Apple’s VP of software, Craig Federighi, told Reddit user Mateusz Buda that automatic iOS updates can take up to four weeks to roll out to all users, in part due to Apple’s caution. So, if it can take a month for essential security updates to arrive on your device, why bother with auto updates at all?

“Without automatic updates, there’s a risk people might not opt-in for the updates at all—meaning their personal data (like logins, financial info, etc.) is at risk for cybercriminals to snatch up,” Caroline Wong, Chief Strategy Officer at the cybersecurity company Cobalt, told Lifewire via email. “Updates are easy to forget, so I always recommend going with auto-updates. Nowadays, they even happen while you sleep so as to not inconvenience people.”
Security
Automatic updates work great, until they don’t. In 2019, the iOS 13 release was a disaster, with problems in the camera app, AirDrop, and iMessage, app crashes, cellular data disconnection, and much more. It also felt unfinished and rushed. This put a significant blemish on Apple’s otherwise excellent reputation for software updates, most of which go smoothly. It may also have caused many people to hold back on updates and perhaps to turn off automatic updates altogether, which would be a major mistake.

There are two parts of software updates that interest users. One is security fixes and enhancements; the other is new features. Features are more appealing, for sure, but the security fixes are the most important. And most important of all are the updates that fix zero-day exploits, a cool-sounding name for security exploits that have ‘zero days’ of history. Hackers might save these up and deploy them before platform vendors have a chance to fix them.

“It absolutely matters how long you wait to run a security update,” Dr. Chris Pierson, CEO of cybersecurity company BlackCloak, told Lifewire via email. “Users should immediately patch devices that have updates which address zero-day security vulnerabilities—especially those who are higher risk individuals. Think of it this way: if the front door of your house fell off, how long would you wait to get that fixed?”
Automatic
According to Federighi’s email reply, Apple rolls out its updates incrementally. First, they are available only to those who open up the Settings or System Preferences app and manually trigger the update. Then, automatic updates start to roll out “1-4 weeks later,” after Apple has received feedback on the update. This turns the most eager of us into large-scale beta testers for these updates, and Apple can catch any problems and fix them before pushing the patch to its billions of users.

This is a pragmatic approach, and it avoids updates that cause more damage than they fix, but it’s not perfect. The biggest risk is that, once a fix for a zero-day exploit is published, everyone learns about the existence of that exploit. This starts a race. Can hackers and malware vendors develop a way to use the security hole before the patch is applied to everybody’s device? Even if all Apple users have automatic updates enabled, there’s still a 1-4 week window in which users remain quite vulnerable to attack.

“Software updates are do-or-die for security, they keep our devices up to date and prevent old security vulnerabilities from being used against us. Why would you want to risk attack from a bug that has already been fixed?” Tyler Kennedy, creator of the iMessage anti-spam app Don’t Text, told Lifewire via email.

The message is that you should keep automatic updates switched on. If this kind of thing doesn’t bother you, then you will at least be sure to get those updates eventually. Even if you prefer to manually apply updates as soon as possible, the automatic update is a safety net, especially on devices you might not use as often. And Apple’s safety-first method of slowly rolling out the fix means that there shouldn’t ever be another iOS 13 moment, so even cautious users can keep auto-updates enabled without worrying.