Google released a compilation of in-depth research on vulnerabilities in Apple’s operating system Thursday night.
The research is interesting and comprehensive, but the impact of the flaws on most iPhone users may not be huge. Also, Google is using the compiled research to publicly needle Apple, following Apple’s campaign to differentiate its products on privacy and security.
Here are some top takeaways from the report.
This is not one “bug,” but a series of related flaws or problems compiled together in one place by Google’s Project Zero. The release involved several in-depth studies Google’s Project Zero researchers have conducted over the years. In many cases, the bugs discovered were reported to Apple and fixed with subsequent iOS releases.
Most of the vulnerabilities have already been reported. In one case, a partner researcher from 360 Security, a mobile security application company, earned $200,000 in a November 2018 public hacking competition competition for discovering the previously unknown flaw.
Project Zero is Google’s test ground for finding so-called “zero-day exploits” in operating systems, software and hardware. “Zero day” is a reference to the number of days the public has had to use a known patch to a previously unknown vulnerability, so when a vulnerability is newly discovered, it is considered “day zero” of being able to fix it.
The flaws typically start, according to the research, with a targeted “watering hole” attack. In this type of attack, a hacker compromises a single website that is expected to be popular to a specific group of people that the hacker is targeting. Simply visiting the site infects the user’s device with malicious code that can be used for a variety of purposes. In this case, it was used to monitor what a user does on their iPhone.
It’s unclear how successful these attacks were. But it is clear from the research presented that some of the exploits have been observed “in the wild,” as opposed to merely in a research lab. Google says the issue could have affected thousands of devices, but it is not clear how or whether anyone has been directly impacted by these flaws.
Apple has not yet weighed in. Google’s claims encompass several issues that have been raised since at least 2014, so Apple may come back with a more nuanced answer to the claims made by Project Zero. It will be interesting to see how they craft a response given their full-throated marketing position of Apple as the most secure phone maker.
Tim Cook has personally lobbed attacks at the security and privacy issues affecting companies like Google and Facebook, and Project Zero has taken direct aim at that with this post.
Google is clearly using the compiled Project Zero research as a counter-measure to Apple’s privacy marketing. “Real users make risk decisions based on the public perception of the security of these devices,” Google’s report says. “The reality remains that security protections will never eliminate the risk of attack if you’re being targeted.”
The companies that have been targeted directly by Apple’s privacy campaign and by the words of its executives have taken a number of actions to fight back. Former Facebook chief security officer Alex Stamos responded to today’s Apple news on Twitter by saying, “This is a huge find by Google’s team. Attribution for these sites is going to be critical to understanding what impact they might have had.” Stamos has also criticized Apple’s work in China, and Google CEO Sundar Pichai has taken jabs at Apple, saying in the past “privacy cannot be a luxury good. ”
Expect to see more takedowns of Apple’s privacy and security. Google’s research is solid, but the impact on the average iPhone user is almost certainly negligible. In addition, most of these flaws have been fixed via iPhone’s frequent iOS update pushes. This is one of what will be a series of security and privacy pile-ons targeted at Apple in the coming years, as the company seeks to further differentiate itself on security and its rivals try to continue poking holes in that position.