Apple Accuses Google of “Stoking Fear” Over iOS Security – Google Says It Stands By Its Findings
Apple isn't happy about Google's recent report that revealed how some malicious websites secretly targeted iPhones using iOS exploits that enabled attackers to spy on the victims.
Google's Project Zero report was apparently so damaging that just a few days after it went live, Zerodium - the top bug bounty program - increased the value of Android exploits to up to $2.5 million. In comparison, bounties for iOS zero-days max out at $2 million.
There may be other reasons for this, but bug bounties hint at how secure a platform is considered in the industry and how difficult it is to find zero-day exploits. With several reports in the past couple of years focusing on iOS exploits and security issues, people who normally consider only iPhones for security purposes are now beginning to think about Android. Google's mobile operating system is also getting more secure by the day, with several OEMs now offering timely security and software updates.
This is where Apple's problems come in.
Apple says Google is creating "false impression" about iOS security
The iPhone maker usually doesn't like paying attention to these reports unless things get serious. In a statement, Apple said today that it was a "sophisticated attack," which was "narrowly focused" and wasn't as "en masse" as Google suggested in its Project Zero report.
"The attack affected fewer than a dozen websites that focus on content related to the Uighur community," Apple said, adding:
Google’s post, issued six months after iOS patches were released, creates the false impression of “mass exploitation” to “monitor the private activities of entire populations in real time,” stoking fear among all iPhone users that their devices had been compromised. This was never the case.
Google's report had also noted that iOS versions 10 through 12 were affected by these vulnerabilities, hinting that the attackers may have exploited these bugs for over two years. Apple disputes this, saying that "all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not 'two years' as Google implies."
Given the severity of the issue, Google privately disclosed the bugs to Apple and gave the company only seven days to fix them. Apple was also quick to address these problems, fixing them with the release of iOS 12.1.4 back in February.
Apple said that it was already "in the process of fixing the exploited bugs" when Google had contacted it.
iPhone maker hasn't shared any technical details of the attack
We tried to reach out to Apple to get a clarification on how many users it estimates were targeted in this attack, but the company is keeping its usual silence. Apple hasn't shared any technical details or argued against those shared by Google's Project Zero team. The company's only argument against Google's report is that the attack wasn't widespread or active for as long as Google has said.
When we contacted Google about Apple's recent statement, the Android maker said that it stands by its security research team. In an emailed statement to Wccftech, a Google spokesperson wrote:
“Project Zero posts technical research that is designed to advance the understanding of security vulnerabilities, which leads to better defensive strategies. We stand by our in-depth research which was written to focus on the technical aspects of these vulnerabilities. We will continue to work with Apple and other leading companies to help keep people safe online.”
We will update this space if Apple shares any further information about this problem. You can read Apple's complete statement here, but it's the usual corporate "we care about our users" lingo. This strategy of saying just enough usually works for Apple, but it's perhaps time for the Cupertino tech giant to avoid using Facebook-like "Newspeak" and come clean to its users.
Only recently, Apple was caught up in the Siri contractor issue, which only came to the surface because of an investigative report. In response to that issue, Apple said that it hadn't been fully living up to its high ideals. As we said at the time, these reports only raise concerns about whether there are more minefields hidden inside the ecosystem that just haven't been discovered yet.
"Security is a never-ending journey and our customers can be confident we are working for them," Apple reassures in its latest statement, adding that "iOS security is unmatched."
This is where things become problematic for users. Apple users have ended up relying 100% on the company to take care of their security concerns. They believe that the company is taking what Apple calls "end-to-end responsibility" for the security of both its hardware and software. But does it? Apple users didn't even learn about this exploit until a third party detailed it. February's iOS 12.1.4 changelog makes no mention of the attack and turns a critical problem into just another bug that was fixed.
While many Apple fans fall back on the "but Android is worse" debate, the security-conscious consumer who considers the iPhone for its privacy and security promises - not just out of fandom - may just start paying attention to the alternatives.