About the security content of iOS 12.4.9 (opens in new tab)

Comparatively, no. Android phones generally get a maximum of 3 years of security updates from launch, not from last device sale date. So, within mobile phones, it's more informative to compare it to their competition. It shows you just how much better Apple is at mobile device support compared to everyone else.

>Wouldn't last official sale date be a better indicator of true device support?

well in that case many cheap android phones/tablets would have negative support periods, considering they don't release any updates at all.

Apple uses this metric as well[1]. If something hasn't been sold by Apple for 5 years (but less than 7 years), it's considered vintage and you can still get hardware service and certain critical software fixes, though not necessarily any new features.

The support for MacBooks is actually great. Certain Late 2013 and Mid 2014 Retina MacBook Pros, while considered vintage, will be receiving the Big Sur update[2].

1. https://support.apple.com/en-us/HT201624 2. https://www.apple.com/macos/big-sur-preview/ (at the bottom of the page)

A range would be fair. For example "safe to use for 3-7 years" in the case of this phone by the sound of it.

No, because devices can be and sometimes are sold with software that is already out of date. The better indicator is how long software support is provided for a device from beginning to end.

Well, let's not get crazy. It's fine (I'm using it currently because my Samsung S9 died) but it's definitely no perfect phone. It doesn't even have water resistance and the screen to body ratio is pretty bad, IMO.

Only upside is the thing is built in such a way that it has barely taken any damage from the years of abuse I put it through.

I'm likely getting an iPhone 12 Pro Max very soon and will continue to only use the iPhone 5S I've had since 2013 as a backup.

If the 5S is perfect, what's the iPhone SE (2016)?

How do you still have one that's running OK? My Apple products almost always "die" after a few years. I had the 5S but one day it crashed and would not turn back on no matter what I did. The iPhone I had before that did the same thing.

The 12 mini is gonna be my next daily driver.

Some YouTube gadget reviewers agree with you and predict some “revivals”.

If only Google could put this much effort into supporting its own Pixel devices, which stop getting updates to the base OS after just three years.

I think it's more a testament to the length of time they support their devices for.

That's the kind of thing you can say in a comment, rather than in the title.

I think this is a bad decision. The "in-the-wild" part is the interesting part because it is not the norm at all and it implies an interesting story.

Catalina runs on all Macs that support Mojave, which I assume influenced the decision. (I didn't see an iOS 13 update, which helps bolster this theory.)

And the fact that android devices are generally patched slower, so an exploit can give you access for longer.

In the US, iOS has the majority of market share at 52.4%, and Android has 47%[1].

[1] https://www.statista.com/statistics/266572/market-share-held...

Does it matter? A full-chain zero-click remote complete compromise for either system is only $2-3 million. That is absolute chump change. 4-6% of households in the US [1], 5-8 million households, have sufficient assets to fully compromise every iPhone or Android in the world. If we consider businesses, I bet that is within the reach of no less than 50% of the businesses (including small businesses) in the US. That is an absurd number of entities where that price point is totally doable.

If a bad actor can derive just $10 on average per phone they attack, then all they need to do is find a way to deploy their $2-3 million exploit to 1 million phones for less than $5 million to make a tidy profit. Given that we are talking about zero-click remote compromises, which means the victim only needs to receive the payload, this means that it is profitable as long as the cost per victim impression is less than $5, a CPM of $5000. With that sort of budget you can embed your attack into an ad and then outbid everybody else by a factor of 10 for placements. You can buy a mailing list and embed your attack as a "payload pixel". If it is a zero-click text message attack then you can buy access to the spam-callers and mass deploy it that way.

These systems are between a factor of 10-100x off of adequate. To care about their relative differences is like debating whether paper mache or tissue paper is better at stopping bullets. One is probably better than the other, but neither provides meaningful protection, so it hardly matters. You need fundamental, qualitative improvements before differences between the solutions provide meaningful effects on outcomes.

[1] https://dqydj.com/average-median-top-net-worth-percentiles/

Yes. Here's an article from May of this year[1], where it states that it is still the case.

Also, you can go directly to Zerodium's website, where, as of today, they are still paying more for Android exploits than iOS exploits[2].

[1] https://www.theregister.com/2020/05/14/zerodium_ios_flaws/

[2] http://zerodium.com/program.html

I think you've misunderstood. iOS exploits are cheaper. If your explanation held, then you'd expect them to be costlier. That said, I'm sure your explanation is a component of their price.

> That's some serious longevity

Well, yes, its better than your average Android vendor. But on the other hand Windows 8 was released 2012 (i.e. about a year before iPhone 5s), and is scheduled to get updates until 2023. That is pretty serious longevity. And supporting handful of Apple devices must be comparatively simpler than supporting the hodgepodge fleet of Windows 8 devices.

Not exactly - more like being denied the ability to not have a specific OS version forced on someone if they want their device to stay secured.

Being able to stay secured with the latest patches shouldn’t require one to be forced to get the unwanted memory/resource hogging “features” of newer OS releases.

Apple doesn't allow downgrading (and it's gotten even harder with Touch/Face ID not being downgradable with SHSH blobs), so people accidentally update, or get their hardware replaced in a repair, are SOL.

users buying new devices that automatically update on activation aren't going to have that choice.

FairPhone too?

iOS wasn't stressing me directly, it was that the UI is built to encourage compulsive media consumption and that was eating into other parts of my life like work (which is stressful.)