Apple isn’t happy about the way Google revealed a major iPhone security flaw recently. Google security researchers revealed that malicious websites used previously undisclosed security flaws in iOS to hack into devices over at least two years. While Apple doesn’t dispute the research, the company accuses Google of “stoking fear among all iPhone users that their devices had been compromised” because key details were omitted in Google’s blog post.
“The sophisticated attack was narrowly focused, not a broad-based exploit of iPhones ‘en masse’ as described,” explains Apple. “The attack affected fewer than a dozen websites that focus on content related to the Uighur community.” Subsequent reports have revealed that these websites also targeted Windows and Android users, but Google didn’t detail this aspect of the attacks. “All evidence indicates that these website attacks were only operational for a brief period, roughly two months, not ‘two years’ as Google implies,” says Apple.
Apple fixed the vulnerabilities back in February, just 10 days after it learned about the security issues. “When Google approached us, we were already in the process of fixing the exploited bugs,” explains Apple. It’s not clear whether Google was aware of the reported attempts to hack Android devices with the same websites or why the company didn’t reveal that the overall attack was very narrow as Apple claims.
“Security is a never-ending journey and our customers can be confident we are working for them,” says Apple. “Our product security teams around the world are constantly iterating to introduce new protections and patch vulnerabilities as soon as they’re found. We will never stop our tireless work to keep our users safe.”
For its part, Google says it stands by its original report. Here’s a statement forwarded to The Verge:
Project Zero posts technical research that is designed to advance the understanding of security vulnerabilities, which leads to better defensive strategies. We stand by our in-depth research which was written to focus on the technical aspects of these vulnerabilities. We will continue to work with Apple and other leading companies to help keep people safe online.
Update, 3:11 PM ET: Added Google statement.