In an extraordinary statement, Apple has denied that the iPhone has significant vulnerabilities, despite it being possible to infect iPhones simply by visiting a malicious website, like a Windows XP PC in 2005.
The statement reads:
Last week, Google published a blog about vulnerabilities that Apple fixed for iOS users in February. We’ve heard from customers who were concerned by some of the claims, and we want to make sure all of our customers have the facts.

First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones “en masse” as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community. Regardless of the scale of the attack, we take the safety and security of all users extremely seriously.

Google’s post, issued six months after iOS patches were released, creates the false impression of “mass exploitation” to “monitor the private activities of entire populations in real time,” stoking fear among all iPhone users that their devices had been compromised. This was never the case.

Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not “two years” as Google implies. We fixed the vulnerabilities in question in February — working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs.

Security is a never-ending journey and our customers can be confident we are working for them. iOS security is unmatched because we take end-to-end responsibility for the security of our hardware and software. Our product security teams around the world are constantly iterating to introduce new protections and patch vulnerabilities as soon as they’re found. We will never stop our tireless work to keep our users safe.
The statement shows little recognition of the fact that the only reason more iPhones were not infected was not that iPhone security was superior, but simply that the attack itself was relatively targeted.
It has been pretty clear, from government-sponsored attacks, that iPhones are as vulnerable as any other smartphone, and that they may actually be riskier: they give users the impression that the handsets are safer than they actually are, and they make infections harder to detect, since malware-scanning software cannot be installed on them.
While Apple appears to be attacking Google’s Project Zero team, their post contains no apology for the vulnerability to end-users, including the vulnerable population in China.
Google was however clear that iPhones were vulnerable because Apple was negligent, saying:
The root causes I highlight here are not novel and are often overlooked: we’ll see cases of code which seems to have never worked, code that likely skipped QA or likely had little testing or review before being shipped to users.
While Apple claims they will “never stop our tireless work to keep our users safe”, it seems more likely the company will never stop defending their ill-deserved (as reality repeatedly demonstrates) reputation for safety and privacy.