Apple accuses Google of ‘stoking fear’ over iPhone vulnerabilities

More than a week after researchers at Google detailed one of the most serious iPhone exploits in recent memory, Apple has responded.

In a statement published Friday, Apple went on the defensive, saying that Google researchers were “stoking fear” and had exaggerated the seriousness of the attack.

Cupertino’s statement comes more than a week after Google’s Project Zero researchers published a blog post detailing how malware embedded in specific websites could steal large amounts of personal data off users’ iPhones. This included messages, both encrypted and otherwise, real-time GPS locations, and passwords. 

“We estimate that these sites receive thousands of visitors per week,” Project Zero researcher Ian Beer wrote. Though Beer didn’t elaborate on who may have been impacted by the malware, it was subsequently reported that it was a state-sponsored attack targeting China’s Uighur Muslims.

In its statement, Apple noted that “the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones ‘en masse’ as described.” 

“The attack affected fewer than a dozen websites that focus on content related to the Uighur community,” Apple wrote. The company’s statement makes no mention of China, where the government has been accused of widespread hacking in order to track the country’s Muslim minority community. 

Though the malware could have infected any iPhone that visited the websites in question, Apple said Google overstated the scale of the exploit. 

Google’s post, issued six months after iOS patches were released, creates the false impression of “mass exploitation” to “monitor the private activities of entire populations in real time,” stoking fear among all iPhone users that their devices had been compromised. This was never the case.

Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not “two years” as Google implies. We fixed the vulnerabilities in question in February — working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs.

The company also made a veiled dig at Google’s Android operating system, writing, “iOS security is unmatched because we take end-to-end responsibility for the security of our hardware and software.”