The two tech giants had a public back-and-forth this week about an embarrassing and now patched iOS vulnerability discovered by Google researchers. Apple takes issue with the way it was disclosed, and has sought to “clarify” things in typical Cupertino fashion. Google stands firmly on its research, but Apple argues it was used to paint a false picture about its flagship product.
A week ago, Google’s Project Zero team disclosed it had discovered several websites that were serving malware to iPhone users through a serious security flaw that had fortunately been patched earlier this year. The malware would be downloaded by simply visiting an infected website and was capable of taking control of an iOS device and monitoring its location in near real-time.
While Apple acknowledged some of the details about the flaw, it doesn’t like the way Google disclosed it to the public, so it went on to write a statement in which it accuses Google of “stoking fear among all iPhone users that their devices had been compromised.” The Cupertino giant says the tone of the disclosure created “the false impression of mass exploitation,” even though there were just about a dozen websites that only targeted the Uighur community in China. Google chose not to name them, and experts believe it was the result of a state-sponsored effort to spy on a specific group of people who happen to be Muslims.
Apple goes on to debunk Google’s claim that the website attacks were operational for “two years.” The company explains that all evidence points to a brief period of “roughly two months,” and that it patched the issue just 10 days after it was notified by Google. “When Google approached us, we were already in the process of fixing the exploited bugs,” Apple wrote.
The problem with Apple’s response is that it chose to defend its reputation by downplaying Google’s findings and taking things out of context. It also chose to reiterate its overused marketing message that “iOS security is unmatched because we take end-to-end responsibility for the security of our hardware and software.” That would be easy to forgive if this wasn’t about a serious vulnerability that could have been used against any group of people, not just the Uighur community.
On the other hand, Google declined to comment about whether Android devices, which are more popular in Asian markets, are just as vulnerable to the attack. There have been reports that Windows and Android devices can also be affected by the same websites, but Google only offered a generic response that it “stands by its research and that it will continue to work with Apple and other leading companies to help keep people safe online.”
In any case, this highlights a flaw in the current corporate culture at Apple that predates the Tim Cook era, where the focus is more on keeping up the appearance of a company whose products are flawless and less on being transparent to its customers.