Apple quietly stops meaningful auto-updates in iOS

Credit to Author: Evan Schuman | Date: Tue, 05 Apr 2022 09:14:00 -0700

In the mobile world pitting Apple’s iOS devices against Google’s Android devices, Apple has historically had one distinct advantage: patches and updates.

Given the fragmented nature of Android (hundreds of handset manufacturers versus just one for iOS), it is simply far easier for Apple to quickly and efficiently push out updates in a way that allows a large percentage of users to get updates quickly. That has been true regardless of whether it’s new functionality or a critical security patch.

So what’s the problem? Craig Federighi, Apple’s senior vice president of software engineering, has quietly said that Apple has dramatically slowed down auto updates — by as much as a month.

In a Reddit conversation with user Mateusz Buda — it was first reported by Forbes — Federighi said: “We incrementally rollout new iOS updates by first making them available for those that explicitly seek them out in Settings. And then 1-4 weeks later — after we’ve received feedback on the update — ramp up to devices with auto-update enabled.”

In short, despite activating auto-update, users may wind up waiting a month for a security patch unless they dig into settings every day on the off chance there’s an update to be found. 

This raises so many questions and some very serious concerns for IT and security admins whose users work with iPhones and iPads for business. 

First, doesn’t this directly contradict the implied intent of auto-update? Users select this option so that they are best protected. The users who are willing to wait are the ones that would have never chosen auto-updates.

By the way, auto-updates themselves are not necessarily the safest route. Apple updates have a history of doing bad things to iOS devices. It wouldn’t necessarily be a bad IT policy to deliberately not install the latest updates and to wait to see whether a new update causes things to blow up. Why be a guinea pig if you don’t have to, right? That said, this can be dealt with by delaying things a day or two, not for a month.

Not flagging security patches is a tremendous problem. Once a security hole is discovered, bad guys move in immediately, hoping to steal or disrupt what they can before the world patches the hole. Apple creating a patch and keeping it quiet — in terms of lagging auto-updates — is nothing shy of reckless.

This means IT (or someone who focuses on security) must check every day for updates and then choose whether to blast that news out by message or email to all users. That would be fine had IT instructed users to not accept auto-update, but for those who wanted users to choose auto-update, it is decidedly not good.

From a marketing perspective, Apple is hurting itself. One of the key security arguments for Apple/iOS over Google/Android has been faster updates/patches. Apple is handing Google’s Android a great marketing win by undermining one of Apple’s best advantages and differentiators. And by not publicly announcing this on their homepage and via a news release, Apple comes across as hiding this and deceiving their users. Admitting this in a Reddit chat seems an odd way to tell people.

In effect, Apple is turning its more security-conscious users into beta-testers. It seems to be deliberately discouraging most people from patching, so Apple can catch bugs missed internally. That’s a beta program. People expect to be invited to do that and told that they are doing that.

There is a compromise move that Apple could have considered: place a blatant red alert on the devices announcing that there is an update available, which Apple sometimes has done. But it won’t install without the user taking explicit action. This saves users and IT the effort of searching for possible updates, while also not installing the updates automatically for a month.
