Apple Disputes Some Details of Google's Project Zero Report on iOS Security Vulnerabilities [Updated]

Google's Project Zero last week shared details about multiple serious iOS vulnerabilities that allowed malicious websites to access a victim's phone. There were a total of 14 vulnerabilities that were being exploited, and while those have now been fixed, some of the security holes were abused for several years.

Apple today responded to Google's Project Zero blog post in an effort to address customer concerns with all of the facts.

trio iphones ios
Apple says the attack was "narrowly-focused" rather than a broad-based exploit of iPhones as described. Fewer than a dozen websites targeting Uighur Muslims were affected, according to Apple. Further, Apple says that Google created a false impression of mass exploitation, causing fear among iPhone owners.

Google also got the length of the attacks wrong. Apple says the websites were operational for approximately two months rather than two years, with the vulnerabilities fixed 10 days after Apple learned about them. Fixes were already in the works when Google approached Apple.

Apple's full letter is included below:

Last week, Google published a blog about vulnerabilities that Apple fixed for iOS users in February. We've heard from customers who were concerned by some of the claims, and we want to make sure all of our customers have the facts.

First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones "en masse" as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community. Regardless of the scale of the attack, we take the safety and security of all users extremely seriously.

Google's post, issued six months after iOS patches were released, creates the false impression of "mass exploitation" to "monitor the private activities of entire populations in real time," stoking fear among all iPhone users that their devices had been compromised. This was never the case.

Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not "two years" as Google implies. We fixed the vulnerabilities in question in February -- working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs.

Security is a never-ending journey and our customers can be confident we are working for them. iOS security is unmatched because we take end-to-end responsibility for the security of our hardware and software. Our product security teams around the world are constantly iterating to introduce new protections and patch vulnerabilities as soon as they're found. We will never stop our tireless work to keep our users safe.

According to Google, the websites in question that targeted ‌iPhone‌ users were able to steal private data like messages, photos, and GPS location in real time with little effort after a visitor went to an infected website.

Google believes thousands of visitors accessed these websites per week over two years, with the vulnerability present in iOS 10, iOS 11, and iOS 12. Apple addressed the issues in iOS 12.1.4 back in February 2019.

In a statement to The Verge, Google said that it stands by its original report despite Apple's comments.

Project Zero posts technical research that is designed to advance the understanding of security vulnerabilities, which leads to better defensive strategies. We stand by our in-depth research which was written to focus on the technical aspects of these vulnerabilities. We will continue to work with Apple and other leading companies to help keep people safe online.

Popular Stories

best buy holiday

Best Buy Reveals Black Friday Plans With Sitewide Sales Available Now

Friday November 8, 2024 10:05 am PST by
Black Friday sales are continuing today with Best Buy kicking off early Black Friday deals that will last for the next few days. Similar to other retailers, Best Buy's early Black Friday event includes sitewide savings on Apple products, headphones, TVs, monitors, video games, and more. Note: MacRumors is an affiliate partner with Best Buy. When you click a link and make a purchase, we may...
AirPods Pro Firmware Feature

Apple Releases Firmware Updates for AirPods Pro 2 and AirPods 4

Monday November 11, 2024 11:28 am PST by
Apple today released firmware updates for both AirPods 4 models (version number 7B20) and the AirPods Pro 2 with both Lightning and USB-C charging cases (version number 7B21). All of these AirPods models were previously on firmware version 7B19. It is not immediately clear what new features or changes are included in firmware versions 7B20 and 7B21, but we will update this story if we find...
mac mini thermal architecture feature

New Mac Mini Has Modular Storage, 256GB Model Will Have Faster SSD

Friday November 8, 2024 7:06 am PST by
Apple has returned to using two 128GB storage chips in the new Mac mini with 256GB of storage, according to a partial teardown video shared on social media today. This means the base-model Mac mini with the M4 chip will not have significantly slower SSD speeds compared to higher-end configurations of the computer with 512GB, 1TB, or 2TB of storage, as multiple NAND chips allows for faster SSD...
General Final Cut Pro Feature

Apple Likely to Announce Final Cut Pro Update This Week With These New Features

Sunday November 10, 2024 12:13 pm PST by
In its announcement video for the new Mac mini last month, Apple teased an "upcoming" version of Final Cut Pro for the Mac. Apple will likely announce the update during the annual Final Cut Pro Creative Summit, which begins this Wednesday. The conference is held in association with Apple, and attendees will be visiting Apple Park on the first day. Apple already teased four new features...
iphone 6 thickness

iPhone 17 'Air' May Not Be Much Thinner Than iPhone 6

Monday November 11, 2024 5:18 am PST by
Next year's iPhone 17 "Air" model may not be as thin as Apple planned, according to a rumor originating in Korea. According to the news aggregator account "yeux1122" on Naver, citing industry sources, Apple has run into problems making the new iPhone 17 model sufficiently thin. The device's reduced thickness is apparently dependent on manufacturing a battery with a thinner substrate, but...
Generic iOS 18

Everything New in iOS 18.2 Beta 2

Monday November 4, 2024 12:34 pm PST by
Apple today seeded the second betas of upcoming iOS 18.2 and iPadOS 18.2 updates to developers, and Apple is continuing to refine the Apple Intelligence capabilities. There are also a handful of smaller features that are worth knowing about. Find My Find My has a new option to Share Item Location with an "airline or trusted person" that can help you locate something that you've misplaced....
iphone passcode green

Cops Suspect iOS 18 iPhones Are Communicating to Force Reboots, Making Unlocking Harder

Thursday November 7, 2024 2:20 pm PST by
Law enforcement officials in Detroit, Michigan are warning other police officers about an alleged iPhone change that causes Apple devices stored for forensic examination to spontaneously restart, reports 404 Media. iPhones that are undergoing examination have apparently been rebooting, which makes them harder to unlock with brute force methods, and Michigan police think that it's due to a...

Top Rated Comments

Khedron Avatar
68 months ago
Apple is just spinning their standard "a small number of customers were affected" narrative

If they genuinely disagreed with Google's claims they'd lawyer up
Score: 32 Votes (Like | Disagree)
sulpfiction Avatar
68 months ago
Googles mission statement is to exploit it's users. Hello Kettle.
Score: 24 Votes (Like | Disagree)
AlterZgo Avatar
68 months ago
“Don’t be evil...” unless it’s an opportunity to trash your strongest competitor, then go head and lie, fabricate stuff, misstate and exaggerate.
Score: 24 Votes (Like | Disagree)
gnomeisland Avatar
68 months ago
Hope Apple does this to google. Finds vulnerabilities and work their propaganda to hurt Google
I hope they don’t. It’s very unethical. However if it was at all intentional on Google’s part I hope it gets included in their various on-going anti trust investigations.
Score: 17 Votes (Like | Disagree)
NickName99 Avatar
68 months ago
And now we know why Google didn’t release a list of the websites affected, and why they waited until right before the iPhone 11 release to talk about it.
Score: 17 Votes (Like | Disagree)
gnomeisland Avatar
68 months ago
While I generally think Apple is one of the most ethical corporations ATM, I’m not sure who to believe.

If Apple’s right, then Google’s misrepresentations are damaging, bordering on libel coming from a close competitor. Their reports did a lot of damage to the narrative that iOS is more secure than Android (not that Android hasn’t come a long way).
Score: 15 Votes (Like | Disagree)