Google’s reporting of a major iOS security vulnerability has been criticised by Apple, which says its rival had exaggerated the impact of the situation.
Last month, Google’s Project Zero research team detailed a flaw that could see user data, such as files, messages and location data, compromised if a user with an affected device visited a malicious website.
“There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant,” Google’s team had said.
The vulnerability was patched six months ago and Apple says it was already in the process of fixing the flaws when it was contacted by Google. Indeed, it says the issue was resolved just 10 days after the communication.
However, Apple has taken issue with Google’s disclosure. It disputes the suggestion that the targeting was ‘indiscriminate’, arguing that fewer than a dozen sites were affected, mainly those serving the Chinese Uighur community, and says the post unnecessarily caused panic among iOS users.
“Google’s post, issued six months after iOS patches were released, creates the false impression of ‘mass exploitation’ to ‘monitor the private activities of entire populations in real time,’ stoking fear among all iPhone users that their devices had been compromised,” says Apple. “This was never the case.”
Apple regards the relative security of the iOS platform as a key differentiator, so the topic is a sensitive one for the company.
The company launched a bug bounty programme for iOS three years ago, offering up to $200,000 to ethical hackers who responsibly reported vulnerabilities. However, it increased the upper limit to $1 million earlier this year, a move which would combat claims that the rewards on offer were too low.
“Project Zero posts technical research that is designed to advance the understanding of security vulnerabilities, which leads to better defensive strategies,” a Google spokesperson said.
“We stand by our in-depth research which was written to focus on the technical aspects of these vulnerabilities. We will continue to work with Apple and other leading companies to help keep people safe online.”