
A Message about iOS Security - css
https://www.apple.com/newsroom/2019/09/a-message-about-ios-security/
======
bjornedstrom
What is Apple trying to gain by publishing this article? The tone is
accusatory and defensive in a combination that does not make me sympathetic
towards Apple.

When Google posted the Project Zero articles, that did not impact my view of
Apple in any way. However this press piece affects my view of Apple
negatively, so from my perspective this press article has turned a more or
less neutral event into one that is negative.

~~~
smachiz
I disagree with your assessment here - mostly because you're implying that
your views reflect the majority of people.

You're reading hackernews, you're not an average iPhone user. The Project Zero
announcement was sensationalized - press is good for them. It was then picked
up and further sensationalized by large news outlets whose readers are nowhere
near as technically literate as HN's audience is.

They didn't understand what was being written other than "zomg, website can
hax my entire phone and could've for two years, I assume all my data is on the
darkweb".

The nuance, and details were completely lost to an average iPhone user.

Google has some responsibility when identifying flaws in _consumer devices_
and software to be more clear about the actual impact, ramifications, and
likelihood that your device was compromised.

~~~
akersten
> Google has some responsibility when identifying flaws in consumer devices
> and software to be more clear about the actual impact, ramifications, and
> likelihood that your device was compromised

I don't think that's Google's job at all, especially for a competitor's
product.

Their project is to identify security vulnerabilities and disclose them to the
public, in the name of public interest. We _always_ have to assume worst case
for security vulnerabilities, it's kind of the whole job of being a security
researcher to determine what _could have_ happened. Their job isn't to make
Apple's users feel better.

It's also not Google's fault that media known for being wildly off-base when
reporting on technical news was predictably off-base again.

~~~
jedberg
> in the name of public interest.

It's funny how their public interest seems to stop at the line where Google
looks good and their competitors look bad.

I would say that their public interest mission should include not inciting
unnecessary mass panic by exaggerating claims or by using imprecise language
that would allow the media to make exaggerated claims.

You know, like how they use much more toned down rhetoric when releasing info
on Android bugs.

~~~
DSingularity
Absolutely. These articles erode trust in the competitors of Google. The fact
that Apple was aware of the vulnerabilities and in the process of fixing them
is lost on the public. They were apparently working on fixing these bugs for
10 days prior to Project zero.

Maybe this sensationalism furthers the public interest by turning software
security into a weird zero-sum game where every company is trying to break
their competitors products. But I can also see how cases like this create a
negativity that prevents companies from collaborating to fundamentally improve
security.

~~~
monocasa
> But I can also see how cases like this create a negativity that prevents
> companies from collaborating to fundamentally improve security.

The security community works like this (public responsible disclosure),
_because_ companies overwhelmingly proved that they couldn't be trusted to
collaborate with security researchers.

------
thothamon
Apple has done its best to secure customer privacy not only from bad actors
and the government, but even from Apple itself, something that is certainly
not true of Google. Apple went to the mat to protect its customers from the
FBI. That earns <3 from me. Do I think Google would look out for me like
that? Hahah, no, I do not think so.

Does this mean these vulnerabilities were not real and serious? Not at all.
But Apple took them seriously and reacted quickly. Nobody's perfect, but they
deserve a lot of credit for their hard work on security.

~~~
shazow
> Do I think Google would look out for me like that? Hahah, no, I do not think
> so.

This article is literally about things that Google's Project Zero did which
were for your benefit.

~~~
thothamon
I appreciate the good things Google does for me; they are many. But I don't
think protecting my privacy, much less securing my data even from themselves,
is their priority.

~~~
mda
Funnily, I don't think there is any other company that protects users' private
data better than Google. Not military, not Apple, none of them come close to
it.

~~~
TazeTSchnitzel
Google are good at preventing people hacking their servers, but they also
broadcast your private data to thousands of third parties every time you open
a webpage. Facebook and Google's approach to data security is lock it down so
only they and their partners can access it. It does nothing for your privacy.

~~~
plexicle
What are you talking about? Google neither sends nor sells any of your data to
"third parties". I don't know why people parrot this nonsense.

~~~
TazeTSchnitzel
It's not nonsense, it's a standard part of adtech: [https://brave.com/adtech-data-breach-complaint/](https://brave.com/adtech-data-breach-complaint/)

~~~
lern_too_spel
Google gave an ID to these third parties. iOS does the same with its IDFA.

~~~
TazeTSchnitzel
Far from just an ID.

~~~
lern_too_spel
Then what?

------
saagarjha
Honestly, I really dislike Apple's recent policy of publishing "statements"
for everything that ends up in the press. They did it for the Bloomberg
article, and that was fine, but the one against Spotify and this one sound
whiny and more importantly they fail to address the actual issues being
brought up. It's just a bad look.

~~~
mehrdada
Is this a recent policy? "Thoughts on Flash" was undersigned by Steve Jobs
himself.

~~~
saagarjha
That's the only one that I can think of that compares. Apple wasn't publishing
those three times a year, though.

------
scarface74
Let’s see. If Google finds a vulnerability in iOS, Apple patches the
vulnerability and it’s patched for at least all iOS users on the current OS;
as of right now, that’s all phones dating back to 2013.

But Apple has also within the past three months released an update for phones
back to the iPhone 4s released in 2011.

If Google finds a vulnerability in Android, what percentage of the phones
would actually receive the patch?

~~~
berkes
> If Google finds a vulnerability in Android, what percentage of the phones
> would actually receive the patch?

100% of the vendors that have solid updates in their pipeline.

That means: all Google flagship phones and tablets. A lot of phones from
companies that take updates seriously.

But also: hardly any planned-obsolescence phones. And also hardly any phones that
ship with a FUBAR Android "theme/skin/variant".

The latter is, by definition of Open Source, out of Google's control.

~~~
scarface74
_That means: all Google flagship phones and tablets. A lot of phones from
companies that take updates seriously._

It’s estimated that Google sells at most 2.5 million phones a year and has
0.2% market share of the Android market. Where are all these other companies
that “take updates seriously”? How many Android phones still get updated after
2 years? 3 years? 4 years?

Think that’s too much to ask for? I bought an iPhone 6s in 2015 and my son is
still using it, it’s running the latest OS, and according to many benchmarks
it was faster in single core performance than high end phones released last
year. It’s still faster than most midrange phones.

_The latter is, by definition of Open Source, out of Google's control._

Google has plenty of control over any Android phone that runs Google Play
Services. In fact, it has so much control that it had to pay a fine and is
under a consent decree with the EU about forcing anti competitive conditions
on Android manufacturers.

------
Despegar
"iOS security is unmatched because we take end-to-end responsibility for the
security of our hardware and software."

Good stuff

~~~
kerng
Definitely highlighting their approach vs Google's.

~~~
mkozlows
Project Zero's whole brief is "end to end security" even outside of Google's
corporate borders.

~~~
kerng
As long as it's not involving Google itself I would add....

~~~
SquareWheel
Then you'd be mistaken, because Project Zero has covered both Android and
Chrome vulnerabilities.

~~~
panpanna
And lots of Windows exploits.

Google engineers basically fuzzed all vulnerabilities out of Microsoft's font
rendering system for free.

------
hacker_newz
> When Google approached us, we were already in the process of fixing the
> exploited bugs.

If Apple already knew about the flaw, then why did they never notify those
affected?

~~~
AceJohnny2
Who was affected? The flaw was distributed through a website. They can infer
from the contents of the website who was the likely target audience, but they
don't know who visited the website and got hacked.

~~~
jedberg
Unless they had a way to test if a phone had been hacked and distributed that
along with the patch. It's quite possible that they had pretty good telemetry
on the extent of the exploit.

I agree that they should have told those who were affected, but perhaps they
did?

~~~
AceJohnny2
> _It's quite possible that they had pretty good telemetry on the extent of
> the exploit._

Why would they? This is Apple, one of their selling points is how they don't
have fingers in your phone

~~~
jedberg
There are a ton of places in iOS that report back to Apple. When you first set
up the phone it asks if you want to "share your usage". You also agree to let
them have stats on how long you use each app as part of the app store
agreement.

Apple's selling point is that they don't make money selling your private data
(or transitive access to it) to third parties, but they don't make any claims
about not doing it themselves.

I don't see anything that would preclude them from installing some telemetry
for this specific attack. And I think it would be perfectly justified in the
name of security too.

~~~
saagarjha
> I don't see anything that would preclude them from installing some telemetry
> for this specific attack.

Why can't an exploit just disable this?

------
freewizard
Very bold move for a global company like Apple to point fingers almost
explicitly to China’s Xinjiang policy, which is also supported by 37
countries[1] worldwide.

[1] [https://www.reuters.com/article/us-china-xinjiang-rights/chi...](https://www.reuters.com/article/us-china-xinjiang-rights/china-says-almost-40-states-openly-back-its-xinjiang-policy-idUSKCN1U721X)

------
ummonk
> When Google approached us, we were already in the process of fixing the
> exploited bugs.

Wait, so Apple had already discovered the bugs / exploits before Project Zero
disclosed them to Apple?

~~~
mda
I call bullshit, maybe they found some of the issues in parallel, but it is
obvious they did not have all of it and the scope of the problem. I am utterly
disgusted by their tone as well.

------
mavhc
How does the sandboxing of applications compare on iOS and Android? Reading
that iOS had trouble blocking applications from calling OS functions they
weren't supposed to, plus they're running native code, not Java, seems to
imply a security bug in an application is more severe on iOS than Android.

See the Whatsapp root exploit for an example.

Or are there additional protections in iOS, comparable to Android?

~~~
mavhc
[https://www.wired.com/story/ios-security-imessage-safari/](https://www.wired.com/story/ios-security-imessage-safari/)

------
saagarjha
> First, the sophisticated attack was narrowly focused, not a broad-based
> exploit of iPhones “en masse” as described. The attack affected fewer than a
> dozen websites that focus on content related to the Uighur community.

Of course, being 0-days, this is speculation on Apple's part.

> When Google approached us, we were already in the process of fixing the
> exploited bugs.

This is an interesting twist: Apple apparently knew about these bugs prior to
Google Project Zero's involvement? The media overhyped the vulnerabilities (as
they normally do), but this statement seems like it's blaming Google for
making a big deal of something that Apple supposedly didn't need help on. Not
a good look for Apple to be throwing shade in a public statement :/

~~~
ajconway
> The media overhyped the vulnerabilities

No, the media underhyped it. It's a remote code execution vulnerability that's
triggered by visiting a website.

~~~
saagarjha
I'm not denying that they're serious vulnerabilities–made especially
concerning because it looks like they're the work of a nation state against an
ethnic minority–but headlines of "1 billion iPhones hacked" do not convey the
issue accurately.

~~~
ajconway
Right, probably. No one knows who else might have used it, though.

What's kind of sad is that this story was not used to enlighten the general
population on how exactly the modern information security works (which can be
reduced to "nothing is secure").

~~~
godelski
Which it can be. Especially because Apple's statement shows who the attacker
was and who they were attacking. I mean if Trump used an attack like this to
target Muslims people would be screaming their heads off about government
overreach and violations of privacy. And that's essentially what happened
here.

------
cavisne
The original blog says this is a failure case for China, what went wrong
specifically? Would this attack normally not be indexed/scraped by google?

Apple PR seems to be trying to muddle the 2 years that the attack was likely
available, and the 2 months where these sites operated.

------
blackflame7000
I do detect just a bit of snark in that press release although to be fair, no
one likes to be called out on their mistakes.

------
rkagerer
Got a link to the original post and/or a good summary?

~~~
saagarjha
Original post: [https://googleprojectzero.blogspot.com/2019/08/a-very-deep-d...](https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html). TL;DR: five web-based 0-days that Google saw being used in the wild for versions of iOS ranging from 10 to 12.

------
cromwellian
Security researchers have a culture of being both overly paranoid and sticking
to just the facts and not actively trying to minimize.

It seems Apple doesn't want them to say "here are the exploits we found, and
we found them on X websites, and estimate a few thousand visits per week",
they appear to want them to say: "Only the Uighurs really need to worry. And
by the way, it wasn't just us! They were going after Uighurs on Windows and
Android too!"

Even if PZ added the "context" they seem to want, "just the Uighurs!", or "other
platforms were attacked too", in what way does that actually diminish the fact
that multiple 0-days with remote code execution on multiple OS versions were in
the wild?

The fact that we have one case where a single geographic group was targeted
does not mean that these exploits weren't being used elsewhere. Imagine
there's a Windows 0-day and you're an IT admin, but the advisory says only
Ukrainians were targeted by Russia. Does that mean you shouldn't go back and
look at your logs and look to see if you've been exploited, rotate
credentials, install new countermeasures, etc?

Shouldn't iPhone users be encouraged to rotate passwords on non-2FA sites
after a reboot for example? To me, Apple's response looks like damage control.

And why doesn't Apple have their own Project Zero that publishes deep dives on
iOS/OSX vulnerabilities and would allow the press to have more context and not
fly off the handle? Wouldn't it help to engender their development community
and security researchers to be more active, by educating them on how these
vulnerabilities typically work and how they're discovered, so more people can
learn to spot them? It would make the claim "we already knew about these and
were fixing them before other people discovered them" look better.

------
xtat
For some reason this reminds me of trump obsessively defending that hurricane
tweet-- really a bad look for Apple.

------
fpgaminer
I didn't follow this story beyond reading Google's deep dive on the bugs. So
I'm curious about a few things. (Deep Dive:
[https://googleprojectzero.blogspot.com/2019/08/a-very-deep-d...](https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html))

The deep dive actively avoided mentioning information on who the targeted
group(s) were. Was it later revealed who the targeted demographic was? Or did
Apple just now reveal that information in this statement? It's a rather big
piece of the puzzle. This attack being orchestrated by a nation-state was a
strong possibility. Knowing that it was a targeted attack against the Uighur
makes that case significantly stronger, and adds even darker tones to the
story.

And then there's this bit from Apple's statement:

> all evidence indicates that these website attacks were only operational for
> a brief period, roughly two months, not “two years” as Google implies

Interesting. So I re-checked Google's post and:

> This indicated a group making a sustained effort to hack the users of
> iPhones in certain communities over a period of at least two years.

A week ago, I read that to mean that these exploits were being actively used
for two years. Reading it today ... it still reads the same to me. I guess
what it is actually supposed to say is that the exploits were developed over
the course of two years; not that they were actively used for two years.

So that's definitely poor wording on Google's part. I wouldn't say it's
nefariously worded, though. I think the author of the blog post was just
trying to drive home the sophistication of the malicious group.

But I know that I certainly came away from Google's article thinking that the
exploits were _active_ for two years, which is significantly more frightening.
So it makes sense that Apple would want to rebut that point.

~~~
garaetjjte
> Was it later revealed who the targeted demographic was?

It is speculation based on the list of targeted apps (listed in the implant teardown
post).

> I guess what it is actually supposed to say is that the exploits were
> developed over the course of two years; not that they were actively used for
> two years.

I don't know what evidence Apple has, but Google definitely meant that it was
exploited for two years: (from exploit chain 1 post)

> This exploit provides evidence that these exploit chains were likely written
> contemporaneously with their supported iOS versions; that is, the exploit
> techniques which were used suggest that this exploit was written around the
> time of iOS 10. This suggests that this group had a capability against a fully
> patched iPhone for at least two years.

------
marcosscriven
Why don’t they write a blog post thanking Project Zero!

~~~
sigzero
Why would they? Their post points out that Project Zero was incorrect in a few
assumptions.

~~~
lern_too_spel
For reporting actively exploited vulnerabilities?

------
CodeSheikh
Is the Uighur community the one that the Chinese government is partaking in ethnic
cleansing of? Is it fair to deduce from this information that the hackers were
pro-Chinese govt?

~~~
Rafuino
More likely part of the gov't of PRC

------
panpanna
> First, the sophisticated attack was narrowly focused, not a broad-based
> exploit of iPhones “en masse” as described.

The Chinese government decided to limit the attack to a population of 1 million.
Nothing technically stopped them from targeting the entire planet, so I don't
understand why someone is trying to downplay this.

------
droithomme
> The attack affected fewer than a dozen websites that focus on content
> related to the Uighur community.

Ah, so the exploit was written and placed by the Chinese government.

------
jedberg
> The attack affected fewer than a dozen websites that focus on content
> related to the Uighur community

Is this new information or did we already know this? If it's new, this is very
interesting. It's well known that China is doing everything it can to harm the
Uighur community, which would imply a state sponsored attack.

Making a slight logical leap, it makes me think that China took some iPhones
that were in various states of construction so they could discover these
exploits. Given that the iPhones are made in China, it is not much of a leap
to assume they have effectively unfettered access to the same things that the
factories do.

I wonder, is there iOS source code access from the Chinese factories? Does
this mean the Chinese government has access to "test" iPhones? Lots of
interesting questions here.

~~~
saagarjha
You can buy a development iPhone by DM'ing the right guy on Twitter and paying
him a couple grand. I don't think the Chinese government needs any additional
access to factories to be able to exploit them.

~~~
jedberg
They may not need the access, but they have the access, so perhaps they used
it. Definitely safer for them to just go into a factory and get a test phone
than "DMing a guy on Twitter".

------
acoye
> targeting the Uighur community

I read between the lines "A state actor was actively tracking a group based on
religion"

~~~
musicale
Yeah, it is too bad that Google or Apple didn't say more about that. For
example, they could say that this example shows exactly why security and
privacy matter: smartphones, computers, and the internet should not be used as
tools for governments to track citizens based on their religion, culture, or
political views.

------
thesquib
Bad apples.

------
godelski
Edit: I don't want a fight.

~~~
acqq
> The 11 million people China is placing in concentration camps

There are certainly no 11 million people in concentration camps there. Also
nobody cites any sensible proof of the estimates pushed by the US-supported
organizations and the US directly. For example, here Zenz, who claims that 1.5
million are detained, quotes that:

"Zenz found abundant local county budgets and procurement bids indicating that
large police or security guard units were hired for the camps. In one example,
a county’s 2019 budget stated that its “training centers” employ 212 teaching
staff, but more than twice as many security guards."

400 security guards can't guard 1.5 million.

[https://www.inkstonenews.com/politics/china-calls-xinjiang-c...](https://www.inkstonenews.com/politics/china-calls-xinjiang-camps-training-centres-governments-own-documents-say-otherwise-researcher-finds/article/3016918)

The whole "China oppresses Muslim Uighurs in millions" is supported in the UN
by 22 countries (1), while 37 specifically deny that:

[https://www.businessinsider.com/china-joint-letter-condemn-m...](https://www.businessinsider.com/china-joint-letter-condemn-muslim-oppression-no-islamic-signatories-2019-7?r=US&IR=T)

Those 22 signatories of a "joint letter condemning oppression" are: Australia,
Austria, Belgium, Canada, Denmark, Estonia, Finland, France, Germany, Iceland,
Ireland, Japan, Latvia, Lithuania, Luxembourg, the Netherlands, New Zealand,
Norway, Spain, Sweden, Switzerland, and the UK.

[https://www.businessinsider.de/syria-saudi-nk-support-china-...](https://www.businessinsider.de/syria-saudi-nk-support-china-uighur-prison-camps-xinjiang-2019-7)

Note that there are 47 Muslim countries in the UN and not a one is in the
above list. Whereas among those who apparently support China's treatment are
Pakistan, Saudi Arabia, Egypt, Algeria, United Arab Emirates and Qatar, all
Muslim countries:

[http://www.xinhuanet.com/english/2019-07/13/c_138222183.htm](http://www.xinhuanet.com/english/2019-07/13/c_138222183.htm)

~~~
godelski
I'm saying there are 11 million Uighurs. I'm not claiming they are all in
"training center". I imagine only a small portion of them are.

~~~
acqq
> I imagine only a small portion of them are.

The way you wrote your sentence I've quoted and replied to doesn't make that
clear, anybody reading: "the 11 million people China is placing in
concentration camps" can conclude that 11 million are supposed to be there.

~~~
godelski
That's a fair statement. I can see how you would think I meant that. That is
not what I meant.

------
hmx48
"Don't worry people, it just affected Uyghurs, who cares?"

~~~
dymk
Not at all the content nor tone of the article

------
ianferrel
> The attack affected fewer than a dozen websites that focus on content
> related to the Uighur community.

Nice use of the passive voice there. "The attack" did it.

~~~
musicale
Not exactly passive voice, but I agree: this does dance around who the likely
attackers were and why the specific victims were targeted.

------
m0zg
>> focus on content related to the Uighur community

Yeah, Tim, perhaps making your $1K phones in a Chinese sweatshop to save a few
bucks wasn't such a brilliant idea.

------
dev_dull
> _The attack affected fewer than a dozen websites that focus on content
> related to the Uighur community._

When we refuse to work on defense technology (E.g., weapons), let’s remember
who our rivals are, because they are surely investing their best technology
and minds into weapons of war at full speed. What do you think they'll do once
we finally and willingly lose our technological edge?

Whatever they want.

~~~
jrockway
Diplomacy seems to be working better than weaponry.

~~~
dev_dull
Leverage brings people to the table.

------
matmann2001
"...we take end-to-end responsibility for the security of our hardware and
software"

Remember that Apple said this.

~~~
musicale
Pretty sure that's what they are trying to do? But I agree that they should
probably try to make it harder for authoritarian governments to exploit
iPhones for use against political dissidents and unpopular minorities.

------
duckqlz
Having read all of the posts on the related blog from Google, I don’t think
customers' fears are unwarranted. I think Apple spent a large amount of money
“fighting” the FBI publicly on one case, built an image of a security-focused
phone company, and is terrified of losing that image and going back to being
seen as the Orwellian overlord we saw painted by the Snowden dump. Not that
Google is any better though.

------
trolololooo
By now, many of us have experienced an oddly targeted ad delivered to them
after having a conversation. Facebook and Instagram deny it very publicly.
Coincidentally there's an exploit that allows audio access to iOS devices
after someone hits an infected webpage. I can imagine an ad company trying to
use this kind of exploit.

But Apple PR says it's all okay. It must be true so don't even think about it.
Those Google security researchers are probably just jealous.

~~~
saagarjha
> I can imagine an ad company trying to use this kind of exploit.

I can't imagine that they would, considering that this would be expensive to
procure and highly illegal to use.

~~~
Spooky23
Have you read much about Facebook?

