“The sophisticated attack was narrowly focused, not a broad-based exploit of iPhones ‘en masse’ as described,” the company said. It said the hacked websites used to exploit the vulnerabilities numbered fewer than a dozen and mainly featured content related to the Uyghur community, a predominantly Muslim ethnic group from China’s western Xinjiang region.
“Google’s post, issued six months after iOS patches were released, creates the false impression of ‘mass exploitation’ to ‘monitor the private activities of entire populations in real time,’ stoking fear among all iPhone users that their devices had been compromised,” Apple said. “This was never the case.”
The smartphone maker also countered Google’s claims about the duration of the attacks.
“All evidence indicates that these website attacks were only operational for a brief period, roughly two months, not ‘two years’ as Google implies,” Apple said, adding that it fixed the vulnerabilities in February, 10 days after finding out about them.
“When Google approached us, we were already in the process of fixing the exploited bugs,” the company said.
“Project Zero posts technical research that is designed to advance the understanding of security vulnerabilities, which leads to better defensive strategies,” Google said in a statement. “We stand by our in-depth research which was written to focus on the technical aspects of these vulnerabilities. We will continue to work with Apple and other leading companies to help keep people safe online,” it said.
As it downplayed the impact of the vulnerabilities found by the Google researchers, Apple sought to reassure iPhone users about the security of their devices.
“Regardless of the scale of the attack, we take the safety and security of all users extremely seriously,” it said. “Our product security teams around the world are constantly iterating to introduce new protections and patch vulnerabilities as soon as they’re found. We will never stop our tireless work to keep our users safe.”