
Google reveals fistful of flaws in Apple's iMessage app - dmmalam
https://www.bbc.co.uk/news/technology-49165946
======
tristor
I'm honestly appalled at the number of comments in this thread trying to
lambast Project Zero for the good work they do in improving software security.
Even if Google specifically started and ran Project Zero to target
competitors' products (which they didn't, and they don't, there are over 100
bugs found by P0 in Google products), it wouldn't matter because the effect
would still be that the online world is a safer place with more secure
software.

Of all places, I thought Hacker News would have a community which understands
the critical importance of security research and the fact that fixing software
security bugs is a net benefit to everyone, every time, all the time.

~~~
quantdev
Hacker News has become tribal and politicized, much like many other parts of
the internet.

~~~
rootusrootus
Very true. And both Apple- and Google-related discussions bring out both
sides in force. In this case we have a story that involves both, so I am not
at all surprised to see it get contentious.

Personally, I've observed (via the voting mechanism and commentary) several
different cohorts of people visit HN throughout the day. You get a real sense
that opinions are regional and tribal. Europeans in the early morning, then
east coast and flyover states, and then brace for impact when SV (in
particular Googlers and/or pro-Googlers) pile on. It's fascinating.

~~~
nabakin
I think the trends you are seeing are most likely due to bias and not
objective analysis. Try as we might, humans are subjective beings and truth is
difficult for us to discern, especially with so many variables.

~~~
rootusrootus
Well, yes, of course I have not done a rigorous scientific analysis. But I can
tell you from repeated experiences that if I say anything a bit critical of
Europe or Europeans then I will get downvoted heavily in the wee hours of the
day, and almost always will make that up and then some about midday (Pacific
time). On the other hand, if I say something critical of Google then in the
wee hours it'll usually get a bunch of upvotes, and then lose them all about
midday.

No science here, absolutely, but I have had great success so far predicting in
advance what the voting pattern is going to be on a comment I make. I treat it
a bit like a sport.

------
ziddoap
It seems like people's hatred for Google is leaking over to how they think
vulnerability disclosures should happen.

Reading through the comments is disorientating - people are angry that
researchers are.. _gasp_... researching vulnerabilities. It's not some
faceless Google Incarnate monstrosity, they are paid researchers (humans,
too!). If it was Cure53 that did this, for free, and made the exact same
announcement no one would bat an eye.

Good on _whatever_ company does vulnerability research, follows established
protocols in disclosure, and makes the world a safer place.

~~~
tptacek
When I read these comments I also feel like people must believe P0 is some
kind of new thing that Google came up with. In fact, vulnerability research
labs have been A Thing in the security field since the mid-1990s (I worked at
what I believe to be the first commercial vulnerability lab, at Secure
Networks, from '96-'98, along with much smarter people like Tim Newsham and
Ivan Arce). And they've always been taking this kind of (dumb) flak regardless
of which company they're attached to.

If companies like Apple or Microsoft are alarmed by the optics of Project
Zero, they are free to stand up their own vulnerability research labs; they
have the resources and they would immediately find takers in the research
community.

End-users, meanwhile, should have nothing but gratitude for P0, since that
project essentially represents Google donating fairly expensive and scarce
specialized resources to public interest work. Vulnerabilities that P0 finds
are vulnerabilities that aren't being sold through brokers to the global
intelligence community. Message board talk about the "black market"
alternative to bug bounties is almost always overblown, but P0 traffics in
_exactly_ the small subset of vulnerabilities that do have substantial, liquid
markets.

~~~
mehrdadn
> End-users, meanwhile, should have nothing but gratitude for P0, since that
> project essentially represents Google donating fairly expensive and scarce
> specialized resources to public interest work.

Why should end-users "have nothing but gratitude" when vulnerabilities are
disclosed and they are immediately placed at risk until they get a chance to
update, _even when the vendor has promptly provided a correct patch_? I know I
certainly don't appreciate that and can't reasonably expect any normal person
to appreciate it either.

~~~
billyhoffman
First: everyone is already at risk for everything that P0 finds. The
difference is no one is publicly talking about the flaws or the risk in the
open.

Second: P0 never “immediately places people at risk” because they always
follow responsible disclosure.

P0 has a well documented and frankly fairly conservative policy before
anything is publicly disclosed. Do vendors want more time to fix things? Sure,
they always will. Do P0 disclosures sometimes happen publicly before the
vendor has things fixed? Yes, occasionally. However, looking at the net, P0
has provided far more value than they detract with public disclosure of flaws.

~~~
mehrdadn
> First: everyone is already at risk for everything that P0 finds. The
> difference is no one is publicly talking about the flaws or the risk in the
> open.

You don't see how the risk might increase when more people learn about the
vulnerability?

> Second: P0 never “immediately places people at risk” because they always
> follow responsible disclosure.

What? They provided proof-of-concept exploits _just one week after the patch
was provided_. That's apparently not "immediate" in the eyes of security
researchers, but try asking the average user if that's enough time to expect
them to update.

> P0 has a well documented and frankly fairly conservative policy before
> anything is publicly disclosed.

Yes, and it could be worse, but it's also not great and could also be better.

> Do vendors want more time to fix things? Sure, they always will.

That was never my argument. I never said they should get more time to fix
things.

> Do P0 disclosures sometimes happen publicly before the vendor has things
> fixed? Yes, occasionally.

Again, I was specifically NOT arguing about disclosing _before_ the patch is
provided.

> However, looking at the net, P0 has provided far more value than they
> detract with public disclosure of flaws

And I never singled out P0 or claimed otherwise. I'm disputing the entire
practice by whomever is practicing it.

~~~
JakeTheAndroid
> You don't see how the risk might increase when more people learn about the
> vulnerability?

Do you see the risk of having a vuln that is completely unknown still
exploitable in your stack?

> What? They provided proof-of-concept exploits just one week after the patch
> was provided. That's apparently not "immediate" in the eyes of security
> researchers, but try asking the average user if that's enough time to expect
> them to update.

Why are critical issues not being patched within 48 hours? The disclosure of
the issue can only mitigate so many things, and patch schedules by vendors are
not one of them. If your vendor takes 3 months to patch the system, is that
the requisite amount of time the researcher should be expected to wait before
disclosure? That seems preposterous.

> > Do vendors want more time to fix things? Sure, they always will.

> That was never my argument. I never said they should get more time to fix
> things.

So then that is your argument. What is a reasonable amount of time, and why is
your arbitrary value not arbitrary? A day, a week, a month, a year; when can
you ever be sure you've reached the critical threshold of patched systems
using a rule of thumb?

------
tptacek
I believe Natalie Silvanovich is giving a talk at Black Hat about some of
these next week. Silvanovich is a machine.

~~~
vesche
Indeed: [https://www.blackhat.com/us-19/briefings/schedule/#look-no-hands----the-remote-interaction-less-attack-surface-of-the-iphone-15203](https://www.blackhat.com/us-19/briefings/schedule/#look-no-hands----the-remote-interaction-less-attack-surface-of-the-iphone-15203)

~~~
rllyboredonline
While being a Project Zero member is cool and all, Natalie is also a well-
known Tamagotchi hacker
[https://natashenka.ca/about/](https://natashenka.ca/about/)

------
sigmar
>We are withholding CVE-2019-8641 until its deadline because the fix in the
advisory did not resolve the vulnerability

Wonder how this happened? rushed patch or perhaps they only tested against a
submitted PoC? Only a week left until the defcon talk. Still listed as "fixed"
in Apple's release here: [https://support.apple.com/en-us/HT210346](https://support.apple.com/en-us/HT210346)

~~~
bangonkeyboard
Other security updates released on the same day last week caused Macs to
kernel panic every time they went to sleep [0]. Apple software quality is not
what it should be, and hasn't been for quite some time.

[0]: [https://eclecticlight.co/2019/07/24/dont-apply-high-sierra-security-update-2019-004-apple-has-pulled-it/](https://eclecticlight.co/2019/07/24/dont-apply-high-sierra-security-update-2019-004-apple-has-pulled-it/)

~~~
robocat
> Apple software quality is not what it should be, and hasn't been for quite
> some time.

Quality is a moving target: I know something about the quality of Safari, and
the quality has been getting better over the years (that said, I admit the
recent Mobile Safari Betas have been really shit, hopefully the release will
be good).

Maybe it is comparative: for example Safari's quality is nowhere near as
good as the Chrome team's quality (which is unbelievably good: regular updates
across thousands of different Android device types, across thousands of
versions of Android, with immensely complex software).

Also social media now means that we hear about quality issues - we raise the
bar on what we think is acceptable.

Do you think Apple's software quality has not improved over the years?

~~~
bangonkeyboard
_> Do you think Apple's software quality has not improved over the years?_

I think quality has actively declined.

As you know something of the quality of Safari, I'll limit myself to that.
Safari over the past several years has made myriad design changes that I
heavily disagree with (killing extensions, removing user control over website
data, baffling UI decisions), but even though those changes have made my
browsing experience worse they may not be objectively considered "software
quality." Instead, I'll focus on stability and bugs.

When macOS Sierra launched, I had to deal with weekly lockups and reboots of
the OS that I mentioned here:
[https://news.ycombinator.com/item?id=13159008](https://news.ycombinator.com/item?id=13159008).
I tracked the issue down to Safari 10, which introduced new resource leaks
that eventually brought the entire system down after being left open. Even
after major releases of the browser eventually stopped forcing restarts,
leaving Safari open for extended lengths of time will still cause not just
instability and misbehavior in itself (e.g., popover arrows eventually
disappearing), but also knock-on problems in completely separate applications,
including greyed-out standard menu actions that return immediately once Safari
is quit. This resource exhaustion is independent of the number of tabs, but
handling of large numbers of tabs has also regressed: tabs now crash or unload
regularly, and there is no easy built-in way to see which; this causes data
loss and erroneous cookie manipulation when the tabs are reloaded when
navigating back to them. Pages often do not add correctly to History,
particularly from clicked or OpenSearch search results, with mismatched
titles/URLs or entirely missing entries: to this day, searching Wikipedia with
Quick Website Search gives a tab title that does not match the page or the
history item, and interaction with the back/forward cache is likely to
exacerbate this. Worse, pages often disappear entirely from autocompletion,
causing mistaken page loads and spurious searches when expected results are
missing. A couple of years ago, Safari stopped preventing the Mac from
sleeping while a download was in progress, forcing me to copy URLs into
Terminal to download with a caffeinated curl command instead to avoid
truncated files. A recent release of Safari marked random unvisited links as
visited, likely due to some newly introduced hash collision, and was not fixed
for many months.

This is just what I can recall off the top of my head, in one limited aspect
of a single application. All of these were newly introduced errors; some
major, many persistent. I sometimes have call to use older versions of Safari,
and while definitely slower and less compliant, in many respects they are
remarkably better in terms of feature stability and experience.

------
skc
This type of thread always goes a lot differently when the flaws revealed
aren't in Apple products

~~~
buboard
Choice supportive bias is real, and it seems to scale with price

------
mktmkr
Apparently iOS 12.4 came out last week but I have automatic updates on and the
update is not installed. I just triggered it manually a moment ago.

~~~
yots
Can anyone explain iOS “automatic” updates? They never seem to work for me.

~~~
spike021
You have to have the phone charging overnight, usually. But sometimes I wake
up in the morning to a message that it had an issue and couldn't update.

~~~
runeks
I _always_ wake up to this message, and have to do it manually. I don’t know
why.

------
macrael
Project Zero continues to be a Good Thing

------
0x0
Is this why Apple also quietly released updates for older devices as iOS 9.3.6
and 10.3.4? IIRC Apple has only patched EOL'd iOS releases once before - in
6.1.6 for the ssl gotofail?

~~~
george_perez
That was for the GPS 10-bit bug.
[https://www.theregister.co.uk/2019/02/12/current_gps_epoch_e...](https://www.theregister.co.uk/2019/02/12/current_gps_epoch_ends/)

Apple's runs out in November 2019 instead of April.

~~~
0x0
Apple's changelogs are often incomplete at time of release and updated with
additional CVEs later. A gps fix sounds like a convenient cover story for an
emergency 0day patch for imessage, for example.

------
mey
Interesting that there isn't a post on Project Zero's blog. That's typically
how they do public notification.

~~~
ehsankia
I definitely would've preferred that to the BBC article.

ZDNet seems to be the better / primary source on most other articles:
[https://www.zdnet.com/article/google-researchers-disclose-vulnerabilities-for-interactionless-ios-attacks/](https://www.zdnet.com/article/google-researchers-disclose-vulnerabilities-for-interactionless-ios-attacks/)

------
snazz
I wonder what kind of infrastructure they had set up to find these
vulnerabilities and extract names of classes and methods. Do they jailbreak
iPhones and run fuzzers directly on the device? Do they analyze IPSWs
directly?

Edit: _and explains how to set up tooling to test these components._ I'll wait
for the BlackHat slides.

~~~
saagarjha
> extract names of classes and methods

This is very easy to do using tools such as class-dump if you can get access
to the binary (either from the IPSW, or sometimes directly from the shared
cache).
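
A minimal, added illustration of the class-dump approach saagarjha describes; this is example code written for this page, not code from the thread, from class-dump or from Apple. It walks the load commands of a 64-bit Mach-O, locates the __TEXT,__objc_classname and __TEXT,__objc_methname sections, and reads the NUL-terminated names out of them. Real class-dump goes further and reconstructs whole interfaces from __objc_classlist and the method lists; this only pulls the name tables. The sample binary is constructed inside the script with hypothetical class and selector names (not real iMessage symbols), so it runs offline; it assumes a thin, standalone arm64 Mach-O as extracted from an IPSW, not a fat binary and not an image still sitting in the dyld shared cache, where these sections can point into the cache rather than the image.

```python
import struct

# Mach-O constants (values from <mach-o/loader.h>)
MH_MAGIC_64 = 0xFEEDFACF
LC_SEGMENT_64 = 0x19
CPU_TYPE_ARM64 = 0x0100000C
MH_EXECUTE = 2

HEADER_FMT = "<IiiIIIII"            # mach_header_64, 32 bytes
SEGMENT_FMT = "<II16sQQQQiiII"      # segment_command_64, 72 bytes
SECTION_FMT = "<16s16sQQIIIIIIII"   # section_64, 80 bytes


def _cstr(raw):
    """Decode a fixed-width Mach-O name field, which is NOT NUL-terminated
    when the name fills all 16 bytes (e.g. b"__objc_classname")."""
    return raw.split(b"\0", 1)[0].decode("ascii")


def iter_sections(data):
    """Yield (segname, sectname, file_offset, size) for every section
    described by an LC_SEGMENT_64 load command in a 64-bit Mach-O."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from(HEADER_FMT, data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    off = struct.calcsize(HEADER_FMT)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("corrupt load command")   # refuse to walk off the file
        if cmd == LC_SEGMENT_64:
            fields = struct.unpack_from(SEGMENT_FMT, data, off)
            segname, nsects = _cstr(fields[2]), fields[9]
            soff = off + struct.calcsize(SEGMENT_FMT)
            for _ in range(nsects):
                s = struct.unpack_from(SECTION_FMT, data, soff)
                # s[0]=sectname s[1]=segname s[2]=addr s[3]=size s[4]=file offset
                yield segname, _cstr(s[0]), s[4], s[3]
                soff += struct.calcsize(SECTION_FMT)
        off += cmdsize


def objc_names(data, sectname):
    """Return the NUL-separated strings stored in __TEXT,<sectname>
    (__objc_classname or __objc_methname); [] if the section is absent."""
    for segname, name, offset, size in iter_sections(data):
        if segname == "__TEXT" and name == sectname:
            if offset + size > len(data):
                raise ValueError("section extends past end of file")
            blob = data[offset:offset + size]
            return [s.decode("ascii") for s in blob.split(b"\0") if s]
    return []


def build_sample():
    """Constructed Mach-O carrying only the two string sections. The names
    are hypothetical, chosen for this example, not real iMessage symbols."""
    classnames = b"IMMessageItem\0IMChat\0"
    methnames = b"handleIncomingMessage:\0deserializeItem:\0"
    cmdsize = struct.calcsize(SEGMENT_FMT) + 2 * struct.calcsize(SECTION_FMT)
    data_off = struct.calcsize(HEADER_FMT) + cmdsize
    header = struct.pack(HEADER_FMT, MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE,
                         1, cmdsize, 0, 0)
    seg = struct.pack(SEGMENT_FMT, LC_SEGMENT_64, cmdsize, b"__TEXT",
                      0, 0, 0, data_off + len(classnames) + len(methnames),
                      5, 5, 2, 0)
    sect_cls = struct.pack(SECTION_FMT, b"__objc_classname", b"__TEXT",
                           0, len(classnames), data_off, 0, 0, 0, 0, 0, 0, 0)
    sect_meth = struct.pack(SECTION_FMT, b"__objc_methname", b"__TEXT",
                            0, len(methnames), data_off + len(classnames),
                            0, 0, 0, 0, 0, 0, 0)
    return header + seg + sect_cls + sect_meth + classnames + methnames


if __name__ == "__main__":
    import sys
    # Pass a path to a thin arm64 Mach-O to dump it; with no argument the
    # constructed sample is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for sect in ("__objc_classname", "__objc_methname"):
        print(sect, objc_names(blob, sect))
```

The bounds checks on cmdsize and on section offset/size matter when the input is an untrusted or truncated binary: a malformed load command otherwise turns the loop into an out-of-range read, which is exactly the class of parser bug this kind of tooling is meant to find in others.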

------
mavrick33
Glad to see tech companies holding each other accountable. I hope the white
hat hacking between these folks continues. The more vulnerabilities found, the
safer our data will be.

------
caycep
TBH, while I think the iMessage service is invaluable, the app itself is often
buggy for me. On OS X, it often hangs w/ the spinning beach ball when
attempting text input, the iCloud sync can be spotty, and the cardinal sin, on
my iPhone X, there are inexcusable screen draw bugs w/ orientation rotation,
or w/ the keyboard popping up to type....so I am not entirely surprised. It is
an app in need of a good overall bug hunt.

~~~
Nextgrid
One bug I’ve noticed on iOS is the bar with the message text field and the
send button sometimes being displayed at the bottom even if you’re on the
message list view.

------
jwildeboer
TL;DR Apple happily fixes what Google’s hackers uncover and responsibly
disclose but the beeb desperately spices things up because clickbait ;)

~~~
mr_toad
Wish I had a bunch of people testing my code for free and giving me 30 days to
fix things before anyone else found out.

~~~
panpanna
Even better when your competitors do it!

Think if Google instead of disclosing these responsibly would leak one bug to
hackers every month or so. How many would stay on iMessage after getting owned
for the tenth time??

------
goldrake
Meanwhile google keyboard collects everything you type and android collects
everything you say. Who needs bugs..

------
garysahota93
Does anyone know how to file a bug report for iMessages? I have a slew of bugs
I'd like to report from my day to day usage.

~~~
mrunkel
[https://feedbackassistant.apple.com/](https://feedbackassistant.apple.com/)

------
sixothree
On the surface it appears Google is spending millions of dollars to expose
flaws in competitors' products.

~~~
ziddoap
Words are wonderful. Try saying it this way:

Google is spending millions of their own dollars to freely help other
companies (and themselves!) enhance their security and close holes malicious
actors can exploit.

Now replace "Google" with any other company or independent researcher of your
choice. If you're no longer angry, you're being biased solely because its
Google and not someone you like.

~~~
ctrl-j
My biggest question would be how many security vulnerabilities Google
uncovered and disclosed on their own platform. If they are being good and
helping other companies - great! But if they're also profiting by FUD'ing them
- then we should call them something _other_ than white hats.. grey hats
maybe?

~~~
kevin_thibedeau
Google fixes its shit before the 90 day deadline. Apple could hire the talent
it needs to do the same.

~~~
scarface74
Well, Apple released a patch for all phones back to the 4s released in 2011.
What are the chances that security patches for Android phones make it to
phones released even two years ago?

Even Microsoft released a patch recently to a security vulnerability found in
Windows XP.

~~~
lern_too_spel
Android doesn't need a system update to update the messaging app.

~~~
scarface74
But it does need system updates to update parts of the system....

~~~
lern_too_spel
The point is that this is a pretty small portion of all security updates.
Compare to iOS, where updating the browser or iMessage (both with very large
vulnerability surfaces) requires a system update.

~~~
scarface74
You act as if there is a difference. It’s not like Apple pushes the entire OS
down for a minor update. Either way it’s a delta.

But that “pretty small portion” doesn’t matter if you can’t patch it.

~~~
lern_too_spel
> You act as if there is a difference.

There is a large difference. One is an automatic app update while the user
continues working. The other requires the user to stop everything they're
doing and reboot their device.

~~~
scarface74
Or the user can just tell it to update later on when they aren’t using it.

With the benefit that all necessary components are updated together and that
Apple can push out any updates world wide without waiting on the carriers....,

~~~
lern_too_spel
> Or the user can just tell it to update later on when they aren’t using it.

This is how devices stay vulnerable.

> With the benefit that all necessary components are updated together

The whole app is already updated atomically. There is no benefit here.

> and that Apple can push out any updates world wide without waiting on the
> carriers

The same as a Pixel or Android One device. The only difference is that app
security updates are artificially slower on iOS due to poor design, and for
apps like browsers, this is a fatal flaw.

~~~
scarface74
_This is how devices stay vulnerable._

As opposed to most Android phones that never get system updates? As opposed to
Apple releasing an update two weeks ago for all iOS devices back to 2011?

 _The whole app is already updated atomically. There is no benefit here._

The Safari app is also used as an out of process web view for other apps as is
the messenger app...

 _The same as a Pixel or Android One device. The only difference is that app
security updates are artificially slower on iOS due to poor design, and for
apps like browsers, this is a fatal flaw._

It’s estimated that Google may sell 1-2 million phones a year and Android One
phones are not much more ubiquitous. Even then Google only promises updates
for two years.

~~~
lern_too_spel
> As opposed to most Android phones that never get system updates?

Don't buy them. Problem solved. Do you avoid Linux entirely because there
exist Linux-based routers that are never updated? No, you buy Linux-based
routers that _are_ updated.

In this case, the choice is between properly updated Android phones, poorly
updated userspace iOS phones, and poorly updated base system Android phones.
The obvious choice is a phone from the first group.

> The Safari app is also used as an out of process web view for other apps as
> is the messenger app...

As is Chrome on Android. Since Android is designed in a way that apps can
gracefully recover from arbitrary processes being killed, this does not
matter. Chrome gets updated, the process restarts, and the page the user was
viewing in the web view reappears. If the app wasn't in the foreground, the
user won't even notice.

~~~
scarface74
So there are approximately 2.5 billion Android devices in the world and less
than 2% are sold by Google and they are the only ones getting updated and you
don’t think that’s a problem?

But yet every single Windows PC sold by any vendor can still get updates
directly from Microsoft.

 _In this case, the choice is between properly updated Android phones, poorly
updated userspace iOS phones, and poorly updated base system Android phones.
The obvious choice is a phone from the first group._

You are really claiming that Android has a better update strategy than iOS and
is more secure? Which Android phones from 2011 are still getting updates?
2013? 2015? Heck 2017?

~~~
lern_too_spel
> you don’t think that’s a problem?

It's a problem, just like the routers that aren't getting updated. It's not my
problem.

> You are really claiming that Android has a better update strategy than iOS
> and is more secure?

Yes. I've already explained why, and you haven't refuted it.

> Which Android phones from 2011 are still getting updates?

I don't use eight year old phones, so this doesn't matter to me. If you use
old phones, you could argue that iOS is marginally more secure than the
Android options; but that argument is irrelevant to the purchase decisions of
99% of the people here who do upgrade devices regularly for whom there are
Android options that are much more secure than iOS phones.

~~~
scarface74
_If you use old phones, you could argue that iOS is marginally more secure
than the Android options; but that argument is irrelevant to the purchase
decisions of 99% of the people here who do upgrade devices regularly for whom
there are Android options that are much more secure than iOS phones._

The average replacement time for cell phones in the US is 32 months.

[https://www.npd.com/wps/portal/npd/us/news/press-releases/2018/the-average-upgrade-cycle-of-a-smartphone-in-the-u-s--is-32-months---according-to-npd-connected-intelligence/](https://www.npd.com/wps/portal/npd/us/news/press-releases/2018/the-average-upgrade-cycle-of-a-smartphone-in-the-u-s--is-32-months---according-to-npd-connected-intelligence/)

8 months longer than Google has promised updates.

[https://www.digitaltrends.com/mobile/what-is-android-one/](https://www.digitaltrends.com/mobile/what-is-android-one/)

And that’s only with Android One phones. Most Android phones never get updates
or are rolled out slowly waiting on the OEM and carrier.

~~~
lern_too_spel
> The average replacement time for cell phones in the US is 32 months.

That is not my replacement cycle nor the replacement cycle for most of the
readers of this forum. It has no bearing on my purchase decisions nor the
purchase decisions of most of the readers of this forum. For people who
upgrade regularly, which is a group that includes me and most of the people on
this forum, Android One and Pixel devices are more secure than iOS devices,
and you appear to agree.

> 8 months longer than Google has promised updates.

Android One phones get security updates at least three years after release.

~~~
scarface74
_That is not my replacement cycle nor the replacement cycle for most of the
readers of this forum._

Well as long as it caters to you and the rest of the people on HN (have you
done a survey?), I guess that’s all that matters - not the other 2 billion
people in the world....

 _Android One and Pixel devices are more secure than iOS devices, and you
appear to agree._

Android One phones still have to wait on the manufacturer to update their
phones. Yes, but they pinky promise they will. From the article I posted.

I’ve never had to wait on a manufacturer to get updates from my Windows PCs.
Heck I still get updates for my Mac Mini running Windows 7 and Apple
definitely had nothing to do with it. Why is the Android architecture so piss
poor that they can’t figure this out? This - an OS vendor licensing to OEMs and
providing updates - has been a solved problem for PCs for well over 30 years.

From the earlier article I posted.

 _While updates do still have to go through each phone’s manufacturer, there’s
much less to check and update, so updates will generally arrive much faster.
It won’t be a day one patch like you’d expect on the Google Pixel range_

 _Each Android One phone is guaranteed to get at least three years worth of
security updates from its release date, and up to two years of major Android
releases, too._

 _Android One phones get security updates at least three years after release._

The iPhone 5s (2013) received 5 years worth of OS updates.

The 4s (2011) just received a bug fix earlier this month.

The 6s (2015) is still a more performant phone than any midrange Android phone
released this year and can hold its own against high end Android phones that
are two years newer. It would be a pity to replace it if it were an Android
phone just because Google couldn’t figure out how to update third party
devices. My son is still using it.

~~~
lern_too_spel
> I guess that’s all that matters - not the other 2 billion people in the
> world....

I already explained the choices. For us, the obvious choice is a properly
updating Android device. Any user who chose an iPhone or non-updating Android
phone made a poor security choice. Any user who has a longer than three year
upgrade cycle has no good options unless they use a community-maintained
Android build.

> Android One phones still have to wait on the manufacturer to update their
> phones. Yes, but they pinky promise they will.

They are guaranteed monthly security updates. If you have an example of one
that hasn't had monthly security updates, that would be a breach of contract
with at least the user and possibly with Google who certified the device as
Android One.

Windows updates aren't guaranteed to work with arbitrary device manufacturers'
custom drivers.

> [Irrelevant stuff about how long iOS devices are updated]

The comment you replied to was a correction to your claim about how long
Android One devices are updated. That is the maximum period a user can get a
secure device for because we have already established that all alternatives
have non-working security update systems.

>The 6s (2015) is still a more performant phone than any midrange Android
phone released this year and can hold its own against high end Android phones
that are two years newer.

You have conceded that iOS is worse for security, so now you want to argue
about performance. Android has iOS beat there, too. Here is a midrange Android
phone one generation older than the iPhone 6 beating it at the most common
task for phone users — opening apps:
[https://youtu.be/hPhkPXVxISY](https://youtu.be/hPhkPXVxISY)

Here is a midrange Android phone of the same generation as the iPhone 6s
beating it in the same test:
[https://youtu.be/B5ZT9z9Bt4M](https://youtu.be/B5ZT9z9Bt4M)

Of course if you want to get off topic, a more interesting discussion than
performance is usability, and Android is multiple generations ahead of iOS for
what you can do with it and has been since at least the Verizon Droid, which
came with driving navigation and voice control.

~~~
scarface74
_You have conceded that iOS is worse for security, so now you want to argue
about performance. Android has iOS beat there, too. Here is a midrange Android
phone one generation older than the iPhone 6 beating it at the most common
task for phone users — opening
apps: [https://youtu.be/hPhkPXVxISY](https://youtu.be/hPhkPXVxISY)_

I’m not arguing performance for performance sake. I’m arguing that a four-year-old
phone is still performant compared to many newer Android phones and it is
getting _both_ security updates and OS upgrades 24 months and 12 months longer
than the tiny percentage of Android phones that get either. It also doesn’t
have to wait for a third party OEM to decide to push updates.

I’m also criticizing Google for not knowing how to push updates to phones
running its operating system without OEM intervention - something Microsoft
figured out 30 years ago with PCs.

But you don’t need to speculate how fast iOS users update their phones.

There are plenty of sites showing how many iOS users have updated operating
systems compared to Android users:

[https://www.forbes.com/sites/ianmorris/2018/04/13/android-is-still-failing-where-apples-ios-is-winning/](https://www.forbes.com/sites/ianmorris/2018/04/13/android-is-still-failing-where-apples-ios-is-winning/)

So do have a cite showing that a larger percentage of Android users are
running an up to date OS?

~~~
lern_too_spel
> So do have a cite showing that a larger percentage of Android users are
> running an up to date OS?

You keep coming back to this irrelevant point. Many Android phones are
insecure, just as all iPhones are. Don't buy them.

> I’m also criticizing Google for not knowing how to push updates to phones
> running its operating system without OEM intervention - something Microsoft
> figured out 30 years ago with PCs.

Who cares? Don't buy them. Besides, I already pointed out in my previous post
that Microsoft didn't solve this problem. Do you blame Linus for all the
routers that don't get updated, or do you just not buy them?

> I’m arguing that a four-year-old phone is still performant compared to many
> newer Android phones and it is getting both

So is a five year old midrange Android phone, which is also as insecure as any
iPhone. Don't buy them.

~~~
scarface74
_You keep coming back to this irrelevant point. Many Android phones are
insecure, just as all iPhones are. Don't buy them._

Seeing that the latest iPhone you can get that hasn’t received a recent patch
is the iPhone 4 from 2010, where are “all of the insecure iPhones” -
especially seeing that both Google and Apple routinely publish the percentage
of devices running older OS’s, there is no conjecture needed on which one is
running a greater percentage of OS’s with unpatched vulnerabilities - we have
numbers straight from the source.

 _Who cares? Don't buy them. Besides, I already pointed out in my previous
post that Microsoft didn't solve this problem._

Seeing that I have a _Mac Mini_ from 2006 running Windows 7 that is still
getting security updates and a Dell from 2009 running Windows 10, I think
Microsoft solved the problem a lot better than Google. The other 2.7 billion
Android users probably would care if they knew any better.

 _you blame Linus for all the routers that don't get updated, or do you just
not buy them?_

Linux is free open source software that anyone can use, no one pays Linus for
using it, and Linus doesn’t have much of any criteria about how it’s used.
None of that is true about Android. What makes Android Android is Google Play
Services that is licensed by a commercial entity.

 _So is a five year old midrange Android phone, which is also as insecure as
any iPhone. Don't buy them_

There is no five year old iPhone that isn’t supported and receiving security
patches. Right now, there isn’t any 8 year iPhone that hasn’t received a
security patch recently.

~~~
lern_too_spel
> Seeing that the latest iPhones you can get that hasn’t received a recent
> patch is the iPhone 4 from 2010

We already discussed this. iOS has a huge attack surface that can only be
patched via system updates, which is horribly bad design and terrible for
security.

> The other 2.7 billion Android users probably would care if they knew any
> better.

If those billions knew better, they would get an Android One or Pixel instead
of an iOS or other Android device. We already established that
there is only one set of devices that is good for security, and the vast
majority of people, including you it seems, do not have them. It's not my
problem to fix their security. I don't buy them myself.

> I have a Mac Mini from 2006 running Windows 7 that is still getting security
> updates and a Dell

In exactly the same way, updates work fine for those of us on properly updated
Android devices, and Windows updates don't work for people with hardware that
has poorly supported drivers. You didn't address my point. Also, you still
haven't addressed why this matters.

> Linux is free open source software that anyone can use, no one pays Linus
> for using it, and Linus doesn’t have much of any criteria about how it’s
> used.

So exactly the same as Android.

> There is no five year old iPhone that isn’t supported and receiving security
> patches.

And all of them have poorly updated userspace. There is no five year old
Android phone that has poorly updated userspace. All of those are insecure
except for the subset of Android devices that have properly updated base
system.

~~~
scarface74
_We already discussed this. iOS has a huge attack surface that can only be
patched via system updates, which is horribly bad design and terrible for
security._

And your theory isn’t supported by facts on the ground - we have statistics
about the percentage of iOS devices running the latest version of iOS versus
the number of Android devices.

Since iOS annoyingly asks you to upgrade when there is one available and you are
given a choice to automatically update when you're not using it, do you have a
reliable citation showing the number of iOS devices without the latest version
compared to the number of Android devices? Or do you just have a hunch?

------
pmarreck
Would be nice if Google finally came out with their own iMessage-like service
that texted over the Internet instead of 30 year old SMS

------
Bhilai
The recent barrage of security bugs in iOS makes me wonder if Apple has been
more lenient on their security posture in recent times.

It also shows that Google Project Zero is very successful in marketing their
work. There are several other players reporting security bugs in iOS
regularly, I see Tencent KeenLab, Pangu, Checkpoint, GaTech SSLab in the last
two releases to name a few, but very few have achieved similar recognition as
GPZ.

~~~
cheeze
I think it's clear that Apple security hasn't been as good as everyone would
like. Remember the disastrous Mac OS login bug?

------
jeffrallen
A fish, a barrel, and a smoking gun.

~~~
mktmkr
You are getting downvoted because the kids don't get the reference.

~~~
Operyl
No. You're both being downvoted because it didn't really add anything to the
conversation. It was just filler.

------
sambroner
Hard to tell what’s really going on here from this article. Although it seems
like five vulnerabilities were fixed and one remains (and google is being
unusually patient about the sixth issue)

One thing I’ve always struggled with is the strategy of these white hat teams.
I’m sure Google Zero spends a lot of time on Apple because Apple is an
enormous company, large partner, and competitor in some spaces.

So now I wonder: does the release of vulnerabilities ever get affected by
business agenda?

I assume it has to, although I’m not sure of the agenda here. In this case,
iMessage is in direct competition with a Google SMS protocol (although Google's
hasn't gained much traction). Maybe the vuln is less impressive than saying,
“there’s one more”?

~~~
kps
Project Zero, as evident from their bug tracker¹, is a Chrome security effort.
It looks at everything in the browsing stack — Chrome, libraries, plugins, OS,
processors, proxies — presumably because security can be broken anywhere in
the chain.

¹ [https://bugs.chromium.org/p/project-zero/issues/list?can=1](https://bugs.chromium.org/p/project-zero/issues/list?can=1)

~~~
samstave
How did you make the little ‘1’ ?

^1

~~~
jmgrosen
The wonders of Unicode: "Superscript One" has codepoint U+00B9.

~~~
samstave
But in the hn reply box, how do you type it?

------
finnthehuman
Project Zero works for the manufacturer of the largest data exfiltration
vector in human history and doesn't seem to be making meaningful progress on
fixing that.

All their bug reports come with a bad taste in my mouth.

~~~
_jal
I'm a citizen of a country that is likely responsible for more preventable
deaths than any other.

Guilt by association is in fact not completely unjustifiable. But either it
attenuates quickly, or every human you know must be shunned for ethical
reasons.

~~~
finnthehuman
I'm not judging the people that like finding exploits for a living, I'm
judging Google employing them while the rest of Google's business model is
directly opposed to user security.

~~~
jdgoesmarching
You’re upset that a deep-pocketed company is funding security research?

I have no love for Google but I’m extremely happy they found vulnerabilities
that could be patched on my phone before someone else did.

------
d2mw
Project Zero has always been disguised marketing, and IMHO an extremely nasty
form of it. I have no doubt they plan coordinated releases like this on a
regular basis

(these downvotes are confusing. Do you disagree that it is marketing? That
their approach is brutal? That they plan this regularly?)

~~~
VikingCoder
Giving a company 90 days to fix a problem that may be currently exploited,
harming end users, seems nasty to you?

We should all be so lucky as to have Project Zero handing us free bug reports
like that. Responsible companies PAY for bug reports on their products. Google
is handing them over for free.

~~~
Jasper_
Sure, but at the same time, when Google announced that Google+ had a huge
security breach of 52M accounts, they didn't publicly disclose it until well
after the fact because they didn't think it was serious enough. I wish Google
would follow their own principles.

~~~
tptacek
By that standard, literally no company in the industry is following these
principles, because internal findings are not routinely disclosed. Internal
vulnerability researchers have access to information outsiders don't, so you
can imagine, the bugs you're not hearing about are pretty lurid. Every major
tech company in North America spends millions annually on third-party software
security tests; did you think these just weren't turning things up? What did
you think was happening to the reports?

~~~
bzbarsky
For what it's worth, Mozilla routinely discloses internal findings, subject to
the same policy as external findings: the bug report is opened up once the fix
has shipped to a sufficient fraction of users.

So it's not "literally no company". ;)

Disclosure: I work for Mozilla and I have reported a number of security bugs
on our code, the vast majority of which are now public.

~~~
tptacek
Mozilla certainly discloses _more_ than other vendors do, but I'm talking to
Mozilla security team members about this now, and maybe one of them can jump
in here and correct me, but I don't think they can claim that _all_ their
internal findings are reliably (and meaningfully, in advisory form) disclosed.

Regardless: that's a good point. I should have said, public disclosure of
internal findings is not _an industry norm_. Mozilla is a good counterexample
to the argument that _everyone_ close-holds internal findings.

~~~
bzbarsky
That's a good point about advisories. All the findings are public eventually
in the form of non-hidden bug reports, but not all may have advisories issued.
Doubly so if the finding happens before the affected code had first shipped in
a release (so buggy code gets checked in, then internal testing finds a
security bug in it before it ships, and that bug is fixed).

