Apple Hits Back At Google Over iPhone Hack Report

Apple has hit back at Google in a statement that made clear it feels that Google’s security researchers have overstated the level of threat against iPhone users.

Last month security researchers at Google’s Project Zero had warned iPhone users of a “sustained effort” of an attack “in the wild” against Apple devices.

The researchers detailed how hackers utilised booby-trapped websites to try and carry out zero-day attacks against visiting iPhone users.

iPhone hack

But Apple has disputed Google’s insistence that it was a large-scale hacking effort that targeted users of Apple devices, and has issued a hard-hitting statement.

“Last week, Google published a blog about vulnerabilities that Apple fixed for iOS users in February,” said Apple.

“First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones ‘en masse’ as described,” it said. “The attack affected fewer than a dozen websites that focus on content related to the Uighur community.”

The Uighur are a Muslim community located in central and east China, and are at the centre of human rights concerns in that region.

And Apple made no attempt to disguise its irritation at the Google research team’s efforts to portray this as a more global threat, and not just one affecting a small ethnic community in China.

“Google’s post, issued six months after iOS patches were released, creates the false impression of ‘mass exploitation’ to ‘monitor the private activities of entire populations in real time,’ stoking fear among all iPhone users that their devices had been compromised,” said Apple. “This was never the case.”

“Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not ‘two years’ as Google implies,” said Apple.

“We fixed the vulnerabilities in question in February – working extremely quickly to resolve the issue just 10 days after we learned about it,” Apple added. “When Google approached us, we were already in the process of fixing the exploited bugs.”

But Google is standing by its research, after Tim Willis, a researcher on the Project Zero team, tweeted that Google’s Threat Analysis Group (TAG) “only saw iOS exploitation on these sites when TAG found them back in Jan 2019 (and yes, they looked for everything else as well)”.

Project Zero

This is not the first time that Google’s Project Zero team has stepped on toes with other tech firms.

The group was set up in 2014 to hunt down vulnerabilities and bugs before they are used in cyber attacks, but its actions have displeased a number of vendors.

In February 2015, Google was forced to defend its policy of automatically publishing zero-day vulnerabilities discovered by its Project Zero team after 90 days, and promised to offer up to two weeks’ grace if a vendor notifies the search giant that a patch is in the works.

Microsoft, for example, was previously critical of Google for publishing details of two vulnerabilities in 2015, arguing that such disclosures harmed end users by offering attackers information about potential flaws that could be exploited.

Redmond alleged at the time that Google had refused to delay the disclosure despite knowing that a patch was in development.

Tom Jowitt @TJowitt

Tom Jowitt is a leading British tech freelance and long-standing contributor to TechWeek Europe
