Apple has hit back at Google for the latter’s reporting of a serious security vulnerability in iOS, claiming its rival had exaggerated the impact of the bug in its disclosure.
Last month, Google’s Project Zero research team detailed a flaw that could see user data, such as files, messages and location data, compromised if a user with an affected device visited a malicious website.
“There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant,” Google’s team had said.
The vulnerability was patched six months ago and Apple says it was already in the process of fixing the flaws when it was contacted by Google. Indeed, it says the issue was resolved just 10 days after the communication.
However, Apple has taken issue with Google’s disclosure. It disputes the suggestion that the targeting was ‘indiscriminate’, arguing that fewer than a dozen sites were affected, mainly those serving the Chinese Uighur community, and says the post unnecessarily caused panic among iOS users.
“Google’s post, issued six months after iOS patches were released, creates the false impression of ‘mass exploitation’ to ‘monitor the private activities of entire populations in real time,’ stoking fear among all iPhone users that their devices had been compromised,” says Apple. “This was never the case.”
Apple regards the relative security of the iOS platform as a key differentiator, so the topic is a sensitive one for the company.
The company launched a bug bounty programme for iOS three years ago, offering up to $200,000 to ethical hackers who responsibly reported vulnerabilities. However, it increased the upper limit to $1 million earlier this year, a move which would combat claims the rewards on offer were too low.
Google has been contacted for comment.