Apple makes clear that Google’s claims of mass exploitation of Apple’s software are overreaching and inaccurate. Assuming the truth of the underlying facts as to the scope and duration of past problems, I believe the appalled reactions aren’t excessive. Apple has claimed invulnerability as a key part of its advertising for years. Apple may do a better job protecting its customers than many others, but they can no longer claim total purity. For those who believed in total protection, this is a definite shock.
Apple issues statement refuting Google’s ‘false impression’ of iOS security [u]
Apple has challenged some of Google’s claims regarding iOS vulnerabilities, and stresses that its own ‘end-to-end’ security systems are ‘unmatched’ by its rivals.
In a rare public response, Apple has issued a press release specifically to address recent claims by Google concerning security vulnerabilities within iOS. Apple disagrees with Google’s estimate of how long these vulnerabilities were open to attack, and how many websites were affected.
Apple also states that it addressed the issues promptly and accuses Google of deliberately causing concern for iPhone users.
“Google’s post, issued six months after iOS patches were released,” says the release, “creates the false impression of ‘mass exploitation’ to ‘monitor the private activities of entire populations in real time,’ stoking fear among all iPhone users that their devices had been compromised. This was never the case.”
“The attack affected fewer than a dozen websites that focus on content related to the Uighur community.”
Apple says Google’s claim that the websites exploiting these vulnerabilities were able to attack users for two years is grossly inflated.
“All evidence indicates that these website attacks were only operational for a brief period, roughly two months,” the statement continues.
“We fixed the vulnerabilities in question in February — working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs.”
Apple’s release concludes with a statement claiming that iOS has unmatched security, and in a criticism of Google, says that it is because “we take end-to-end responsibility.”
The complete text of Apple’s statement reads:
Last week, Google published a blog about vulnerabilities that Apple fixed for iOS users in February. We’ve heard from customers who were concerned by some of the claims, and we want to make sure all of our customers have the facts.
First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones “en masse” as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community. Regardless of the scale of the attack, we take the safety and security of all users extremely seriously.
Google’s post, issued six months after iOS patches were released, creates the false impression of “mass exploitation” to “monitor the private activities of entire populations in real time,” stoking fear among all iPhone users that their devices had been compromised. This was never the case.
Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not “two years” as Google implies. We fixed the vulnerabilities in question in February — working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs.
Security is a never-ending journey and our customers can be confident we are working for them. iOS security is unmatched because we take end-to-end responsibility for the security of our hardware and software. Our product security teams around the world are constantly iterating to introduce new protections and patch vulnerabilities as soon as they’re found. We will never stop our tireless work to keep our users safe.
Google later responded to Apple’s press release in a statement to The Verge.
“Project Zero posts technical research that is designed to advance the understanding of security vulnerabilities, which leads to better defensive strategies. We stand by our in-depth research which was written to focus on the technical aspects of these vulnerabilities. We will continue to work with Apple and other leading companies to help keep people safe online,” a Google spokesperson said.
Updated with statement from Google.