On September 6th, Apple came out with a statement about iOS security. They were trying to shed some light on the recent findings of Google’s Project Zero. The more I looked into it, the messier and more complicated the situation seemed. So let’s keep it brief and sort out what’s been going on with iOS in 2019.
Google’s Side of the Story
Project Zero, a security research team at Google, released a deep dive into iOS security vulnerabilities. According to them, numerous malicious websites would, upon a visit, insert malware into your iPhone without any notice. Project Zero claims that the attack was not aimed at any particular audience: everyone who visited one of the websites could be tracked and have their personal data extracted later on.
The implant from the malicious websites would get access not only to live location, but also to the user’s keychain, which contains passwords, and to encrypted messages from services such as Telegram, iMessage and WhatsApp.
Project Zero believes that the attacks had gone on for about two years before they came to Apple’s attention.
Apple’s Response
In a statement published on September 6th, 2019, Apple defends their position and tries to clear up a few details. However, they are not denying the security breach altogether.
First of all, Apple claims that Google got the timeline all wrong. According to them, the malicious website attacks were only operational for two months, not two years. They don’t disclose what information has been extracted or how many users might have been affected by the issue.
Moreover, Apple states that Project Zero has falsely created an image of mass exploitation. ‘In reality’ no more than a dozen websites were affected, all of them focused on content related to the Uighur community in Xinjiang, China. Whether that makes it better or worse is very difficult to say.
What can be done?
Apple claims the issue has been fixed, and that they are constantly working to improve their security. Unfortunately for them, this is not the first major security issue they’ve had this year (cough cough – your FaceTime app is eavesdropping on you), so statements such as ‘we will never stop our tireless work to keep our users safe’ don’t make them trustworthy again. Not after the year they’ve had.
Even if you visited one of those undisclosed websites, there’s not much you can do at the moment. The implant from the websites is not persistent, so every time you restart your iPhone, the implant gets deleted.
2019 doesn’t sound like a good time to put your data into Apple’s hands. So I would strongly recommend taking every safety measure possible (VPNs, proxies, etc.) to keep your private data actually private.