Apple Disputes Some Details of Google's Project Zero Report on iOS Security Vulnerabilities [Updated]

Google's Project Zero last week shared details about multiple serious iOS vulnerabilities that allowed malicious websites to access a victim's phone. There were a total of 14 vulnerabilities that were being exploited, and while those have now been fixed, some of the security holes were abused for several years.

Apple today responded to Google's Project Zero blog post in an effort to address customer concerns with all of the facts.

trio iphones ios
Apple says the attack was "narrowly-focused" rather than a broad-based exploit of iPhones as described. Fewer than a dozen websites targeting Uighur Muslims were affected, according to Apple. Further, Apple says that Google created a false impression of mass exploitation, causing fear among iPhone owners.

Google also got the length of the attacks wrong. Apple says the websites were operational for approximately two months rather than two years, with the vulnerabilities fixed 10 days after Apple learned about them. Fixes were already in the works when Google approached Apple.

Apple's full letter is included below:

Last week, Google published a blog about vulnerabilities that Apple fixed for iOS users in February. We've heard from customers who were concerned by some of the claims, and we want to make sure all of our customers have the facts.

First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones "en masse" as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community. Regardless of the scale of the attack, we take the safety and security of all users extremely seriously.

Google's post, issued six months after iOS patches were released, creates the false impression of "mass exploitation" to "monitor the private activities of entire populations in real time," stoking fear among all iPhone users that their devices had been compromised. This was never the case.

Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not "two years" as Google implies. We fixed the vulnerabilities in question in February -- working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs.

Security is a never-ending journey and our customers can be confident we are working for them. iOS security is unmatched because we take end-to-end responsibility for the security of our hardware and software. Our product security teams around the world are constantly iterating to introduce new protections and patch vulnerabilities as soon as they're found. We will never stop our tireless work to keep our users safe.

According to Google, the websites in question that targeted ‌iPhone‌ users were able to steal private data like messages, photos, and GPS location in real time with little effort after a visitor went to an infected website.

Google believes thousands of visitors accessed these websites per week over two years, with the vulnerability present in iOS 10, iOS 11, and iOS 12. Apple addressed the issues in iOS 12.1.4 back in February 2019.

In a statement to The Verge, Google said that it stands by its original report despite Apple's comments.

Project Zero posts technical research that is designed to advance the understanding of security vulnerabilities, which leads to better defensive strategies. We stand by our in-depth research which was written to focus on the technical aspects of these vulnerabilities. We will continue to work with Apple and other leading companies to help keep people safe online.

Popular Stories

Beyond iPhone 13 Better Blue Face ID Single Camera Hole

10 Reasons to Wait for Next Year's iPhone 17

Monday July 8, 2024 5:00 am PDT by
Apple's iPhone development roadmap runs several years into the future and the company is continually working with suppliers on several successive iPhone models simultaneously, which is why we sometimes get rumored feature leaks so far ahead of launch. The iPhone 17 series is no different – already we have some idea of what to expect from Apple's 2025 smartphone lineup. If you plan to skip...
iPhone 15 Pro Cameras

iPhone 17 Pro Max Will Be First Model to Feature Three 48MP Cameras

Thursday July 11, 2024 12:20 am PDT by
Next year's iPhone 17 Pro Max will feature an upgraded 48-megapixel Tetraprism camera for enhanced photo quality and zoom functionality, according to Apple analyst Ming-Chi Kuo. In his n-iphone-tetraprism-upgrade-ca62dd37e364">latest investor note published to Medium, Kuo said the key specification change would be a 1/2.6" 48MP CIS sensor, up from the 1/3.1" 12MP sensor expected to be used...
iPhone 16 Pro Front Update Blue

iPhone 16 Pro Rumored to Support 40W Fast Charging and 20W MagSafe

Wednesday July 10, 2024 3:57 am PDT by
Apple's forthcoming iPhone 16 Pro and iPhone 16 Pro Max will support 40W wired fast charging and 20W MagSafe charging, claims a rumor currently swirling around China. Right now, iPhone 15 and iPhone 15 Pro models are capable of up to 27W peak charging speeds with an appropriate USB-C power adapter, while official MagSafe chargers from Apple and authorized third parties can wirelessly charge...
AirPods Pro Beta Firmware

Apple Releases New AirPods Pro 2 Beta Firmware With Support for iOS 18 Features

Tuesday July 9, 2024 11:46 am PDT by
Apple today released a second beta firmware for the AirPods Pro 2, including both the Lightning and USB-C versions. The updated firmware has a build number 7A5244b and it is available to developers at the current time. This is the second firmware update that Apple has released since announcing new AirPods Pro 2 features in June. There are several new features that are coming to the AirPods...
Beyond iPhone 13 Better Blue Face ID

iPhone 16 Models Rumored to Have Face ID-Related Design Changes

Tuesday July 9, 2024 9:15 am PDT by
iPhone 16 models coming later this year could have some Face ID-related "design changes," supply chain publication DigiTimes said this week. The original source of this information is British newspaper The Telegraph, which six weeks ago reported that Face ID component supplier Coherent was considering selling or repurposing a manufacturing facility in Newton Aycliffe, a small town in...
orka desktop

MacStadium Releases Free Orka Desktop macOS Virtualization Software

Wednesday July 10, 2024 6:55 am PDT by
Mac cloud services provider MacStadium today unveiled Orka Desktop, a free virtualization tool that allows Mac users to create and manage macOS virtual machines locally via an easy-to-use admin panel. Orka users can create or download custom macOS images locally for their own personal use, or to collaborate with team members using a familiar workflow, versioning, audit, and review controls....

Top Rated Comments

Khedron Avatar
63 months ago
Apple is just spinning their standard "a small number of customers were affected" narrative

If they genuinely disagreed with Google's claims they'd lawyer up
Score: 32 Votes (Like | Disagree)
sulpfiction Avatar
63 months ago
Googles mission statement is to exploit it's users. Hello Kettle.
Score: 24 Votes (Like | Disagree)
AlterZgo Avatar
63 months ago
“Don’t be evil...” unless it’s an opportunity to trash your strongest competitor, then go head and lie, fabricate stuff, misstate and exaggerate.
Score: 24 Votes (Like | Disagree)
gnomeisland Avatar
63 months ago
Hope Apple does this to google. Finds vulnerabilities and work their propaganda to hurt Google
I hope they don’t. It’s very unethical. However if it was at all intentional on Google’s part I hope it gets included in their various on-going anti trust investigations.
Score: 17 Votes (Like | Disagree)
NickName99 Avatar
63 months ago
And now we know why Google didn’t release a list of the websites affected, and why they waited until right before the iPhone 11 release to talk about it.
Score: 17 Votes (Like | Disagree)
gnomeisland Avatar
63 months ago
While I generally think Apple is one of the most ethical corporations ATM, I’m not sure who to believe.

If Apple’s right, then Google’s misrepresentations are damaging, bordering on libel coming from a close competitor. Their reports did a lot of damage to the narrative that iOS is more secure than Android (not that Android hasn’t come a long way).
Score: 15 Votes (Like | Disagree)