Apple has pushed back at Google’s big iOS security disclosure last week, accusing the company of stoking fears about potential iPhone hacks when the reality was something very different. Google’s Project Zero team revealed it had discovered a number of exploits in the wild that took advantage of loopholes in iOS security, and claiming that they had been active across several generations of the iPhone and iPad software.
Apple patched the issues earlier in the year, with Google’s security team saying that it gave the Cupertino firm a seven day deadline to fix the fourteen different vulnerabilities. It then went into a highly technical explanation of how the so-called exploit chains operated, and suggested that they had been active in the wild for at least two years.
Now, Apple is countering that explanation. In a new statement released today, the iPhone-maker accuses Google of generating a “false impression” that its software was a lot more vulnerable to hacks than it actually is.
“Google’s post, issued six months after iOS patches were released, creates the false impression of “mass exploitation” to “monitor the private activities of entire populations in real time,” stoking fear among all iPhone users that their devices had been compromised,” Apple says. “This was never the case.”
The suggestion of exploits being active in the wild for two years, too, is incorrect, according to Apple. Indeed “all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not “two years” as Google implies,” the company says. Even the Project Zero team’s portrayal of the situation being that they had informed Apple of the security issues wasn’t true, the Cupertino company implies.
“We fixed the vulnerabilities in question in February – working extremely quickly to resolve the issue just 10 days after we learned about it,” Apple says. “When Google approached us, we were already in the process of fixing the exploited bugs.”
Ian Beer of Project Zero wrote last month that Google had notified Apple of the issues discovered on February 1, 2019, and that Apple released iOS patches to address those issues on February 7. Today’s statement by Apple implies the company had actually known about the problems, and been working on fixing them with what was eventually the iOS 12.1.4 release, for three days before that disclosure.
Subsequent reports about the exploits in the wild suggested that they were the handiwork of Chinese security services, in the hope of entrapping the devices of a small group of Uyghurs as part of a greater surveillance drive. Apple also opted not to mention reports published since Google’s Project Zero disclosure, that suggested Android phones were also targeted by the hackers associated by the Chinese government.
In early September, security firm Volexity disclosed that similar “watering-hole” attacks on Android devices used by Uyghurs had been observed in the wild. At least eleven sites had been leveraged to target Android users, and had been in operation in some case for at least four years. Signs that some of the compromised sites were also trying to make unauthorized access to Gmail accounts were also spotted. The Project Zero team made no mention of any potential Android vulnerabilities that could be targeted in such a way.
Update: Google has made a statement on Apple’s comments, standing by its findings and the way it disclosed them. “Project Zero posts technical research that is designed to advance the understanding of security vulnerabilities, which leads to better defensive strategies,” a Google spokesperson said. “We stand by our in-depth research which was written to focus on the technical aspects of these vulnerabilities. We will continue to work with Apple and other leading companies to help keep people safe online.”