Apple has challenged some of Google's claims regarding iOS vulnerabilities, and stresses that its own 'end-to-end' security systems are 'unmatched' by its rivals.
In a rare public response, Apple has issued a press release specifically to address recent claims by Google concerning security vulnerabilities within iOS. Apple disagrees with Google's estimate of how long these vulnerabilities were open to attack, and how many websites were affected.
Apple also states that it addressed the issues promptly and accuses Google of deliberately causing concern for iPhone users.
"Google's post, issued six months after iOS patches were released," says the release, "creates the false impression of 'mass exploitation' to 'monitor the private activities of entire populations in real time,' stoking fear among all iPhone users that their devices had been compromised. This was never the case."
"The attach affected fewer than a dozen websites that focus on content related to the Uighur community."
Apple says that Google's claim that websites which exploited these vulnerabilities were able to attack users for two years is grossly inflated.
"All evidence indicates that these website attacks were only operational for a brief period, roughly two months," the statement continues.
"We fixed the vulnerabilities in question in February — working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs."
Apple's release concludes with a statement claiming that iOS has unmatched security, and in a criticism of Google, says that it is because "we take end-to-end responsibility."
The complete text of Apple's statement reads:
Last week, Google published a blog about vulnerabilities that Apple fixed for iOS users in February. We've heard from customers who were concerned by some of the claims, and we want to make sure all of our customers have the facts.First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones "en masse" as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community. Regardless of the scale of the attack, we take the safety and security of all users extremely seriously.
Google's post, issued six months after iOS patches were released, creates the false impression of "mass exploitation" to "monitor the private activities of entire populations in real time," stoking fear among all iPhone users that their devices had been compromised. This was never the case.
Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not "two years" as Google implies. We fixed the vulnerabilities in question in February — working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs.
Security is a never-ending journey and our customers can be confident we are working for them. iOS security is unmatched because we take end-to-end responsibility for the security of our hardware and software. Our product security teams around the world are constantly iterating to introduce new protections and patch vulnerabilities as soon as they're found. We will never stop our tireless work to keep our users safe.
Google later responded to Apple's press release in a statement to The Verge.
"Project Zero posts technical research that is designed to advance the understanding of security vulnerabilities, which leads to better defensive strategies. We stand by our in-depth research which was written to focus on the technical aspects of these vulnerabilities. We will continue to work with Apple and other leading companies to help keep people safe online," a Google spokesperson said.
Updated with statement from Google.
61 Comments
As they should.
iOS is not insecure, nor should it be inferred it is when rare exploits are exposed.
Good for Apple.
The importance of Google’s Project Zero cannot be overstated, but the handling of this issue was sloppy and irresponsible. It’s now obvious this was little more than a smear campaign against Apple as the issue was not only fixed in a timely manner 6 months ago, but singling out iOS as the only target was disingenuous when vulnerabilities in Windows and Android were exploited as well.
There is no way the Project Zero team did not know ALL the facts of this “attack” and it’s apparent that Google marketing must’ve stepped in and decided to publicly disclose only certain aspects to disparage iOS.