Apple responds vehemently to concerns about iOS security vulnerabilities (Updated)


What you need to know

  • Apple released a statement addressing Google's blog about iOS exploits.
  • In the message, it reassured customers that it keeps their security as a high priority.
  • It also dispelled some false information that came out of Google's blog.

Concerns about iOS security have been swirling since Google published a blog that outlined some vulnerabilities it discovered within iOS. Apple fixed these back in February, but that didn't stop the concerns. To reassure customers, Apple released a special message outlining exactly what took place with the vulnerabilities while dispelling false information regarding the situation.

In brief, Google's blog found that malicious websites were accessing users' phones and stealing private data like messages, location, photos and more.

Apple's response to it was short but to the point. Its first goal was to curb speculation about how wide this vulnerability really was. In reality, it affected less than a dozen websites.

First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones "en masse" as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community. Regardless of the scale of the attack, we take the safety and security of all users extremely seriously.

Google's post, issued six months after iOS patches were released, creates the false impression of "mass exploitation" to "monitor the private activities of entire populations in real time," stoking fear among all iPhone users that their devices had been compromised. This was never the case.

It then went on to correct some false statements made about the website attacks including how long it lasted.

Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not "two years" as Google implies. We fixed the vulnerabilities in question in February — working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs.

Apple finished the message with a strong statement on security: "Security is a never-ending journey and our customers can be confident we are working for them." It concluded: "We will never stop our tireless work to keep our users safe."

As is the case with most issues regarding Apple, they tend to be overblown. This was no different. You can read the complete statement on Apple's site.

Google responded to Apple's message in a statement to CNBC, saying it stands by its in-depth research and that its end goal was to understand security vulnerabilities.


With neither Apple nor Google backing down, the situation has turned into a he said, she said situation.

Updated 12:16 pm PT: The post was updated to include Google's response to Apple.

9 Comments
  • When it comes to internet security I really should trust NOBODY, but I trust Apple because they've gained that trust until they break it.
  • Which they've broken on multiple occasions: https://www.theatlantic.com/technology/archive/2019/01/apples-hypocritic... https://www.usatoday.com/story/tech/talkingtech/2018/04/17/apple-make-si... Among other times....
  • “In reality, it affected less than a dozen websites.” This is where most publications would replace the words, “in reality,” with, “according to Apple.” But, nope, not imore. “It then went on to correct some false statements made about the website attacks including how long it lasted.” Again, if this website had a shred of integrity, you would include the words, “according to Apple.” Saying “false statements,” in an absolute manner implies this is factual proof. Yet, all we have here is a press release. “As is the case with most issues regarding Apple, they tend to be overblown. This was no different.” So, the official stance of imore is that Project Zero is lying...because Apple says so. I thought garbage like this is usually reserved for Rene, but it looks like he has his disciples totally locked in. Again, this was a press release. It offered no evidence - only Apple’s word that things weren’t as bad as they seemed. And I’m completely not surprised that that alone is good enough for the people here.
  • Google grossly misstated the facts surrounding this issue either directly or by omitting other pertinent facts (Android was also subject to vulnerability). Google acolytes trip over themselves trying to defend the indefensible.
  • "With neither Apple nor Google backing down, the situation has turned into a he said, she said situation." Wow... This isn't a matter of 'he said, she said' at all! The vulnerabilities were there and without question! Geezus.. Hard facts are now 'rumor' at iMore?? Site is becoming worse than BGR.
  • The vulnerabilities were there, but Google exaggerated how bad they were, which is the problem at hand
  • What's interesting is even iverge (theverge) is reporting on how Apple screwed this up. If anyone actually read the release Project Zero made you would know that pretty much ALL the things Apple quoted or added " " to were not taken from Google's post. Google never said en masse. Google never said there was a mass exploitation. Fact is there was a vulnerability in Apple's software and Project Zero helped them by notifying them. Apple should say thank you and move on. The purpose of Project Zero's release is so that the public knows there are safety concerns even in the beloved iPhones we use and that Project Zero was designed to find these exploits in all operating systems and help get them patched up expeditiously. Th
  • Honestly, the tech press has helped blow this up to something it shouldn't have been.
  • “Fact is there was a vulnerability in Apple’s software and Project Zero helped them by notifying them”. The truth is that Apple was already aware of the vulnerability and already working on a patch. Don’t let the facts stand in the way of your fantasy,