Apple slams Google for raising false alarm on iOS security
San Francisco: Apple has slammed Google for creating a false impression about its iPhones being at hacking risk owing to security flaws that allegedly let several malicious websites break into its iOS operating system.
Researchers working in Google’s Project Zero team had discovered several hacked websites that used security flaws in iPhones to attack users who visited these websites — compromising their personal files, messages, and real-time location data.
In a statement, Apple said the so-called sophisticated attack was narrowly focused, not a broad-based exploit of iPhones “en masse” as described.
“The attack affected fewer than a dozen websites that focus on content related to the Uighur community. Regardless of the scale of the attack, we take the safety and security of all users extremely seriously,” the Cupertino-based iPhone maker said on Friday.
“Google’s post, issued six months after iOS patches were released, creates the false impression of ‘mass exploitation’ to ‘monitor the private activities of entire populations in real time’, stoking fear among all iPhone users that their devices had been compromised. This was never the case,” Apple said.
According to Google, the websites delivered their malware indiscriminately and were operational for years.
According to the iPhone maker, “all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not ‘two years’ as Google implies”.
Google’s Threat Analysis Group (TAG) discovered that there was no target discrimination as simply visiting the hacked site was enough for the exploit server to attack the iPhone, and if it was successful, install a monitoring implant.
“We estimate that these sites receive thousands of visitors per week,” said the Google blog post.
Google researchers also said they identified a vulnerability that accessed all the database files on the victim’s iPhone used by end-to-end encryption apps like WhatsApp, Telegram and iMessage.
Apple said that it fixed the vulnerabilities in question in February — working extremely quickly to resolve the issue just 10 days after it learnt about it.
“When Google approached us, we were already in the process of fixing the exploited bugs,” said the company, adding that its product security teams around the world are constantly iterating to introduce new protections and patch vulnerabilities as soon as they’re found.