Apple has called out Google for promoting a “false impression” about iOS vulnerabilities the iPhone maker said it fixed in February. It claims Google is unnecessarily panicking Apple customers.
On Aug. 29, Ian Beer of Google’s Project Zero published a blog post that took a “very deep dive” into 14 vulnerabilities—two of them zero-days upon discovery–in iOS that its Threat Analysis Group (TAG) found were being used by a group of hacked websites. Google discovered the flaws in January and told Apple about them. They were subsequently disclosed to the public in February.
The picture Google painted of about the attacks was rather grim, noting that “simply visiting the hacked site was enough for the exploit server to attack your device” and install spyware that could monitor a person’s entire digital life. The affected sites receive thousands of visitors per week, according to Google’s estimation.
Now Apple is defending itself against what it claims is a misleading portrayal by Google of the exploits in an attempt to assuage customers who’ve expressed worry about their risk some six months after patches were issued in an out of band release of iOS 12.1.4.
In a statement published on its online newsroom Friday, Apple claimed that the scope of the risk as described by Google is false for two reasons.
While it characterized the attack as “sophisticated,” the iPhone maker said it was far more narrowly focused on less than a dozen websites focused on content related to the Uighur community rather than a “broad-based exploit of iPhones ‘en masse.’” Uighurs are an ethnic minority community in China’s northwestern Xinjiang region.
“Google’s post … creates the false impression of ‘mass exploitation’ to ‘monitor the private activities of entire populations in real time,’ stoking fear among all iPhone users that their devices had been compromised,” according to Apple’s statement. “This was never the case.”
Secondly, Apple said that evidence indicates the attacks were ongoing only for two months, not the two years Google “implied” in its analysis.
Indeed, Google characterized the attack as a “sustained effort” to hack iPhone users in certain communities over a period of at least two years, citing evidence of iPhone exploits “covering almost every version from iOS 10 through to the latest version of iOS 12.”
However, Apple claims this is simply not true, saying it resolved the issue just 10 days after learning about it.
“When Google approached us, we were already in the process of fixing the exploited bugs,” the company said in the statement.
Apple said it will continue to take customer and industry feedback on vulnerabilities seriously so it can continue to sustain “unmatched” security in its software and hardware and respond to risks as soon as they’re found, the company said.
“Security is a never-ending journey and our customers can be confident we are working for them,” Apple said in its statement.