
If You Care About Security, Throw Away Your iPhone 4 Right Now

Posted on September 23rd, 2014 by

With the release of iOS 8—perfectly timed with the launch of the iPhone 6 and the trouser-bulging iPhone 6 Plus—Apple has continued its long and proud tradition of essentially forcing you to throw out your old iPhone and buy a new one.

Why do I say that? Because iOS 8, the latest version of their mobile operating system, is packed with security fixes – none of which are coming to iOS 7.

And, sadly, if you are still using an iPhone 4, iOS 8 is simply unavailable to you. iOS 7 is the end of the road as far as you are concerned.

Which means you have a choice.

You can either buy a more recent model of the iPhone (and upgrade it to iOS 8 if it isn’t already pre-installed), switch to an Android (I can hear you gagging already…), or stick with your once proud iPhone 4 running iOS 7 and run the gauntlet of being exploited by the myriad of threats which will never get patched.

To be honest, none of these are terribly attractive options.

Why not buy a more recent iPhone?

Your iPhone 4 has probably served you well for years as a mobile phone, and allows you to browse the web and perform any number of functions without difficulty. Its battery may be getting a little long in the tooth and not last as long as it once did (the lack of replaceable batteries could be argued to be another way in which Apple builds obsolescence into its devices), but there are workarounds for that to keep you topped up during the course of the day.

Buying a newer iPhone just to keep it secure from vulnerabilities is a costly option for those with tight budgets. And tough luck if you actually *liked* the iPhone 4 because of its smaller size, compared to the later iPhone 5, the beefier iPhone 6 and the palm-stretching colossus that is the iPhone 6 Plus.

Why not buy an Android?

Switching to Android isn’t going to be attractive to many either. After all, you’ve invested in the Apple ecosystem by making app purchases, and learnt how the iOS operating system works. You may have been turned off by Android in the first place by the significantly larger malware threat affecting the platform.

Furthermore, and thanks to Jon Ribbens on Twitter for reminding me of this, it’s not as though many Android devices don’t have their own fair share of problems when it comes to receiving OS updates.

Why not stick with what you’ve got?

Which leaves, of course, sticking with your iPhone 4 running iOS 7. That would be fine if so many security vulnerabilities in iOS 7 hadn’t been fixed in iOS 8. And it’s not as though the software flaws are academic and unlikely to be a threat in the real world.

Of particular concern is a memory-corruption issue in iOS’s core graphics library, which could open opportunities for attackers to remotely exploit Safari on iPhones and iPads still running iOS 7.1.x.

According to security researchers at Binamuse, who discovered an exploit kit which exploited the CVE-2014-4377 vulnerability, attackers could potentially create a boobytrapped PDF file and embed it on a webpage to attack vulnerable devices running iOS 7.1.x, and gain complete control of victims’ iPhones, iPod Touches and iPads.

In short, your iPhone 4 is not updated and it can be exploited just by browsing to a dangerous webpage.

But this is just one of many vulnerabilities that iOS 8 fixes, and who knows what future flaws later updates to iOS 8 will fix, which will remain forever unpatched on iOS 7.

Apple should patch iOS 7… but probably won’t

Apple should really do the right thing and patch iOS 7 for those millions of users who are either unable or unwilling to update their operating system. Sadly, I can’t see that happening…

I know that Apple doesn’t want to get into a Microsoft-style situation (remember Windows XP?) where it finds itself struggling to keep an ancient operating system secure long after it should have been dumped. But the iPhone 4 was first launched on the world in mid-2010, and was still being sold in some countries until early this year.

To be selling a product less than a year ago, and for it now to be inherently risky from the security point of view, feels like a company that doesn’t care about the safety of some of its most vulnerable customers – those who can least afford to shell out hundreds of dollars for the very latest gadget.

Do you think Apple is right to leave iOS 7 users in the lurch, or should they do more to support those who bought the iPhone 4 and earlier devices? Leave a comment with your point of view.

About Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Follow him on Twitter at @gcluley.