Several months after the release of iOS 9, Duo Labs used our exclusive collection of endpoint data to release an analysis of devices that continued to use outdated software. We’re revisiting that analysis here to learn whether the iOS 10 rollout continued to show the same patterns.
Why Do iOS Upgrades Matter?
Unpatched devices are vulnerable devices.
In contrast to its desktop operating system, Apple generally does not continue to support old versions of iOS with security patches after a new version has been released. That means users who choose not to upgrade to a new version are not just opting out of new features and user experience changes; they are also opting to continue running vulnerable software.
Adoption of iOS 10
According to Apple, 79% of iPhone users are now on iOS 10 as of February 20, 2017. iOS 10 offered numerous improvements including:
- A revamped Apple Music user experience
- Siri integration with third party apps
- Improvements to Apple maps
- The ability to delete default apps
- Widgets on the lock screen
By all accounts, users should have been motivated to take advantage of this free upgrade. But despite the relative ease of doing so, users delayed applying updates as they became available. This matches the behavior we have seen with past releases. As with the release of iOS 9, we found that 85% of users had not upgraded within 7 days of release. At 90 days after release, a third were still running outdated software.
Factors Driving Adoption
One might think that, despite controversy about elimination of the headphone jack, purchases of new iPhone 7 hardware would be a major factor in the prevalence of iOS 10. Apple ships new phones with the latest operating system preinstalled. However, Duo’s data does not bear this out.
At 10 days after release, the iPhone 7 accounted for barely 1% of iOS devices using Duo’s services, and this rose steadily to just over 10% in the first 90 days of availability. So purchases of new hardware account for only a small portion of up-to-date device software.
On the other end of the spectrum, we have users who could not upgrade to the most recent operating system even if they wanted to. We found that 90 days after the release of the iPhone 7, about 6% of iOS devices in use were too old to receive updates, including security fixes, from Apple.
With 10% of phones shipped with the latest operating system and another 6% unable to upgrade, we’re left with about 84% of users who have a choice about whether or not to upgrade. Nearly a third of these users choose not to do so. We might hope that end users are simply cautious about major software updates and would react differently toward an update focused on security fixes rather than new features.
Sadly, the opposite is true. On October 24, 2016, Apple released iOS 10.1, containing security patches as well as fixes to numerous non-security bugs. Users installed it at significantly lower rates in the first five days of availability than they had installed iOS 10 a month earlier.
It seems that new features, rather than bug fixes, compel most users to upgrade.
Adoption Varies Across Industries
Some industries significantly lead others in the adoption of iOS updates. End users employed at electronics and consumer web companies are nearly twice as likely to update within 30 days compared to users working in the energy or federal government sectors.
Though we have not yet studied the underlying causes of these industry differences, we do know that some organizations actively discourage timely updates because of compatibility and stability concerns, such as those related to mobile device management. A 30 day window, as used in the figure above, should minimize those factors, so the differences bear further investigation.
In any case, visibility by administrators into their end users’ device state is the first step in forming a strategy to ensure that unpatched devices are not exposing your organization to unnecessary risk.
As a security professional, you should recognize that allowing unpatched devices on your network introduces unnecessary risk of compromise. Company-issued laptops are usually subject to policies that ensure they stay up-to-date, but with many organizations supporting BYOD policies, this is less often the case with mobile devices. So what can you do? To echo our past advice, you should:
- Educate your users about the importance of applying updates in a timely manner.
- Help users apply updates when it is convenient for them. Many users are not aware that they can schedule iOS updates to run while they are sleeping!
- Deploy an endpoint security solution to help ensure the security hygiene of all devices accessing your network.
- Limit access from untrusted endpoints to your internal network.
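The three buckets used in the analysis above (current, outdated by choice, too old to be updated) and the last two recommendations (visibility into device state, limiting access from untrusted endpoints) can be expressed as a small inventory check. The following is an added example, not Duo’s code or a Duo product feature: it runs over a constructed sample inventory, and the latest-release version, the set of models that cannot receive iOS 10, the `Device` record shape and the 30 day grace period are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Added example, not Duo's code: a small inventory check an administrator could
# run over their own endpoint records. Every record below is constructed.

IOS_10_1_RELEASE = date(2016, 10, 24)   # release date stated in the post
LATEST_IOS = (10, 1)                     # assumption: 10.1 is the newest release at check time
# Assumption: models that cannot receive iOS 10 at all. Take the real list from
# Apple's compatibility notes; this placeholder set only drives the example.
CANNOT_UPGRADE_MODELS = {"iPhone 4S"}


@dataclass
class Device:
    device_id: str
    model: str
    ios_version: str


def parse_version(version):
    """'10.1.1' -> (10, 1, 1); tuples compare component-wise, so (10,) < (10, 1)."""
    return tuple(int(p) for p in version.split("."))


def classify(device, latest=LATEST_IOS, cannot_upgrade=CANNOT_UPGRADE_MODELS):
    """Bucket a device the way the post does: current, outdated by choice,
    or too old to be updated by Apple at all."""
    if device.model in cannot_upgrade:
        return "cannot_upgrade"
    if parse_version(device.ios_version)[:len(latest)] >= latest:
        return "current"
    return "outdated"


def summarize(devices):
    """Counts per bucket plus the share of devices that had a choice and did
    not take it (the post's 'nearly a third' figure for its own data)."""
    counts = {"current": 0, "outdated": 0, "cannot_upgrade": 0}
    for d in devices:
        counts[classify(d)] += 1
    had_choice = counts["current"] + counts["outdated"]
    counts["outdated_share_of_choosers"] = (
        counts["outdated"] / had_choice if had_choice else 0.0
    )
    return counts


def access_decision(device, today, grace_days=30, release=IOS_10_1_RELEASE):
    """Access policy for the internal network. Devices that can never be
    patched are treated as untrusted; outdated devices get a grace period after
    the release, then are limited to a restricted segment. grace_days is an
    assumed policy value, not one the post recommends."""
    bucket = classify(device)
    if bucket == "current":
        return "allow"
    if bucket == "cannot_upgrade":
        return "restrict"
    if today - release <= timedelta(days=grace_days):
        return "allow_with_reminder"
    return "restrict"


# Constructed sample inventory (device ids, models and versions are made up).
SAMPLE_DEVICES = [
    Device("d1", "iPhone 7", "10.1"),
    Device("d2", "iPhone 6", "10.1.1"),
    Device("d3", "iPhone 6", "10.0.2"),
    Device("d4", "iPhone 5s", "9.3.5"),
    Device("d5", "iPhone 4S", "9.3.5"),
    Device("d6", "iPhone 6s", "10"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_DEVICES))
    for d in SAMPLE_DEVICES:
        print(d.device_id, classify(d), access_decision(d, date(2016, 12, 1)))
```

The classification deliberately checks the model before the version so that a device that can never be patched is never mistaken for one that merely has not been patched yet; the two groups call for different responses (hardware replacement versus a reminder and, eventually, restricted access). Replace the constructed inventory with an export from your MDM or endpoint tooling to get the same three numbers for your own fleet.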