Considering security updates, do you think iOS has an advantage in speed? Apple is usually able to roll out security updates to all supported iPhones —often for five or six years— nearly instantly, including critical zero-day fixes, which can be deployed overnight. In comparison, while Pixel devices get immediate updates (but they're only available in a handful of countries), Android devices from other manufacturers depend on their update schedules, which can be slow and inconsistent and often end after about three or four years. Even with top players like Samsung, there are weeks of delay, especially for non-flagship or older models. In your view, does the pace and longevity of Apple's security updates tip the balance in their favor, or am I just being biased?
Yes, absolutely (though Apple does not actually ship anything overnight). In fact, when I worked on Android, one of the frustrations I ran into was the slow pace of rolling out security improvements. While Pixel phones get fixes quickly enough, the majority of the world is not actually on Pixel devices, so if you want to ship changes you need to get OEMs on board, and then also have users on devices that are still being supported. A lot of the people we covered would simply not get any improvements until they literally bought a new device, in areas of the world with some of the longest lifecycles for those devices.
I switched from Android to iOS because Google forced updates to my phone somehow, even though I had internet access disabled. I only used it as a phone: no email, web browsing, etc. My phone (Blu R2) was a few years old, and after the update, all kinds of stuff was broken. For example, zooming a picture would cause the messaging app to crash. So once that update was installed, I had to enable updates continuously to try to get back to a working phone. But instead, things just kept getting worse. I gave up and bought an iPhone XR on eBay for half retail price.
Most HN folks think diversity is a good thing, and I'm not saying it isn't, but it does have its disadvantages. In my case, I could probably buy new Android phones at least 3x more often than iPhones based on cost, but a lot of people (me) don't want to be fiddling with new phones every year or two. It was apparent to me that Android updates are not tested thoroughly on older phones. I understand that would be hard because there is a huge variety of hardware, but it's a significant downside of Android IMO.
It's not correct because he states "That's why it's best to use secrets as files". This is even worse than storing it in an ENV variable, because in this case you just need read access to the file system instead of needing code execution; if you have RCE with the same privilege level as the application, you will have access to the secret anyway.