It was just last week that we covered a report by Google‘s Project Zero security researchers claiming they’d identified a malware campaign targeting iPhones for “at least two years.” When successful, the exploit chain allowed iPhones to be compromised with no interaction from the user beyond visiting a malicious website.
Now Apple is disputing some of Google‘s claims about the severity of these exploits in order to “make sure all of our customers have the facts.”
Apple aims multiple condemnatory comments towards the Project Zero post:
- Apple downplays the breadth of the attack, stating it was “narrowly focused, not a broad-based exploit of iPhones ‘en masse’ .” The attack affected “fewer than a dozen websites” relevant to the Uighur community.
- Cupertino admonishes Google for posting its research six months after it had already been patched. Apple says the post “creates the false impression of ‘mass exploitation’ to ‘monitor private activities of entire populations in real-time,’ quoting Google’s own words in the Project Zero report. Apple accuses Google of stoking fear “among all iPhone users that their devices had been compromised,” when “this was never the case.”
- More specifically, Apple counters Google‘s claim that the attacks endured for “at least two years.” Apple says “all evidence” suggests the attacks were instead active for “roughly two months.”
- Apple also downplayed Google‘s role in fixing the bug in the first place. While Google claims it gave Apple a “7-day deadline” (who knew companies could assign deadlines to one another?) to fix the exploit, Apple says it had been working on the problem before Google ever approached it.
Apple is trying to set the record straight – at least in its view – over the severity of the exploit and Google role in fixing it, implying it didn’t need Google‘s help. Moreover, Apple wants to make clear it’s still ahead of the competition’s security because it takes responsibility “for the security of [its] hardware and software.”
When contacted for comment, a Google spokesperson replied:
Project Zero posts technical research that is designed to advance the understanding of security vulnerabilities, which leads to better defensive strategies. We stand by our in-depth research which was written to focus on the technical aspects of these vulnerabilities. We will continue to work with Apple and other leading companies to help keep people safe online.
It seems to comes down to a matter of perspective. Google seems to be claiming that Project Zero posts are aimed at technical audiences and is meant to advance the industry, but Apple suggests the post undermined its broader reputation in mobile security by exaggerating the severity of the exploit.