Apple is used to promoting the security of its products in comparison to the competition, but it was on the defensive last week following a report from Google’s Project Zero. According to Google researchers, iOS was the target of a sophisticated attack for two years until Google alerted Apple in early 2019. However, Apple is now seeking to downplay the severity of the attack, claiming Project Zero has blown the whole thing out of proportion.
The news of Apple’s iPhone vulnerability broke recently with an in-depth report from Project Zero, a group at Google that specializes in uncovering zero-day hacks that threaten internet users. According to the team, a number of websites had deployed hacks that could install malware with root access on the iPhone. The operators of the sites could steal data, monitor phone locations, and even access the user’s on-device password storage. Google said the attacks operated “over a period of at least two years” and covered almost every version of iOS active during that time.
Apple issued a press release late last week disputing part of Google’s findings. The iPhone maker strenuously objects to Google’s claim that the attacks operated for two years. In fact, Apple says it was closer to two months. Furthermore, Apple says it already knew about the flaws and was conveniently already working on a fix. It’s impossible to verify that claim, but it does sound suspect. Google’s Project Zero researchers are cited in Apple’s official changelog from February as reporting the flaws.
Apple also says the attack focused on the Uyghur community, a group of ethnically Turkic Muslims living in western China. Uyghurs have been targeted for persecution and imprisonment by Chinese authorities for years. The government often uses technological means like the iPhone hack to track and investigate the Uyghur population.
Apple seems to be suggesting that Google wanted to make the flaws look more severe than they were, but Project Zero has traditionally conducted its business in without favoritism. In response to Apple’s criticism, Project Zero has issued a statement standing by its “in-depth research which was written to focus on the technical aspects of these vulnerabilities.”
Google is used to getting publicly chastised for security vulnerabilities — Android is open source, but Apple has the benefit of quietly patching exploits as it finds them in its closed software. Perhaps the iPhone maker is just a little overly sensitive with its new iPhone unveiling this week.