Earlier this year, FireEye found that malicious substitute apps could be downloaded and installed without the user having to tap Trust. Last week, the same research firm announced it had found 11 iOS apps in the Hacking Team data breach that were designed to exploit Masque Attack. These apps didn't even require a jailbroken phone.
I'll be honest: even though this is part of my bread and butter, I didn't hear about last week's announcement for a few days--because iOS 8.1.3 closed some holes and 8.4 some others, so it didn't cause a blip online. In response to researchers who found some related problems in June that relied on the Mac and iOS App Stores, Apple repaired some of the exploits and said it was researching the rest. Ostensibly, critical fixes will appear in iOS 8 releases to come, and full fixes in iOS 9. Versions before iOS 8 haven't been patched.
Why are Apple critics shouting fragmentation and a lack of support for older devices? Why aren't we seeing malware in abundance for vulnerable hardware that could be exploited by well-documented flaws? Because most iOS users are running iOS 8.
Why was iOS 6 afraid of iOS 7?
Somewhere from 10 to 20 percent of devices are running iOS 7 or an earlier version. MixPanel pegs it at 10 percent, while David Smith's tracking of usage related to his Audiobooks app puts it around 20. Over a billion iOS devices have been sold since the first iPhone, but it's impossible to know how many remain in use unless Apple were to provide figures. I suspect at least 30 percent, if not many more, have joined the choir invisible, and that somewhere in the 700 million range are in use.
So 70 to 140 million users of systems that predate iOS 8 (and most iOS 8 users have upgraded to 8.4) seem like a large audience to exploit, even though a significant portion are using older devices. However, there are somewhere in the 1.5 billion range of Android devices in use, and vendors still sell hardware that runs versions prior to Android 5--that's about 1.2 billion previous-version Android users, a good portion of them on phones. Faced with 70 million potential victims or over a billion, after an exploit just affected 95 percent of all Android phones in use, which would a malware developer seek to find flaws in?
It would be exceedingly smart and polite of Apple to maintain a patch tree for critical flaws that propagated back a version even if it were only for devices that are incapable of being upgraded to a newer iOS release. It hasn't done so in the interests of keeping the pressure on people to run the latest and greatest, which has an impact on folks buying new apps and using new paid services. And old hardware is dying every day, making the universe of devices to exploit ever smaller.