Apple criticises Google for creating 'false impression' about the scale of iPhone hack

Apple claims that the attack on iPhones was not "a broad-based exploit of iPhones" as described by Google Project Zero

Apple has accused Google of "stoking fear among all iPhone users" by creating a "false impression" about the scale of the alleged iPhone hack it reported last month.

In a statement, Apple spokesman Fred Sainz said that the sophisticated attack on iPhones was "narrowly focused" and was not "a broad-based exploit of iPhones", as described by Google Project Zero security researchers. Sainz also claimed that the attacks affected fewer than a dozen websites that provided content about the Uighur people living in China.

Last month, Google revealed a major hacking attack, which it claimed "indiscriminately targeted" users of Apple devices. The company said that its Project Zero researchers had uncovered several hacked websites, which used a set of previously undisclosed security flaws in iOS to spread malware to any iPhone visiting them.

"There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device," Ian Beer, a security researcher at Project Zero, wrote in a blog post.

According to Beer, a successful attack on an iPhone enabled hackers to track users' locations in near-real time and also to steal photos, passwords, and messages saved on the device. Beer added that the attacks appeared to have been ongoing for at least two years.

While Apple doesn't question Google's findings, it has expressed its unhappiness over the omission of key details in Google's online post.

Apple claimed that the attacks had been operational for just two months, and not two years as claimed by Google. Apple also stated that it was already in the process of fixing the vulnerabilities in February when Google notified it about the bugs.

Last week, some reports also suggested that the hacked websites targeted Android and Windows users as well, but Google didn't provide any details about that aspect of the attacks. Google claimed that it had not been aware that Android was affected in the attacks.

Tim Willis, a researcher with the Project Zero team, tweeted that Google's Threat Analysis Group (TAG) saw only iOS exploitation on those sites "when TAG found them back in Jan 2019 (and yes, they looked for everything else as well)".

Google says that Project Zero's technical research endeavours to advance the understanding of security vulnerabilities, and that the company will continue to work with Apple and other organisations to strengthen online security.

Apple, in general, has a good reputation on security matters. Last month, the company announced that it was increasing its maximum bug bounty from $200,000 to $1 million to ensure that security researchers turn in any security flaws they find to Apple, rather than selling them on the grey market.

Also in August, the company released a fix for a critical iOS security flaw that was accidentally reintroduced in its last update.

"Security is a never-ending journey and our customers can be confident we are working for them," Apple stated. "We will never stop our tireless work to keep our users safe."