With its flagship iPhone event just a few days away, it appears that Apple is getting a little nervous about recent reports regarding the state of its lauded security features. On Friday, it took the unusual step of publishing a blog post to refute some recent claims about its operating system made by Google researchers and to clarify the impact its failures have had on users around the globe.
In recent years, Apple has seen two big strategic openings to keep its business alive and growing: services and privacy. Few companies can hold their head as high as Apple when it comes to protecting users’ data, and even fewer can say that they don’t monetize user data to a significant degree. But Apple’s experienced a few security black eyes recently, and the company published a brief blog post on Friday that accuses the team at Google’s Project Zero of “stoking fear” about iPhone security with a report it issued at the end of August.
Project Zero and Google’s Threat Analysis Group (TAG) found 14 vulnerabilities in Apple’s products that were being exploited by a group of watering hole websites that were designed to indiscriminately target iPhone users and take over control of their devices. Apple hasn’t disputed the existence of the vulnerabilities, and it claimed that they were patched back in February. But yesterday, new reports came out that outlined the broad strokes of an operation by the Chinese Government to track its persecuted minority Uighur population in part by hacking iPhone and Android devices. It appears that the potential for confusion has given Apple motivation to clarify that the Project Zero report and Chinese Government hacks are related and that it feels Google’s report was unfair.
For one thing, Apple says that it was “already in the process of fixing the exploited bugs,” when Google’s researchers first came to them to point out the vulnerabilities. Can’t pwn Apple when they already know they’ve been pwned. In fact, Apple claims the issue was resolved “just 10 days after we learned about it.”
Apple also said in its post that “all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not ‘two years’ as Google implies.” The word “implied” is actually generous. Google’s exact language in its report claimed that a group of sites was involved in “making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years.” But Google seems to be basing its number on how long the websites existed, and Apple is going with how long they were “operational.”
Apple also clarified that “the attack affected fewer than a dozen websites that focus on content related to the Uighur community.”
What may be the most egregious failing on Google’s part was the fact that it only mentioned Apple in its report, but it has subsequently come to light that Android and Windows systems were being targeted by the same hackers. When asked for comment on Apple’s post today, a Google spokesperson told Gizmodo:
“Project Zero posts technical research that is designed to advance the understanding of security vulnerabilities, which leads to better defensive strategies. We stand by our in-depth research which was written to focus on the technical aspects of these vulnerabilities. We will continue to work with Apple and other leading companies to help keep people safe online.”
Cutting through the corporate-speak in that statement, it is important to acknowledge that the Project Zero crew does great work, and there’s no reason to believe that their work is motivated by malice. It’s also worth emphasizing that Apple’s reputation for making secure products has been earned by making secure products. What’s at issue here is who will have the best reputation for security in the future, and the answer is up for grabs.
Earlier this week, Wired reported that Android’s security is getting so good that the price of finding exploits for the open-source mobile OS is skyrocketing. Zerodium, which buys and sells so-called zero-day exploits, is the only outfit of its kind that releases an annual price list for discovering secret software vulnerabilities. This year, Android zero-days topped the iPhone for the first time, fetching a $2.5 million price tag “for a so-called zero-click hacking technique that fully, silently takes over an Android phone with no interaction from the target user,” Wired wrote. Someone who discovers the same level of risk in iOS would reportedly bring home $500,000 less in profits.
The reward for discovering certain iMessage hacks was cut in half by Zerodium. One has to surmise that the laws of supply and demand are working in full effect—the more iMessage vulnerabilities that are being reported, the less valuable they are. And the most recent major report of flaws in the iMessage client came in July from, you guessed it, Project Zero.
The most embarrassing public disclosure of a recent security fuckup by Apple came last month when it issued an iOS patch that omitted bug fixes it had included in earlier updates. The floodgates were suddenly thrown open and enthusiasts were able to release a jailbreak before Apple fixed it—an illicit practice that Apple had managed to make all but extinct over the last few years.
Apple is still great at security. And it will likely tell you that over and over at next week’s iPhone event. The problem for Apple is that Android is getting really good at security too, and Google will likely tell you that over and over when it releases the next batch of Pixel phones. Maor Shwartz, an experienced independent security vulnerability researcher, told Wired that the open-source nature of Android is finally paying off, and the number of eyes on its code has resulted in fewer vulnerabilities “because a lot of them have been patched.”
The problem with making a big deal out of having strong security as a business strategy is that no one is safe, and everything can change in an instant. Apple’s walled garden has protected it for years, as has the prospect of finding a nasty bug for big money and endless glory. That environment seems to be changing. And when Tim Cook takes the stage next week to tout the latest and greatest way to store your dick pics, his case will be a little weaker. But the good news is that’s mostly due to the other guys getting better.