Apple issues statement refuting Google's 'false impression' of iOS security [u]

Apple has challenged some of Google's claims regarding iOS vulnerabilities and stressed that its own 'end-to-end' security systems are 'unmatched' by its rivals.

In a rare public response, Apple has issued a press release specifically to address recent claims by Google concerning security vulnerabilities within iOS. Apple disagrees with Google's estimate of how long these vulnerabilities were open to attack, and how many websites were affected.

Apple also states that it addressed the issues promptly and accuses Google of deliberately causing concern for iPhone users.

"Google's post, issued six months after iOS patches were released," says the release, "creates the false impression of 'mass exploitation' to 'monitor the private activities of entire populations in real time,' stoking fear among all iPhone users that their devices had been compromised. This was never the case."

"The attack affected fewer than a dozen websites that focus on content related to the Uighur community."

Apple says that Google's claim that websites which exploited these vulnerabilities were able to attack users for two years is grossly inflated.

"All evidence indicates that these website attacks were only operational for a brief period, roughly two months," the statement continues.

"We fixed the vulnerabilities in question in February — working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs."

Apple's release concludes with a statement claiming that iOS has unmatched security, and in a criticism of Google, says that it is because "we take end-to-end responsibility."

The complete text of Apple's statement reads:

Last week, Google published a blog about vulnerabilities that Apple fixed for iOS users in February. We've heard from customers who were concerned by some of the claims, and we want to make sure all of our customers have the facts.

First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones "en masse" as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community. Regardless of the scale of the attack, we take the safety and security of all users extremely seriously.

Google's post, issued six months after iOS patches were released, creates the false impression of "mass exploitation" to "monitor the private activities of entire populations in real time," stoking fear among all iPhone users that their devices had been compromised. This was never the case.

Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not "two years" as Google implies. We fixed the vulnerabilities in question in February — working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs.

Security is a never-ending journey and our customers can be confident we are working for them. iOS security is unmatched because we take end-to-end responsibility for the security of our hardware and software. Our product security teams around the world are constantly iterating to introduce new protections and patch vulnerabilities as soon as they're found. We will never stop our tireless work to keep our users safe.

Google later responded to Apple's press release in a statement to The Verge.

"Project Zero posts technical research that is designed to advance the understanding of security vulnerabilities, which leads to better defensive strategies. We stand by our in-depth research which was written to focus on the technical aspects of these vulnerabilities. We will continue to work with Apple and other leading companies to help keep people safe online," a Google spokesperson said.

Updated with statement from Google.



61 Comments

gatorguy 13 Years · 24627 comments

As they should.

iOS is not insecure, nor should it be inferred it is when rare exploits are exposed. 

mjtomlin 20 Years · 2690 comments

Good for Apple.

The importance of Google’s Project Zero cannot be overstated, but the handling of this issue was sloppy and irresponsible. It’s now obvious this was little more than a smear campaign against Apple as the issue was not only fixed in a timely manner 6 months ago, but singling out iOS as the only target was disingenuous when vulnerabilities in Windows and Android were exploited as well.

There is no way the Project Zero team did not know ALL the facts of this “attack” and it’s apparent that Google marketing must’ve stepped in and decided to publicly disclose only certain aspects to disparage iOS.

davgreg 9 Years · 1050 comments

gatorguy said:
As they should.

iOS is not insecure, nor should it be inferred it is when rare exploits are exposed. 

Ask the NSA.

Your iOS may not be insecure, but your iPhone most likely is.
NIST and the NSA introduced backdoors in standards for the baseband radios, hacked the makers of SIM cards, etc.
Police all over have Stingrays that spoof cell towers and sweep up the data of people without a warrant or probable cause.
Then there are security issues related to the ISP/wireless ISPs and how they process and handle your data.

After all that, then you get to weaknesses in the UNIX base, the open source technologies incorporated into iOS, Apple’s own proprietary software and protocols and then the apps running on iOS from 3rd party vendors.

Finally do not forget that Apple runs some services on AWS and is therefore subject to the security concerns of that platform.

So you might be right regarding iOS, but your iPhone- not so much.

tmay 11 Years · 6456 comments

mjtomlin said:
Good for Apple.

The importance of Google’s Project Zero cannot be overstated, but the handling of this issue was sloppy and irresponsible. It’s now obvious this was little more than a smear campaign against Apple as the issue was not only fixed in a timely manner 6 months ago, but singling out iOS as the only target was disingenuous when vulnerabilities in Windows and Android were exploited as well.

There is no way the Project Zero team did not know ALL the facts of this “attack” and it’s apparent that Google marketing must’ve stepped in and decided to publicly disclose only certain aspects to disparage iOS.

https://www.forbes.com/sites/thomasbrewster/2019/09/01/iphone-hackers-caught-by-google-also-targeted-android-and-microsoft-windows-say-sources/#43e4c76b4adf

Abalos65 5 Years · 64 comments

mjtomlin said:
Good for Apple.

The importance of Google’s Project Zero cannot be overstated, but the handling of this issue was sloppy and irresponsible. It’s now obvious this was little more than a smear campaign against Apple as the issue was not only fixed in a timely manner 6 months ago, but singling out iOS as the only target was disingenuous when vulnerabilities in Windows and Android were exploited as well.

There is no way the Project Zero team did not know ALL the facts of this “attack” and it’s apparent that Google marketing must’ve stepped in and decided to publicly disclose only certain aspects to disparage iOS.

Can you give a link to the supposed vulnerabilities being exploited in Windows and Android which Project Zero brushed under the rug?

The last part of your comment I find troubling, as it is a statement without a shred of evidence.