Back in June, Google discovered a range of security flaws in iPhone software that were used to inject malicious code into phones. It came as quite a shock, as Apple and security typically go hand-in-hand. It wasn’t long before Apple published a scathing statement, correcting many errors in Google’s findings.
The initial findings were published by Project Zero, Google’s security arm tasked with finding zero-day vulnerabilities. Google published a blog post detailing how a handful of hacked websites had taken advantage of an iOS vulnerability. They found that a small number of hacked websites were distributing malware to users’ phones.
“There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week,” the statement from Google reads.
Apple shot back just a week after the report was published, saying that the vulnerabilities Google highlighted were fixed in a patch that went out in February. It corrected Google’s statement by explaining that fewer than a dozen websites were compromised, and a specific group of people were targeted. The group targeted was the Uighur community — a small ethnic group of Muslims in China. Apple believes the website attacks were only operational for about two months, not two years, as the Google security researchers reported.
The biggest flaw in Google’s published research is in how it details the actual scale of the hack. “Google’s post, issued six months after iOS patches were released, creates the false impression of ‘mass exploitation’ to ‘monitor the private activities of entire populations in real time,’ stoking fear among all iPhone users that their devices had been compromised. This was never the case,” Apple explains in its blog post.
The moral of the story?
As we know, security is one of Apple’s most prized features. “Regardless of the scale of the attack, we take the safety and security of all users extremely seriously,” Apple said in the statement.
We’re not saying that Google should retire Project Zero’s research team. It is doing great work, especially considering the increasing number of people who use the internet. Cybersecurity is something that should be in the mind of every person who uses a smartphone, and the onus can’t fall on smartphone companies to keep us protected online all the time.