The changelog for iOS 12.5.6 mentions a fix for a Webkit exploit, so I guess Webkit was updated? The current version of Webkit/Safari doesn't run on iOS 12 (released in 2018) though (as far as I'm aware).
On a side note, if we want to use this as proof of good long term support, then Android is even better. Phones running Android 7 (2016) are using the latest Chrome/Webview version (108). The difference is that updates are delivered via the Play Store and not as system updates.
> The difference is that updates are delivered via the Play Store and not as system updates.
You're claiming that the security issue detailed in the article will be fixed through the Play Store, for devices no longer receiving updates from the device maker?
There are advantages to the iOS model of six years of full support followed by security updates for many years later, especially when an actively exploited issue is discovered.
> You're claiming that the security issue detailed in the article will be fixed through the Play Store, for devices no longer receiving updates from the device maker?
Yes. The Webkit equivalent (Webview) is updated via the Play Store ( https://play.google.com/store/apps/details?id=com.google.and... ). A bug on Webview would be fixed with an app update, which doesn't even require a restart. Makes sense if we think about it... we don't need a system update to update Chrome/Firefox/Edge/Safari on our computer.
On iOS, a fix or new features on the email, photos, phone, messages, etc, apps are presented as a security/new OS update. On Android, you get an app update.
It's not only apps, they can also update system parts. For example, if there's an issue with the "module" that deals with media, wifi/bluetooth, etc, Google can issue an update and the phone receives it via the Play Store. This article (scroll down) has a list of all modules that can be updated: https://blog.esper.io/what-is-project-mainline/ . I don't know if it's from Google or the different SoC makers, but they can also update things like GPU drivers on newer devices (the user obviously doesn't see any of this).
And Google can backport features without updates from the brand. For example, during the pandemic, Apple and Google added support for Covid apps... in Google's case, they released an update via the store and every phone going back to Android 6 (2015) got it. That's also how they added support for earthquake detection/warnings, nearby share (similar to airdrop), etc.
> There are advantages to the iOS model of six years of full support followed by security updates for many years later, especially when an actively exploited issue is discovered.
Long term support is good and Apple is ahead here offering 5 or 6 major updates. However, it's important to understand what these "security updates" bring.
The iPhone 5s isn't as secure as the iPhone 14 because iOS 12 isn't supported any more. This security update, which was essentially a browser update, reminds me of Microsoft releasing a patch for EOL Windows XP or Win 7 because some malware was taking computers left and right. They fixed one problem, but many remain and you can't consider XP to be safe.
I have used iPhones before (iPhone 5) and am aware of the benefits of Apple's system updates, but we're screwed when those 5 or 6 major updates end. Your browser might get a patch like this, but it's still outdated and doesn't support new web features. On Android, because they are detached from the system, the device maker could be out of business and your 6 year old device running an old Android build will have the latest Chrome, photo gallery, email, etc.
> A bug on Webview would be fixed with an app update
TFA isn't about web browsers. It's about the security keys for multiple vendors leaking to the public.
> Łukasz Siewierski, a member of Google's Android Security Team, has a post on the Android Partner Vulnerability Initiative (AVPI) issue tracker detailing leaked platform certificate keys that are actively being used to sign malware. The post is just a list of the keys, but running each one through APKMirror or Google's VirusTotal site will put names to some of the compromised keys: Samsung, LG, and Mediatek are the heavy hitters on the list of leaked keys, along with some smaller OEMs like Revoview and Szroco, which makes Walmart's Onn tablets.
These companies somehow had their signing keys leaked to outsiders, and now you can't trust that apps that claim to be from these companies are really from them. To make matters worse, the "platform certificate keys" that they lost have some serious permissions.
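As an added example (not part of the thread and not any vendor's tooling), one way to check APKs against a list of leaked signing certificates: it parses the output of `apksigner verify --print-certs` and flags every signer whose certificate digest is on a blocklist. It assumes the leaked certificates are identified by SHA-256 digest; the blocklist values, APK names and sample reports are constructed placeholders.

```python
import re

# Constructed placeholders. Real values would be the SHA-256 digests of the
# leaked platform certificates; this page does not list them.
LEAKED_CERT_SHA256 = {"aa" * 32, "bb" * 32}

# Line printed by `apksigner verify --print-certs` for each signer.
DIGEST_LINE = re.compile(
    r"^Signer #(\d+) certificate SHA-256 digest:\s*([0-9A-Fa-f:]+)$")


def normalize(digest):
    """Lowercase hex without colon separators, so formats compare equal."""
    return digest.replace(":", "").lower()


def signer_digests(apksigner_output):
    """Return {signer number: normalized SHA-256 digest} from one report."""
    found = {}
    for line in apksigner_output.splitlines():
        m = DIGEST_LINE.match(line.strip())
        if m:
            found[int(m.group(1))] = normalize(m.group(2))
    return found


def flag_leaked(reports, blocklist=LEAKED_CERT_SHA256):
    """reports maps APK name -> apksigner output. Returns (apk, signer, reason)."""
    blocked = {normalize(d) for d in blocklist}
    hits = []
    for apk, output in sorted(reports.items()):
        digests = signer_digests(output)
        if not digests:
            # Fail closed: an APK with no parsable signer is not "clean".
            hits.append((apk, None, "no signer digest parsed"))
        for number, digest in sorted(digests.items()):
            if digest in blocked:
                hits.append((apk, number, "leaked cert " + digest))
    return hits


# Constructed sample reports (hypothetical APK names and certificate DNs).
SAMPLE_REPORTS = {
    "oem_service.apk": "Signer #1 certificate DN: CN=Example OEM\n"
                       "Signer #1 certificate SHA-256 digest: " + "AA" * 32 + "\n",
    "notes.apk": "Signer #1 certificate DN: CN=Example Dev\n"
                 "Signer #1 certificate SHA-256 digest: " + "12" * 32 + "\n",
    "truncated.apk": "DOES NOT VERIFY\n",
}
```

A hit only says the signature no longer proves origin: a vendor's genuine apps signed with the same certificate match too, so the result has to be weighed against where the APK came from.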