Google discloses iOS bug, Apple claims Google is exaggerating issue

posted Saturday Sep 7, 2019 by Scott Ertz

Google's Project Zero is a security team within the company that identifies and discloses security issues in the company's own products and in high-profile products from other companies. The original concept of Project Zero was very dangerous, but the company amended its ways. Today, Project Zero works with the developers of the products in which it finds exploits to determine how and when each exploit should be disclosed.

Their most recent high-profile disclosure was in Apple's mobile operating system, iOS. The details of the exploit are not important, though they are available from Project Zero. The important part is that the exploit has existed for years in the platform, starting in version 10 and existing until just recently. The problem revolves around the ability of a website to exploit the operating system and compromise the user's privacy. Google's public report says that they discovered websites in the wild taking advantage of the exploit earlier in the year. They also informed Apple of the issue and worked with them to determine a disclosure timeline.

Apple, however, takes issue with almost every aspect of the report. According to the company's statement:

Google's post, issued six months after iOS patches were released, creates the false impression of "mass exploitation" to "monitor the private activities of entire populations in real time," stoking fear among all iPhone users that their devices had been compromised. This was never the case.

Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not "two years" as Google implies. We fixed the vulnerabilities in question in February - working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs.

This statement itself is a mischaracterization of what Google said. Either Apple didn't understand the report, or they are trying to hide something. Google said that the exploit existed for 2 years (iOS 10 through iOS 12), not that websites were operating for the 2 years. Google said that they discovered websites taking advantage of the exploit earlier this year. Since the statement, it was revealed that the websites in question were likely run by the Chinese government and targeted the Uyghur Muslim community, a group that the Chinese government has been intent on eliminating in their country. With Apple's dedication to the Chinese market, in an attempt to shore up its flailing sales, Apple might be trying to save face with the Chinese government.


