when it comes to mobiles they highlighted most other manufacturers' laziness in my mind.

As a 3GS owner I'm told iOS 5, with all sorts of decent enhancements over iOS4, will be available to me. So unless it turns out it's not available to the 8GB version for some odd reason that's a good couple of years support there too. Not one of my previous phones with LG, Samsung or even Nokia received anything like that.

Re:Like Android is much better (0)

Anonymous Coward | more than 2 years ago | (#36912860)

There are plenty of updates around for all of those phones if you look to places like xdadevelopers. You can easily get CM7 with almost no work at all that is a custom version of gingerbread which nearly all still supported phones haven't released updates to yet. That's the beauty of android, it's open source so just grab a new fork and update it yourself rather than blindly following Steve

Re:Like Android is much better (1)

jimicus (737525) | more than 2 years ago | (#36913268)

So if I want to update the OS on my phone - my 7 month old phone that still has 11 months of contract to run before I can get a subsidised replacement - I have to install an unsupported firmware that will blow any warranty out of the water?

Forget it.

Re:Like Android is much better (1)

scot4875 (542869) | more than 2 years ago | (#36913822)

And it's why I chose an Android phone that I knew was easily rootable so I could install whatever OS I wanted on it, and not be reliant on the manufacturer for updates.

Those who choose otherwise get no pity from me. It's easy enough to do the research beforehand, and it's not like hardware manufacturers have a good track record for providing support. Apple does do better than most, but they still drop support for phones that people are on contract for. Being less-bad than the alternatives isn't really a win in my book.

--Jeremy

Re:Like Android is much better (0)

Anonymous Coward | more than 2 years ago | (#36913796)

That is not entirely correct. Siemens (and I owned several of those (35 and 55 series) in the early 2000s) had a web page where you can update your phone. Provided, this was not advertised, and you had to buy an expensive data cable at that time, that could cost up to a quarter of the phone price, but it was worth it.
Anyway, they went out of business.

Android is not Apple (0)

Anonymous Coward | more than 2 years ago | (#36910024)

We expect more from Apple, just like we expect more from Porsche than Chevrolet.

Apple's policy seems to be at least two years (1)

Quila (201335) | more than 2 years ago | (#36910280)

As you can see, that's already much better than the situation in Android land. Of the two iPhones that have gone out of support:

iPhone: Jan 2007 - Jul 2008, last update Feb 2010, support 3 years, 1.5 years after last sale

iPhone 3G Jul 2008 - Jun 2009, last update Nov 2010, support for 2.5 years, 1.5 years after last sale

I'm seeing a pattern here, and it's better than most Androids.

To be fair... (2)

TehCable (1351775) | more than 2 years ago | (#36909892)

"My mother could actually use this" To be fair, his mother is Kevin Mitnick

Re:To be fair... (1)

Anonymous Coward | more than 2 years ago | (#36910096)

Kevin could at most convince you to hand the phone over to him to check for electronic gremlins. I doubt he could hack the iPhone worth a damn. He's a social engineering genius; average techie at best.

Older iTouch devices? (1)

enderwig (261458) | more than 2 years ago | (#36909928)

Yeah, but devices that don't support iOS 4.3 will remain unpatched and vulnerable. These include: iPod Touch (1G & 2G) and iPhone 3G and older.

Re:Older iTouch devices? (0)

Anonymous Coward | more than 2 years ago | (#36910684)

New corporate methodology: revenue generation by not fixing known exploits. Wait, Microsoft has been doing this for years.

VPN (0)

Anonymous Coward | more than 2 years ago | (#36910068)

I get to keep my jailbreak plus I'm secure while keeping my jailbreak. Good job Apple, better luck trying to scare people into unjailbreaking next time.

Wait a minute (2)

psydeshow (154300) | more than 2 years ago | (#36910504)

Did Apple really write a new custom certificate validation stack for iOS? Really?

And then the developers failed to test it against this basic condition (using a valid certificate to sign a fake certificate)? On a device where you can only connect via wi-fi networks, which are inherently untrustworthy!

Why, Jobs, why?

THIS is the kind of gross incompetence that deserves a Congressional investigation. Who was behind this? Was it stupidity or actual malice?

Re:Wait a minute (2)

Synerg1y (2169962) | more than 2 years ago | (#36911038)

This is more like it, could a possible backdoor into IOS have been discovered? It seems that something like this would have come to surface a whole lot sooner...

was this a problem with earlier IOS is the interesting part.

Re:Wait a minute (1)

psydeshow (154300) | more than 2 years ago | (#36924736)

was this a problem with earlier IOS is the interesting part.

It's a problem on my 2G iPhone, running iOS 3.1.3. So, yeah, it has been a problem for a while.

blllaaaaaa (0)

Anonymous Coward | more than 2 years ago | (#36910674)

iphone schmiphone ...

Why exactly (2)

deains (1726012) | more than 2 years ago | (#36911790)

Would you be doing anything "secure" at a public wi-fi hotspot? Checking bank details can wait until you get home I'd imagine, or you could hop onto the kinda-more-secure 3G network.

Re:Why exactly (1)

Tomato42 (2416694) | more than 2 years ago | (#36913642)

You either do check SSL certs and use secure ciphers or you don't.

If you don't you're not secure no matter the access point to network. Internet is an insecure network, WiFi hot-spots don't make it less so.

why is this so old... (1)

hesaigo999ca (786966) | more than 2 years ago | (#36920248)

Why is something that is so old, still working on new technology that has been pushed out after it? If Apple can not make sure that their products being shipped at least have the latest updates before shipping, then there is a problem....now i have to review how many times i used wifi hot spots with my iphone.....oh ..wait.....i never do that!

sorry, never mind..... as you were.....
