A Message about iOS Security (apple.com)
432 points by css 10 days ago | 290 comments


What is Apple trying to gain by publishing this article? The tone is accusatory and defensive in a combination that does not make me sympathetic towards Apple.

When Google posted the Project Zero articles, that did not impact my view of Apple in any way. However this press piece affects my view of Apple negatively, so from my perspective this press article has turned a more or less neutral event into one that is negative.


I disagree with your assessment here - mostly because you're implying that your views reflect the majority of people.

You're reading Hacker News, you're not an average iPhone user. The Project Zero announcement was sensationalized - press is good for them. It was then picked up and further sensationalized by large news outlets whose readers are nowhere near as technically literate as HN's audience is.

They didn't understand what was being written other than "zomg, website can hax my entire phone and could've for two years, I assume all my data is on the darkweb".

The nuance, and details were completely lost to an average iPhone user.

Google has some responsibility when identifying flaws in consumer devices and software to be more clear about the actual impact, ramifications, and likelihood that your device was compromised.


> Google has some responsibility when identifying flaws in consumer devices and software to be more clear about the actual impact, ramifications, and likelihood that your device was compromised.

https://googleprojectzero.blogspot.com/2019/08/a-very-deep-d...

"Earlier this year Google's Threat Analysis Group (TAG) discovered a small collection of hacked websites."

"We estimate that these sites receive thousands of visitors per week."

"TAG was able to collect five separate, complete and unique iPhone exploit chains, covering almost every version from iOS 10 through to the latest version of iOS 12. This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years."

Google was responsible in identifying estimated scope. They didn't say it was widespread or impacting millions of devices. And that there are vulnerabilities for 2 years' worth of iOS versions is pretty reasonable evidence that this has been a 2 year project.

Meanwhile Apple's counter-claims sound like pure damage control with no supporting evidence. They claim it was only operational for 2 months. Yet they provide no justification or evidence for that claim. They are in no position to monitor what happens on the web as they don't crawl it, and don't even attempt to explain why there would be exploits for 2 years of OS versions if this was only operational for 2 months.

But I'm not seeing any reason to believe Google was anything but responsible in its disclosure, nor that they sensationalized it in any way.


«[Apple] claim it was only operational for 2 months. Yet they provide no justification or evidence for that claim. They are in no position to monitor what happens on the web as they don't crawl it, and don't even attempt to explain why there would be exploits for 2 years of OS versions if this was only operational for 2 months.»

I agree. Google provided ample evidence why they believe the websites must have been exploiting phones for about 2 years (https://1.bp.blogspot.com/-97vEtS5TpiM/XWfds8hYAyI/AAAAAAAAN...). Meanwhile Apple appear to be playing down the severity of all this with zero evidence.


I may be mistaken, but I'm interpreting the bars as meaning the span of dates during which that particular exploit chain worked against the latest version of iOS.

Chain 1: iOS 10 launched 13 Sep 2016 and 10.1.1 lost relevance when 10.2 was launched on 12 Dec 2016

Chain 2: iOS 10.3 was launched 27 Mar 2017 and lost relevance when iOS 11 was launched on 19 Sep 2017.

Chain 3: iOS 11 was launched 19 Sep 2017 and lost relevance with the release of iOS 11.4.1 on 9 July 2018

Chain 5: iOS 11.4.1 was launched on 9 July 2018 and worked until the release of 12.1.3 on 22 Jan 2019.

Chain 4: iOS 12 was launched 17 Sep 2018 and worked until 12.1.1 which was released on 5 Dec 2018.

The span of dates during which a particular version of iOS was the latest release does not necessarily mean that exploit chain was active contemporaneously. I can think of several reasons for someone to be unable to upgrade to the latest version of iOS, requiring an attacker to maintain and deploy exploit chains for multiple versions of iOS simultaneously.

1) Apple has historically dropped support for older iPhones with each new iOS major version.

2) Users who jailbreak tend to refuse to update until a jailbreak emerges for the new version.

3) Some users are slow to update

4) Some users might just refuse to update

Because of this reasoning I find it plausible that Apple only has evidence that the exploit chains were active for only two months and that the attacker chose to deploy the five chains for only two months. I do not find Google's chart insightful for understanding this attack.


None of the exploit chains Google found support iPhones too old to receive the latest iOS version, probably because that would require 32-bit versions of the exploits. There also don't seem to be any 10.0.x or 10.1.x-only jailbreaks, so that doesn't explain the ancient exploits for those versions either; there seem to have been a few months at the end of 2017 where the best jailbreak was a 10.2.1-only one, but that version ain't supported by any of the exploits here and it was quickly obsoleted by jailbreaks which supported all 10.x versions. (Interestingly, those jailbreaks used the same bug as exploit 2 here, but they supported more versions and used different techniques to exploit it. That strongly suggests this exploit was developed and used prior to the release of those jailbreaks in late 2017/early 2018.)

Also, note that the exploit used in chain 4 was unpatched when Google discovered it. It looks like the reason it doesn't support newer iOS versions is because they abandoned it in favour of the cleaner chain 5, which entirely obsoletes it in terms of versions and devices targeted. Just this pair of exploits alone suggests that the attack was live in the wild for at least a year.

In theory I suspect that most recent exploit could be backported to cover all the iOS versions covered by all the other exploits too (and some they missed) but they just didn't bother.


>Meanwhile Apple's counter-claims sound like pure damage control with no supporting evidence.

I guess Apple could go back and look at their crash report telemetries to determine when the exploits were active. Google doesn't have that type of historical data for iOS devices. Of course there were no mentions of that as evidence.


Also presumably these are exploits to burn - lower value exploits for whatever reason.

E.g. once an exploit is detected by Apple, you might as well use it. Or an exploit that is only relevant to an iOS version with low install base - just use it.


> And that there are vulnerabilities of 2 years worth of iOS versions is pretty reasonable evidence that this has been a 2 year project.

My thought was that they could be to target old versions, even if the site is new, but if the new exploits work on old versions that seems unlikely (though it could be to limit the exposure of the new zero-day - fingerprint an old version, present an old exploit - but if the exploits are new, that seems like a lot of work for next-to-no benefit).


> My thought was that they could be to target old versions, even if the site is new

That would make a lot of sense if we were talking about Android but how many iOS devices are still on iOS 10? Apple's stats show 97% of devices are iOS 11+ ( https://developer.apple.com/support/app-store/ ). It seems rather unlikely that someone would invest in finding & weaponizing a zero-day exploit against iOS 10 for less than 3% of users. Possible, sure, but Apple's claims need evidence here.


Apple's figures show that 97% of devices that can be upgraded were upgraded. A lot of people keep using Apple devices that are out of support.

Depends on how many people in the target group are running those versions.

> Google has some responsibility when identifying flaws in consumer devices and software to be more clear about the actual impact, ramifications, and likelihood that your device was compromised

I don't think that's Google's job at all, especially for a competitor's product.

Their project is to identify security vulnerabilities and disclose them to the public, in the name of public interest. We always have to assume worst case for security vulnerabilities, it's kind of the whole job of being a security researcher to determine what could have happened. Their job isn't to make Apple's users feel better.

It's also not Google's fault that media known for being wildly off-base when reporting on technical news was predictably off-base again.


> I don't think that's Google's job at all, especially for a competitor's product.

To be credible, it would be especially true for a competitor's product. If you're even remotely insinuating that they can or should go softer on themselves than others, they're 100% not credible, and that would only make Apple's stance that much more legitimate. If they aren't at least as tough on themselves - and they should probably be tougher on themselves than others - it's just a marketing team.

But I do think they have that responsibility. Disclosing flaws and vulnerabilities for consumer use cases requires nuance and less "just the facts, ma'am" otherwise you're actually doing more harm than good.

The stories will be blown out of proportion, and the world will go numb to them. Because the little, low impact issues are constant background noise - when they get blown out of proportion and 0.000001% are affected, and 90%+ were patched 6 months ago, all this does is contribute to the noise, and doesn't improve the signal.


> To be credible, it would be especially true for a competitor's product.

At this point, I don't think it matters much to the typical consumer. Both camps have their fair share of zealots, and short of a press release stating something horrific, most people don't care to switch to the other side. iOS users claim superiority for their device features like iMessage, cameras, and UX, while Android users pretend like their device is for the technologically enlightened.

Credibility in a report like this is a non-issue for most users. It's not about responsible disclosure, facts, and the truth. It's about marketing.


> in the name of public interest.

It's funny how their public interest seems to stop at the line where Google looks good and their competitors look bad.

I would say that their public interest mission should include not inciting unnecessary mass panic by exaggerating claims or by using imprecise language that would allow the media to make exaggerated claims.

You know, like how they use much more toned down rhetoric when releasing info on Android bugs.


Absolutely. These articles erode trust in the competitors of Google. The fact that Apple was aware of the vulnerabilities and in the process of fixing them is lost on the public. They were apparently working on fixing these bugs for 10 days prior to Project zero.

Maybe this sensationalism furthers the public interest by turning software security into a weird zero-sum game where every company is trying to break their competitors' products. But I can also see how cases like this create a negativity that prevents companies from collaborating to fundamentally improve security.


> But I can also see how cases like this create a negativity that prevents companies from collaborating to fundamentally improve security.

The security community works like this (public responsible disclosure), _because_ companies overwhelmingly proved that they couldn't be trusted to collaborate with security researchers.


> They were apparently working on fixing these bugs for 10 days prior to Project zero.

That’s not what the Apple press release says. It says that it took them 10 days from when they learned about the bugs until they had “resolve[d] the issue” (fix implemented? released?).

Presumably Google contacted them sometime in between when Apple first learned about the bugs and when they finished fixing them.


> Maybe this sensationalism furthers the public interest by turning software security into a weird zero-sum game where every company is trying to break their competitors' products.

This isn't a Maybe. Narrowing in on the statement of fact "where every company is trying to break their competitors products," query Ben Hawkes of Project Zero for an exact quote, but this about 100% lines up with it.


P zero attacks Google's projects just as much as anyone else's, and they're even more aggressive in things like sticking to their disclosure timeline. They definitely don't pull punches or play favorites.

What mass panic? Did I miss the part where entire towns were burning their iPhones? Most people don’t know or care about security, and even if this was “sensationalized” do you honestly believe everyone didn’t just forget about it a week later? Is there anyone who actually believes this will have any effect on iPhone sales?

It seems you did miss all the press coverage of this event.

Here's one: https://www.vice.com/en_us/article/mbmgqp/this-is-worst-year...


No, I saw that -- maybe you missed every other flavor-of-the-week coverage for the past 10 years? Panic refers to users' reactions -- not what the news cycle generates for a given week. When information about Uber came out, at least #dumpuber trended or whatever, actual users wanting to change their behavior in response to events relating to a company. I didn't see that at all with this. This article is entirely about how members of the industry feel about Apple I guess? At least when the assertions aren't completely passive like "Apple’s perception as the secure consumer device is starting to crack." -- Apple's perception has cracked WITH WHOM??

The general population is completely burnt out about security stuff -- they hear about their bank getting hacked and releasing all their records like twice a year now. No one "panics" over that anymore either. This is no different, if they'll even be able to recall them being separate events a year from now.


Ironically Google behaves differently on their own products.

https://arstechnica.com/information-technology/2019/09/andro...

Waiting for the patch to come to my devices...


> Waiting for the patch to come to my devices...

And the 5 post write up on the PZ blog.

Security with mobile devices is definitely a don't throw stones in glass houses situation.


Why would PZ write up a post on what they didn't find?

And in the past they've definitely written posts on issues that only affect Android (as far as mobile goes), like their super deep dive into remote broadcom wireless exploits.

https://googleprojectzero.blogspot.com/2017/04/over-air-expl...


Probably not a great example, given that Broadcom bugs affect anyone using Broadcom, which, yep, includes iPhones:

> A partial list of devices which make use of this platform includes the Nexus 5, 6 and 6P, most Samsung flagship devices, and all iPhones since the iPhone 4.


That report was published by Trend Micro's zero-day team, not Google's. Also, bear in mind that Project Zero and Android aren't the same team. And PZ does sometimes get the same response from Android as Trend Micro did. And it results in public disclosures just like this one.

Maybe, but what about me actually getting those patches?

> I don't think that's Google's job at all, especially for a competitor's product.

I think that any level of care they would take in describing the impact of a flaw in their own product, ethically, the same level of care must be taken when describing the impact of security flaws in a competitor’s product.

Otherwise this goes from white-hat to grey-hat hacking, and it serves to undermine the stated goals and intentions of Project Zero.


> I don't think that's Google's job at all, especially for a competitor's product.

If they want security professionals to pay attention to them, it is.

I accept that maybe P0 just didn't carefully think through what they were saying; they've been straight shooters in the past. But they definitely gave both a misleading impression about the situation they described _and_ downplayed other risks.

If that keeps happening, I (for one) will end up treating them more like Oracle's security/marketing department. And that would be a serious loss, because P0 has been doing really good work.


> I don't think that's Google's job at all, especially for a competitor's product.

I don't think you quite understand why the Google Project Zero team exists in the first place. Their job is to make the world a more secure place. They seem to choose whatever they want to work on to maximize their impact on the world, ranging from Intel processors to iPhones to some first party technologies like Chrome.


How do you know why project zero exists?

It says on their website:

> Project Zero's mission is to make 0-day hard. We often work with other companies to find and report security vulnerabilities, with the ultimate goal of advocating for structural security improvements in popular systems to help protect people everywhere.


Why they say they exist and why they actually exist are two different things entirely. There’s not a single corporation (except maybe B corps) that spends money like this without a competitive agenda. Off the top of my head are a couple obvious reasons for PZ: to help with recruitment, to give the company some good press, to make their competitors look bad, or to fix their own Android exploits before anyone else knows.

> It's also not Google's fault that media known for being wildly off-base when reporting on technical news was predictably off-base again.

It is at least plausible that Google structured the posts and announcements to exploit that ignorant media coverage for their own competitive advantage.

So at least arguably their “fault” as they have ample experience with that media coverage process themselves.


I don't think that's Google's job at all, especially for a competitor's product.

It's in their financial interest to do so. They don't want their users' Gmail data (or data from other Google services) to leak, even if it's not their fault.


Given the dire situation of security, this can't be a "let the market figure out the solution" situation. When it comes to whether Google's IoT devices work with Amazon's, I would personally love for them all to work together, but for profitability, maybe that's not in Google's best interests. That's fine.

But for security, they need to be working together. This is definitely a "rising tide lifts all boats" situation.


>> We always have to assume worst case for security vulnerabilities, it's kind of the whole job of being a security researcher to determine what could have happened.

Many people will be annoyed by this "assume the worst" drama.

For example, drinking too much water, if we assume the worst, can kill you.

Also, walking around can kill you, if we assume the worst.

Also, just being around can kill you, if we assume the worst, hey, you could die of a stroke.

So, how is this "assume the worst" statement useful?


> It's also not Google's fault that media known for being wildly off-base when reporting on technical news was predictably off-base again.

Er, yes it is? Or rather, to make a finer point, it was their responsibility—i.e., they knew the causal chain that would inevitably result from their action and chose to perform that action anyway.

If you knowingly give an alcoholic a drink, you’re responsible for them falling off the wagon.

If you leave your pet mouse out next to your pet cat and leave the room, you’re responsible when the mouse is eaten.

If you can clearly foresee something bad happening, and you have an alternative path that avoids that thing happening, and you choose to go down the path where the thing happens: your responsibility.

That’s not to say that nobody else is responsible. Responsibility is not exclusive. A war, for example, is the responsibility of two parties—either side can just give in to the demands of the other, to avoid it. Both parties, in their choice to not give in, are responsible for the war.


You're not wrong that the people who read Hacker News do not represent the average iPhone user. But then again, Average Jane and Joe are already used to bullshit PR speak that attempts to downplay issues, and will see through most of it.

Apple could have written "Google is correct that the bugs existed for 2 years, but Google as well as us only found evidence that the bugs were actually exploited for a total of about two months and targeted a very narrow group of specific users." and so on.

Instead they opted for a "Google is lying about us!!1! They are IMPLYING THINGS". If a company as big as Apple with well stocked legal and PR departments publishes a press release like that, my mind immediately goes to "what are they trying to hide or downplay".


>They didn't understand what was being written other than "zomg, website can hax my entire phone and could've for two years, I assume all my data is on the darkweb".

Seriously... did you overhear me talking to my relatives?

If not, you absolutely nailed the public perception.


I suppose you are both right but what it has done is further polarized and emphasized the tribalism between those that support google and those that support Apple. Not that bad of a marketing play from Apple...

iOS zero-day RCE vulnerabilities were used, for a significant period of time, by the PRC to target its threatened Uighur minority and friends of that community. People probably died as a result. If anything, the findings of Google's report weren't sensationalized enough.

Apparently it was Uighurs outside of China that were also targeted by Android vulnerabilities, as per this article: "Confirmed: Google’s Android Suffers Sustained Attacks By Anti-Uighur Hackers" https://www.forbes.com/sites/thomasbrewster/2019/09/03/confi...

(Edit: added title, changed wording to remove unclear usage of expat).


When Google posted the Project Zero articles, that did not impact my view of Apple in any way.

Google claimed an exploit was being actively used for two+ years (with no evidence beyond a variety of versions being exploited, which could also simply be the targeting of different versions). They also added editorial narrative like "we'll see cases of code which seems to have never worked, code that likely skipped QA or likely had little testing or review before being shipped to users." They then obviously sideband released the group that was targeted, making it a big news story. Unstated was that the same sites had Android and Windows exploits on them.

Project Zero is hugely valuable, but this was the first time it seemed like it became a marketing tool, using classic media release patterns for the biggest bang. Android is by far the most popular OS, with many serious exploits over its history (a 0-day privilege elevation just released by third-parties) -- does anyone remember Project Zero doing such an analysis of Android bugs?


> "we'll see cases of code which seems to have never worked, code that likely skipped QA or likely had little testing or review before being shipped to users."

This really ground my gears as well. You've just published lengthy posts on how to exploit these complicated vulnerabilities and chain them together, it's unlikely testing could have caught all of them.

And testing for security is entirely different from QA.

Do tell me Google, how is Stagefright going? Did you try QA'ing it?


I suggest you read the actual case of code that contained a trivial bug: https://googleprojectzero.blogspot.com/2019/08/in-wild-ios-e...

If it was so trivial, why didn't anyone find it before? The source is open. PZ only found it after finding these sites exploiting it. Unused code is not uncommon.

The point is, all software has bugs; but there's no way Google can know what "QA" iOS goes through, and to pretend it's nothing is ridiculous. There's plenty of examples out there of code being reviewed by several super clever people, and yet they miss something. Trying to work backwards from a bug without the context of actually working in the team that wrote the code never works.


> If it was so trivial, why didn't anyone find it before? The source is open. PZ only found it after finding these sites exploiting it.

No; as the first sentence states, Project Zero found this independently:

> This exploit chain is a three way collision between this attacker group, Brandon Azad from Project Zero, and @S0rryMybad from 360 security.

(For what it's worth, this ended up in a jailbreak too, and has its own blog post: https://googleprojectzero.blogspot.com/2019/01/voucherswap-e...).

> Unused code is not uncommon. The point is, all software has bugs; but there's no way Google can know what "QA" iOS goes through, and to pretend it's nothing is ridiculous.

It isn't uncommon, but it is clear that the code was not QA'd, for the reasons given in the article: trying to call this method would instantly panic the kernel (which is easy to triage; you don't even have to have much knowledge of the iOS QA process to guess that).


> No; as the first sentence states, Project Zero found this independently:

Oops, my bad, I had in my head the opening of the first post talking about how they had come across the sites using these exploits.

I think we agree that this piece of code was not well tested. Where I think I set my expectations of Apple lower is that this code was never used, essentially forgotten about and that I've literally done this myself. And I simply don't believe you can tell simply from a bug whether "QA" happened or not.

Why I give the benefit of doubt to Apple here is that it's not in something that is called everyday in normal devices. It's not in part of the OS that sees constant use. If this error occurred (and yes I'm aware that the end result is the same) in say the network stack or media stack, then I'd start having my doubts, since they regularly process untrusted data, and Apple should have proactively checked, just like Android now does with Stagefright. But this was in an essentially undeclared API that was never even used by Apple themselves. I think this was more a fuck up rather than not doing their jobs.

As a side note, whilst I do have an iPhone, my 2015 MacBook runs Linux and I generally don't consider myself an "apple fanboy".


> Unstated was that the same sites had 0-day Android and Windows exploits on them.

Have any source of that?


I was lazy in saying 0-day because details of them are not out (though coincidentally a privilege elevation 0-day was just revealed for Android). However reports are that any Android version was being used to report a comprehensive list of information about the device, and that there were Windows exploits as well. Which of course there was as presumably they'd comprise the vast majority of the targeted group.

> does anyone remember Project Zero doing such an analysis of Android bugs?

Yes, many times in fact. So besides that "question" just being a terrible "Whataboutism" fallacy, it's also just wrong.

From 2019 alone here's a handful of deep-dives into issues with Google software (well the last is linux but is done against Android specifically): https://googleprojectzero.blogspot.com/2019/03/android-messa... https://googleprojectzero.blogspot.com/2019/04/virtually-unl... https://googleprojectzero.blogspot.com/2019/02/the-curious-c... https://googleprojectzero.blogspot.com/2019/01/taking-page-f...


Which fallacy is it when you dismiss something cogent and pertinent by misappropriating a fallacy? Remarkably it's probably the most common fallacy of all.

"Whataboutism" is entirely off base because that isn't what I did whatsoever.

We're talking about the motives of literal Google employees. Finding and reporting bugs is hugely important for everyone, but they sure are making a lot of noise, and adding a lot of narrative and PR tactics, for a long patched iOS bug.

Or maybe it's just that Android bugs are expected, so they don't get much attention any more?

"handful of deep-dives into issues with Google software"

First one I went into -- third party reported, widely known problem in external graphics library. Project Zero did not find it, did not report it, and this is just tourism after the fact that points the finger outwards.

Second one -- Linux kernel. Pointing the finger outwards.

Third one -- Clear fault in Chrome, but conclusion is that it's actually the fault of ASLR and that the OS isn't memory-bounding Chrome. Pointing the finger outwards.

Fourth one -- Tiny post that says it found a "couple" of bugs that are probably not exploitable. Bug minimization.

They have another that attacks Samsung software. Pointing the finger outwards.

This isn't a hugely compelling example of their intentions. Show me one where they make the extraordinary claim that it was long exploited without any evidence whatsoever (elsewhere you claimed that Google knew because they "crawl", but in actuality this Project Zero claim was made purely based upon the span of versions the bug targeted), or make editorial comments about QA or source control processes. Instead it looks an awful lot like hand-washing.


> elsewhere you claimed that Google knew because they "crawl"

I most certainly did not.

> First one I went into -- third party reported, widely known problem in external graphics library. Project Zero did not find it, did not report it, and this is just tourism after the fact that points the finger outwards.

You specifically asked if Project Zero did such a public analysis of a bug, which that post is exactly. If you wanted Project Zero discovered issues there's a whole boatload of them on their issue tracker.

> Or maybe it's just that Android bugs are expected, so they don't get much attention any more?

More whataboutism. And also wrong.

> This isn't a hugely compelling example of their intentions. Show me one where they make the extraordinary claim that it was long exploited without any evidence whatsoever (elsewhere you claimed that Google knew because they "crawl", but in actuality this Project Zero claim was made purely based upon the span of versions the bug targeted), or make editorial comments about QA or source control processes. Instead it looks an awful lot like hand-washing.

Show me one where they do that about iOS. You are reading things that aren't there. Google did not make any extraordinary claims. Kinda like how you accused me of claiming "Google knew because they "crawl"".

The "editorial comments" on code review/QA are covered in the follow-up posts. Notably task_swap_mach_voucher when called with a valid voucher would kernel panic. There is no charitable explanation for kernel calls that are reachable by any application and never work. The "editorial comments" that you are objecting to are, if anything, too soft in their phrasing.


"You specifically asked if Project Zero did such a public analysis of a bug, which that post is exactly."

What I "specifically asked" is if they've done anything like this regarding an Android bug. Not if they've ever reported in a passing sense, and in a blame-everyone-else-way about an Android bug.

"More whataboutism"

You keep using that word. I do not think it means what you think it means.

Ergo, again we're talking about a huge reporting cycle based upon a Project Zero release. If you think it's whataboutism you're digging really deep to try to prove your rightness (in a very Trumpian sense -- Alabama Alabama Alabama).

"I most certainly did not."

Yeah, you did. You claimed that Apple couldn't know how long it was exploited, yet Google -- because of their crawling -- could. The only possible basis for your argument was what I said (because obviously a widely targeted version base is because there are users out there with that version base, in the same way that a 0-day today for Android 8 doesn't suddenly mean it was invented two years ago, which would be a monumentally stupid claim that would be instantly discredited by anyone who put even a modicum of thought into it).

https://news.ycombinator.com/item?id=20899249


You are responding to the wrong query. Of course PZ has done articles on Android. The point is that none of those articles read like

> a marketing tool, using classic media release patterns for the biggest bang

OP's point is that the article on the iPhone definitely reads like this.


The iPhone article doesn't read like that, either. The news articles sensationalized it, but the PZ post didn't.

To me, the weird thing was that Google failed to mention that the hack was carried out by a nation state (China), and that it was narrowly targeted at China's often oppressed Muslim ethnic minority.

Google also failed to mention that Android and Windows had been targeted by China as well.

These omissions certainly leave me less sympathetic towards Google.


Right, no respect for the work and effort they put in. Arm chair critics being "less sympathetic".

I certainly lost respect for them.

If you want to discuss the exploit itself, that's great.

If you are going to bring how it is targeted into the discussion, there is simply no excuse for leaving out the fact that this is a narrowly targeted attack from a nation state adversary who is also actively targeting your own devices.

I don't know if their motivation was to harm a competitor or to avoid annoying China while you are hoping to resume doing business there, but they certainly left themselves open to both interpretations.

If you don't intend to tell the truth, then it's better to avoid bringing up the topic altogether.


So it's okay to not tell the world about the exploit in the first place? If Apple posted this against Google you wouldn't say a word. You'd just be happy for Google to get bad press no matter what they do. This post made the world's iOS devices more secure. Have fun countering that in your head with "but but HN says Google is bad..."

Completely agreed. Security is a collaborative endeavor. Project Zero was not accusatory and did not over-hype the scope of the vulnerability.

Project Zero is an amazing team that has only helped the state of security worldwide. Apple's defensive and accusatory response makes zero sense and goes against the very spirit of security today.



https://googleprojectzero.blogspot.com/2017/04/over-air-expl...

They have no problem covering Android bugs, they just don't write about bugs they didn't find.


That just seems too super convenient to me. Why would they not be laser focused on Android bugs?

I suspect they are, but backchannel them to the development team, versus airing them.


They're some of the top security researchers in the world and are given autonomy is why. Which is what the security community has settled on being the right incentive structure when optimizing for end user security.

In the case of these recent iOS bugs, they didn't "air them" until after the fix was released. So any "back channel", if you could call it that, seems to exist for Apple too.

>ZDI's Wednesday post said researchers notified Google of the vulnerability in mid-March and that by the end of June, the company had confirmed that the flaw would be fixed. When ZDI asked Google for an update last month, Google responded there would be no further updates. Google released the Android Security Bulletin for September on Tuesday, and the flaw still wasn't fixed. Google didn't respond to a request for comment.

If that's true, that's interesting. Because there have been cases where vendors have asked Google for more time to vet a fix that was going to lapse the responsible disclosure's window and Google (or perhaps more specifically, Project Zero) wouldn't allow it. Mid-March to end of June is a bit over 90 days at my estimation (depending on specific dates, obviously) and yet by September nothing and no updates.

The ZDI disclosure is rather vague, but I suspect this is a vendor-specific vulnerability and the speculation otherwise in the Ars Technica article is just wrong. There is no single "v4l2 driver" used across all of Android - every device has its own v4l2 driver with its own implementation of the userland-facing v4l2 APIs, and vendors being what they are some of them are of pretty poor quality.

The general population of iPhone owners don't have the technical knowledge to understand the nuance of the actual vulnerability and exploit, so for many of them it probably wasn't a "neutral event". The subject of the article does come off as a bit defensive - though much less so than it could've - but I understand why they felt the need to tell their side of the story.

I mean, it is by definition defensive. They're pushing back against some of P0's claims.

Project Zero (whether it's housed at Google or not) has a vested interest in making their detections as newsworthy as possible. Apple has a vested interest in downplaying those claims as much as possible.


Edit: This article points out that some of Apple's wording wasn't as good-faith as it may've seemed: https://www.theverge.com/2019/9/6/20853393/apple-iphone-ios-...

While I do admit that I agree with a few of those points, the Verge isn't exactly reporting in good-faith either, IMO. They are very biased against Apple, for whatever reason.

I had only seen the headlines, but I learned new facts from this personally. So in that way it was effective. That said, I agree with you that Apple should be THANKING Google for bringing potential issues to them (no matter the intent behind it, even if in this specific case they already were aware of it).

I'm sure they thanked in private, but once you start going to press with false information the good will is dead. The fact of the matter is that while Project Zero might be good for the general population, it's most good for Google, who stands to gain from bad press of their competitors.

What I'm suggesting is that it scares me a bit, as an Apple user, to see Apple acting in such a hostile way PUBLICLY to a party letting them know about a security issue. I understand where they're coming from -- as I said, I also found the facts in their message useful for understanding the situation. The original headlines gave me a very different impression than what the facts seem to indicate happened.

But as a PR piece, which is what this was, Apple needs to keep in mind that they want to project how much they ENCOURAGE folks reporting security issues to them. Sounding defensive is not helpful to them in that regard.

Not everybody is Google. Will the next person be scared to report their findings because they think Apple will come after them rather than be appreciative simply because they don't approve of how it was framed? I'm not suggesting this is easy, only that as a PR matter it's probably best for Apple to take the high road even when their competition is being unfair.

Correct falsehoods, yes, but the tone was off here.


Apple credits people who report vulnerabilities after every update. There are no public comments from Apple aside from those routine acknowledgements.

Apple patched this within days of finding out about it. This press release is about everything other than the strictly business aspect of reporting and fixing a flaw.


What information in the P0 blog posts on this topic was false or misleading? I read Apple's response, then I read the P0 blog post, but I don't see anything in Apple's response that actually rebuts anything that the P0 blog post said about this vulnerability.

Apple says "Google’s post ... creates the false impression of 'mass exploitation' to 'monitor the private activities of entire populations in real time,'". But Google's post doesn't do that. Those sentences occur late in the blog post, and aim to educate about the risks posed by software vulnerabilities in general, not these specific vulns. That is abundantly clear from the text. The only way to get the impression that Google was doing otherwise is to merely skim the post.

It seems like Apple is mostly annoyed that the press latched on to this, although honestly I question how much it matters since nobody seems to pay any lasting attention to these types of stories anyway.


Timeline, Google said 2 years, Apple said 2 months.

2 months for those particular websites. There's a difference between the timeline that a vulnerability existed, and the timeline of a specific known usage of them. Apple is trying to confuse the two.

If I discover a security hole that's been present in Windows for 10 years, but only know of an active usage of it say, in the Ukraine by Russia, I'm going to say that the vulnerability is 10 years, not 2 months. 10 years is the length of time you could have been exposed. 2 months, Ukraine, tells you how much more likely you were in danger for that location.

But you should not act as if the vulnerability existing for 10 years didn't affect you, because you don't know about how many other people were using it.


I think the point being made here is why are both numbers not disclosed, and only one was?

I think both the time the bug existed and the relevant timeframe of known exploits should be part of a responsible security disclosure.

Omitting either one is a disservice to users.


What fact was false in the P0 article? Apple is downplaying the severity of hacking thousands of people a day and sending them to concentration camps as a result.

I'm going to guess the Project Zero article pissed some people off at Apple in a major way, because Apple is right that the headline and the content of the article vastly overstated several aspects about the vulnerabilities. The impression most people would come away with after seeing the headline and skimming the Project Zero article is that most iPhones have been compromised for years. That is emphatically untrue, and so I think it's reasonable for Apple to take a strong tone with this message.

Your assessment is based on a feeling of doubt derived from behavioral cues rather than an objective analysis of the available facts. You have better information now because of this statement from Apple; there is no rationale for thinking less of Apple because of this.

They are in a no-win position and keeping silent is worse.

Android security has always been a bit of a contradiction of terms, and while Google has improved the OS, the combination of limited availability of upgrades due to carrier nonsense and the state of apps on the platform. An Android zeroday isn’t news.

The iOS defects are particularly jarring as they have been rare to date.


Apple uses the same carriers as Google. The poor state of Android updates is no one’s fault but Google’s.

No matter where I buy my Windows PC from, my upgrades come from Microsoft. In fact, I have an ancient Mac Mini that can still receive Windows 7 updates.


> The poor state of Android updates is no one’s fault but Google’s.

I don't know if I would go that far. That problem comes from the way Android is organized. It's open, and it invites third party involvement. That in turn makes it nearly impossible for Google to control the OS lifecycle. You can argue that they should have kept it closed, like Apple. But if that were the case, they'd be in even worse anti-trust waters than they already are with the device.

More likely, they'd simply have failed. They had the software know how, but in no way had the expertise to build out a new type of device. It seems unlikely anyone else could have bankrolled a realistic challenge to Apple's dominance. So we would probably be in a situation where there was iPhone, and a bunch of shit phones from random manufacturers.

In light of all that, I think Google made the best decision possible. Maybe that's what you mean -- that Google made a good decision and that, despite that good decision, there are tradeoffs. But to me it sounds like you think Google failed in some way by making the choices that have led us to the current state of affairs w.r.t. updates. I don't think that's a fair read on the subject. At least, when I see someone doing the best they can, and there are flawed aspects to the performance, I don't say, "It's nobody's fault but yours that there's a flaw in this work." I would phrase it differently.


It seems unlikely anyone else could have bankrolled a realistic challenge to Apple's dominance. So we would probably be in a situation where there was iPhone, and a bunch of shit phones from random manufacturers.

It would have obviously been Microsoft. They already had a mobile operating system and companies would have had no choice but to use it.

But if that were the case, they'd be in even worse anti-trust waters than they already are with the device.

Microsoft never got in trouble for having a closed operating system. And despite all of Rubin’s BS about the “definition of open”, everything that makes Android, Android outside of China is closed source and controlled by Google.


They weren't referring to the networks themselves. Carriers release (or work with manufacturers to release) versions of phones with a bunch of custom stuff added onto a vanilla Android OS. When Google releases a new OS or an important security fix to Android, carriers need to merge this stuff in with all of their custom stuff, assuming that they still care to do so and support that device. As a result, phones running Android can fall years behind on patches.

The phones sold by Apple don't have this problem. The phones sold by Google also don't have this problem. But the phones sold by carriers but running Google's OS have this problem. Phones sold by carriers but running Apple's OS would also have this problem, but Apple doesn't let anyone else sell phones with their OS.

The difference between your computer's patches and your phone's patches is that you are allowed to update your computer's operating system, but your phone has probably been carefully locked down by your carrier to prevent you being able to do this, which is very upsetting but that's a different matter.


Carriers release (or work with manufacturers to release) versions of phones with a bunch of custom stuff added onto a vanilla Android OS.

PC makers also put various crapware on phones and used to do shell replacements. That never stopped anyone from upgrading...

When Google releases a new OS or an important security fix to Android, carriers need to merge this stuff in with all of their custom stuff, assuming that they still care to do so and support that device. As a result, phones running Android can fall years behind on patches.

Microsoft also allowed various carrier changes to Windows Phones but they could still offer upgrades across devices.

Phones sold by carriers but running Apple's OS would also have this problem, but Apple doesn't let anyone else sell phones with their OS.

Microsoft has had a vibrant ecosystem of third parties selling PCs running its OS for decades. The entire idea behind WinHec and Plug and Play in the mid 90s was to solve this very problem. The issue is that either Google doesn’t know how to properly run a platform or didn’t make it a priority. You see that Google can architect a system where Google Play Services can be updated across manufacturers. They care enough to keep their spying mechanism updated.

The difference between your computer's patches and your phone's patches is that you are allowed to update your computer's operating system, but your phone has probably been carefully locked down by your carrier to prevent you being able to do this, which is very upsetting but that's a different matter.

That’s only because Apple wrested control from the carriers before any iPhone shipped to keep carrier crap off their phone and to keep control over its devices. Google never cared to. Android is just a badly architected system in this regard. Microsoft solved this problem two decades ago.


> Microsoft also allowed various carrier changes to Windows Phones but they could still offer upgrades across devices.

They definitely didn't update phones quickly when exploits were found for IE and Windows got a security update.

We had some test Windows Phone/Mobile devices at work, and the cheaper models didn't really get upgrades. I would also guess if you had 7.5/7.8 devices, they stopped getting updates? I'm sure some devices kept getting regular updates.

We also had a cheap 32GB Toshiba tablet, which couldn't upgrade Windows 10 because it lacked drive space (even though it had nothing apart from Windows installed on it - it was for testing touch on Windows browsers).


> Microsoft also allowed various carrier changes to Windows Phones but they could still offer upgrades across devices. ... Microsoft has had a vibrant ecosystem of third parties selling PCs running its OS for decades.

And for all that, they still failed to make a dent in the market. Partly, OEMs and carriers were not as interested in supporting Microsoft's offering precisely because of how they could not put their own stamp on it. In many ways, Microsoft's offering was better on the fundamentals than Android's. So why didn't it succeed? Perhaps because of the very features you are praising.

The only reason Apple was even able to pull it off was because of their first mover advantage, combined with their extreme consumer appeal. Their phones were so much better than anything that was available at the time, but even with all that, they had to enter into an exclusive contract with AT&T for the first couple of years in order to get the control they wanted. Only after they had established a foothold were they able to say "no" to carrier and OEM customization. If they had been second to market, like Android, it's hard to picture them having that level of control and leverage.


It's honestly surprising that people still continue to insist that anyone but Google is responsible for the current state of affairs. It's completely because of Google's business incentives. Google's pivot, from a Blackberry clone to an iPhone clone, was about quickly obtaining market share. That meant ceding control to OEMs and carriers so they could effectively market devices against the iPhone.

Microsoft didn't lose because of those things (it shows how much better they are at being a platform company that they didn't repeat Google's mistakes), they lost solely because Android was free to OEMs. That's entirely a business model question.


This is not what Zerodium says[1]. They claim, and are backing it up with millions of dollars, that current Android exploits are more valuable than current iOS, because of a large supply of iOS issues.

[1]: https://www.wired.com/story/android-zero-day-more-than-ios-z...


In the article they discuss that it’s likely a publicity stunt.

0dium's actual prices are likely a publicity stunt, but it says quite clearly, citing several different, independent sources, that attacks against a fully patched Android system are now worth more than the equivalent attack against a fully patched iOS machine. That is in part because Android has hardened up recently, Safari and iMessage in particular are highly vulnerable, and also because there was more money recently in iOS and so there was more attention on it.

To a certain extent, of course, attacks against Android outside of flagship Samsung and Google phones are much cheaper- look at any patchset and attack, and given that 30+% of the Android user base is on Nougat/Oreo and 10% is on Kitkat or earlier as a whole they are far more exposed.


No, it says they might be trying to influence market prices. Another researcher quoted in the article confirms that the market price for an exploit of a high end Android device is 30% more than an equivalent iOS exploit and gives Safari's poor security as the reason. Despite Safari having such a large attack surface, iOS cannot update it without a reboot, which only exacerbates the problem.

I'm very glad they published it because up until now I have been fretting over whether my phone was affected and whether I needed to reset every password in my keychain. As far as I knew until now, all iPhone users were at risk and Apple had secretly patched the affected devices without notifying anyone. I'm glad that doesn't appear to be the case.

Seems to me that they felt they had to respond to FUD reporting such as https://www.zdnet.com/article/apple-has-let-down-every-iphon...

To me it does the opposite. It shows that Apple communicates and cares about security for their users. I don't see how them addressing and responding to Google's claims makes them appear in a worse light. To each his own I guess.

I think they are fighting the sensational headlines and poorly researched mass media articles, not the original Project Zero post.

There were subtle jabs at Apple in the original post.

What in the post did you consider to be "jabs"? Nothing read that way to me.

> a combination that does not make me sympathetic towards Apple

Apple does not want sympathy and is not concerned with what someone in the tech community with advanced knowledge (and opinions) think. They are concerned with what is thought of them in the broader community that they sell to and that buy their products. This was the right thing to do. To point out what they could to clear up the issue.

> When Google posted the Project Zero articles, that did not impact my view of Apple in any way. However this press piece affects my view of Apple negatively, so from my perspective this press article has turned a more or less neutral event into one that is negative.

The vast majority of Apple customers not only don't know what Project Zero is or does but don't care. What they do care about is what is written in the mainstream media about Apple. And what the mainstream media digs up to stoke fear in order to continue to sell advertising.

Apple did the right thing here. I was glad to read this info. I have been using Apple products since the 80's and computers prior to that (mainframes in college).


I know. What Apple should do is setup a crack privacy team to expose and publish all the ways the Android platform allows Google and third parties to collect data and generally invade privacy.

Pretty sure the P0 team would love that. And maybe Microsoft spins up their own team.

That would be fantastic for all involved.


Microsoft does already, it's the MSRC, but they take a different approach to disclosure: https://www.microsoft.com/en-us/msrc/cvd

They should, everyone would benefit.

Google has very conveniently used Project Zero to target its competitors, while omitting key facts about itself.

It's to assure government and enterprise customers that iOS is a secure platform and they need not worry.

> What is Apple trying to gain by publishing this article?

John Gruber's take:

> Reading between the lines here, what Apple is pushing back on is the fact that Google’s report on this attack against the Uyghur [1] community only mentioned iOS. Coverage of Google’s report created the impression that only iOS users were hacked, when in fact, the Chinese government also exploited Windows and Android users, [2] and that these exploits may have been targeting people everywhere.

* https://daringfireball.net/linked/2019/09/06/apple-pushes-ba...

Though he does also comment:

> Conspicuously unmentioned in Apple’s response: “China”.


China was also conspicuously unmentioned in Google's / P0's original disclosure

:P


The tone is matter of fact to me.

Not only that, but it comes across as downplaying the incident because it "just affected Uyghurs"

I agree! It felt like reading a (less egregious version of a) Trump denial, with the same impact -- no one cared before, but now it's a thing.

As sibling points out though, we may just not be the target audience.


They’re trying to refute false information and unwarranted insinuations, and share factual context. It seems to me like this is all relevant information.

I totally agree with your reading of the tone and I was kind of floored by it. To me, it seems that there must have been a tempest about it that I (we) missed.

What I mean is that it's extremely reactive, accusatory, and defensive, but in response to something that we aren't seeing. It can make sense if someone was running a huge news story about it, that we're just not in the audience for.


I feel part of this is Google published a very large article about the iOS vulnerabilities, but did not do the same for the Android and Windows attacks that were also reported - just not by Google.

Given Google has already gone down the "use our security posts to discuss competitors bugs but not our own", it seems entirely reasonable for other companies to start treating the PZ blog as a marketing tool.


> Given Google has already gone down the "use our security posts to discuss competitors bugs but not our own"

Project Zero finds and publishes bugs for most major platforms. Just look through their archives: https://googleprojectzero.blogspot.com


How many Google bugs have received the same volume of exposition as this Apple bug?


Now see if any of those were reported in the mass media. Not The Verge. Not Vice. No tech publications. Front page of BBC news, The Washington Post, NY Times, etc.

That is not PZs problem.

The OP was using examples from PZ as a rebuttal to the GP asking if any Google products got widespread coverage. The provided links are completely and utterly irrelevant. Your average commuter was reading about how terribly insecure iOS is based on PZs report being sensationalised in the media at large. The “tech” journalists write based on these articles, therefore PZ need to lay out all the facts.

PZ posts on its blog. What gets picked up by other media as news is not their mandate.

It is when they submitted the Apple releases to all these venues the day Apple's keynote invites dropped.

Make up stories to prove your point.

Independent security researchers are comparing this to the "Aurora" hack of Google[1].

While that was undoubtedly of a larger scope, it was also the event that led to the creation of P0, so it would make sense that this gets more exposure than your average bug report. Most security bugs aren't multi-exploit zero-day chains found in the wild being currently used to oppress people by a state actor.

[1]: https://twitter.com/alexstamos/status/1170064458003054594


To be fair, this is a highly unusual situation, with long chains of interesting and complex vulnerabilities and multiple zero-days against probably the most scrutinized consumer device currently.

Most Google bugs are… much less interesting.


Yet this very large post detailed only the iOS vulnerabilities in the "large scale untargeted attack" that also had android and windows vulnerabilities.

It does not take a genius to read that article and realize that the omission of the other targeted platforms was intentional.


They dropped five 0-day web chains against a platform where this was largely unheard of. I think this is significant enough for a blog post. FYI, Project Zero mentions when other bugs they find were found being exploited: https://googleprojectzero.blogspot.com/search?q=in+the+wild

Frankly, it does feel like they publish more heavily on non-Google products. Which isn't to say that they don't publish many articles on Android and Chrome and other core Google things, but just look down that list and you'll see many many more iOS/Windows articles than Google ones.

You can interpret this many ways. Maybe they're casually discouraged from publicly talking about threats against Google software. Maybe competitors' software is just more vulnerable. Maybe the team shifts focuses every once in a while, and in 2019 they've just been on a real Apple/Microsoft kick. I don't know.

My general position is: Google The Company has done nothing at all to deserve the public's trust and good intentions, and I don't see why that position shouldn't extend to the Project Zero team. It's a garbage company, and the publications from the very talented and dedicated people on that team may be better interpreted in a more unbiased environment where we don't have to constantly be raising questions like "are they unfairly focusing on competitors' products" or "are they giving internal teams the same time to remediate that they give competitors"?


It's a "garbage company". Yeah right. Go outside your bubble and travel a little. See how many people's lives have changed due to Google.

PZ has regularly posted against its own (Google) bugs.

If I found a bug in your code and told you about it (responsible disclosure style), watched you fix it, help you validate that it was fixed, and then write a blog post about it that would be pretty predictable and reasonable.

But waiting 6 months? To release an embellished piece about a non-exploitable bug that was patched 6 months earlier?

2 WEEKS before Apple unveils the iPhone 11 no less. And you all STILL downvote me when I post about how I believe PZ is a clandestine group of hackers paid to dig up zero-days on competing products so competitors can get bug-doxxed days before large/important events.


Apple has done its best to secure customer privacy not only from bad actors and the government, but even from Apple itself, something that is certainly not true of Google. Apple went to the mat to protect its customers from the FBI. That earns <3 from me. Do I think Google would look out for me like that? Hahah, no, I do not think so.

Does this mean these vulnerabilities were not real and serious? Not at all. But Apple took them seriously and reacted quickly. Nobody's perfect, but they deserve a lot of credit for their hard work on security.


> Apple went to the mat to protect its customers from the FBI. That earns <3 from me. Do I think Google would look out for me like that? Hahah, no, I do not think so.

Google literally led the charge on pushing back & publishing government data requests and Google is almost entirely why it's legal to disclose ranges of FISA and NSL requests in the first place. They've been doing transparency reports on this for years, far longer than Apple.

There's a lot you can complain about with Google. But this isn't one of them.


No dog in this race really, I'm pretty much against all of big tech on privacy grounds.

That said, I have to say that from my perspective, it seems pretty clear that Apple is light years ahead of Google where privacy and security are concerned.

I try never to even touch Google properties or products, because it's tantamount to making whatever information you provide to that service public. That's kind of how I think about it. Everything I put into google maps, google apps, gmail, whatever, will be open for the entire world to see at some point. Either a leak by google, or google shares with someone who gets hacked, or maybe through a court case where stuff from 10 years ago pops up in court records or whatever. I mean, if that doesn't happen, great. If it does though, no biggie, I behaved as if it would happen from day one.

Of all the dangerous big tech companies out there, Google and Facebook are, to my mind, unquestionably the most dangerous. And by far the biggest threats to the privacy and security of the average person.


> Apple is light years ahead of Google where privacy and security are concerned.

Privacy I'd agree, but security? Apple's security track record is straight up hot garbage. Their cloud security is a complete joke (iCloud has been hacked how many times now?). Google's cloud security meanwhile has a stellar record. Outside of cloud yeah Apple has lots of security buzzwords, but they still are repeatedly hacked. We are, after all, talking about a post where 5 different 0-days were actively exploited on iOS. And just about every release of iOS has had critical escalation vulnerabilities (aka, jailbreaks) - such as the CoreTrust bypass exploit in iOS 12 ( https://gist.github.com/pwn20wndstuff/a57b213a6f8c75cb3b9a8c... )

Android has an update problem, but between all the hardening that's been done there (such as extensive selinux policies) it's pretty fucking solid, and is backing that up with results.


>iCloud has been hacked how many times now?

The platform itself has not been hacked, so I'm not sure what you're trying to say here. All the "hacks" against iCloud have been social engineering and/or user exploits. I don't see how users re-using passwords across sites or using weak passwords makes iCloud security a joke. Some of the impetus has to fall on users to be responsible for their own data.


> All the "hacks" against iCloud have been social engineering

Which would be a strike against Apple...

> I don't see how users re-using passwords across sites or using weak passwords makes iCloud security a joke.

Logins from new locations are the type of thing other cloud services (like Google or Facebook) protect against by requiring a challenge to proceed even if 2-factor is not enabled.

iCloud only working when the user holds it properly is a very Apple-esque thing, but also still bad. Particularly their 2FA is pretty bad and can be easily bypassed. Because, you know, that good UX flow is preferred to actual security.


Back when Chrome was based on WebKit, IIRC Chrome team found and fixed oodles and oodles of bugs in WebKit, because WebKit wasn't even using fuzzing, or not enough fuzzing. Even as late as 2017, fuzzing was still finding significantly more security issues in Safari than other browsers: https://www.securityweek.com/fuzzing-reveals-over-30-web-bro...

Also, when discussing iCloud, you need to distinguish between the backend service, and the frontend service. There have been significant CVEs found in the front-end client. Apple doesn't run many front end Web services, so there's less to exploit. They also don't allow you to host executable code like AWS, Azure, and GCP, so the attack surface is much more confined.

That Google has exposed their infrastructure to the unforgiving nature of the Web for 2 decades, with exploits few and far between, is a testament to the quality of the security engineers.

The most secure device on the planet, isn't iOS, it's Chromebooks. Look at the defense-in-depth used on Chromebooks to isolate execution: https://www.youtube.com/watch?v=pRlh8LX4kQI


> The platform itself has not been hacked

Not true. For example, an unintentional backdoor allowed hackers to dump all your data from iCloud, bypassing the 2-factor authentication.

This was live for 2-3 years before the Hollywood hacks finally made Apple fix it.


Oh come on man. Are we really saying that Android has no security issues?

I'm gonna do you a favor and just not talk about how naive and fanboy-like that statement was man.

And google cloud's security, I assume you mean the AWS competitor, is being compared to iCloud social engineering hacks? Uh, yeah, I mean, since iCloud is consumer level, no surprises there. As far as consumer level offerings, hey, Google already has the location or whatever other data, so they can already use it to try to sell you cheap plastic Oklahoma City Thunder dart boards or whatever. Your privacy and security are violated every time it happens.

Maybe I'm just being too fundamentalist in my view? But that's just how I see it. Every time an entity uses my data for something I did not intend, it is a security and privacy violation. Google's entire business model is literally built on violating both, which is why I avoid their products like the Plague.


> iCloud has been hacked how many times now?

Zero.

Phishing exploits managed to get targeted users' passwords. That's what the Celebrity iCloud leak was all about.


> Apple went to the mat to protect its customers from the FBI. That earns <3 from me. Do I think Google would look out for me like that? Hahah, no, I do not think so.

They implemented countermeasures on their devices to prevent the exact situation where the FBI would compel them to produce a signed, backdoored firmware like they wanted Apple to do after San Bernardino.

https://android-developers.googleblog.com/2018/05/insider-at...

Unless you have the device's passcode, you can't update the firmware that deals with passcode checking, unless you wipe the data.


If this works as described and there are no tricks (such as Google changing your account password from their servers to a known password and then logging in), then that is a great step in the right direction.

A very important next step would be to make this a required feature for all handset developers who wish to use Google services such as the Play Store. As long as it's a niche feature only used on the Pixel, it's more of a good gesture than a substantive benefit for users.


> Do I think Google would look out for me like that? Hahah, no, I do not think so.

This article is literally about things that Google's Project Zero did which were for your benefit.


I appreciate the good things Google does for me; they are many. But I don't think protecting my privacy, much less securing my data even from themselves, is their priority.

Funnily, I don't think there is any other company that protects users' private data better than Google. Not the military, not Apple, none of them comes close to it.

Google are good at preventing people hacking their servers, but they also broadcast your private data to thousands of third parties every time you open a webpage. Facebook and Google's approach to data security is lock it down so only they and their partners can access it. It does nothing for your privacy.

What are you talking about? Google neither sends nor sells any of your data to "third parties". I don't know why people parrot this nonsense.

It's not nonsense, it's a standard part of adtech: https://brave.com/adtech-data-breach-complaint/

Google gave an ID to these third parties. iOS does the same with its IDFA.

Far from just an ID.

Then what?

Project Zero is no charity.

> Apple has done its best to secure customer privacy... That earns <3 from me. Do I think Google would look out for me like that? Hahah, no, I do not think so.

Both Apple and Google are NSA's PRISM partners, Hahah. It's amazing how short some people's memories are.


Apple and Google had no interaction with PRISM. Read the slides.

> Apple has done its best to secure customer privacy not only from bad actors and the government

Apple's marketing people would like you to believe that. In actual fact, only Apple has handed over the data of its iCloud and iMessage users wholesale to the Chinese government. Not Facebook. Not Google.

https://www.amnesty.org/en/latest/news/2018/03/apple-privacy...

> Do I think Google would look out for me like that?

Google has done this repeatedly according to its transparency reports. The only difference is that Apple lied to its customers that it was "not technically feasible" to comply with data requests and then silently removed that claim after the FBI showed that to be false.

https://slate.com/technology/2014/09/if-you-use-a-passcode-i...

If you want more lies that magically disappear, Apple is more than happy to comply. More recently, Tim Cook posted, “We have also never allowed access to our servers.

“And we never will.”

That's gone too after the China collaboration, with "our servers" replaced by "Apple servers." Maybe technically the servers that Apple set up in China are not "Apple servers" and instead Guizhou servers, but that is not a useful distinction to the users whose data is now freely accessible by the CPC, and so Apple deceives its users with a wording change without any announcement of policy change or any apologies.

https://www.sfchronicle.com/news/article/Battle-with-FBI-rev...


Apple will and did surrender iCloud data to LE, so would Google. They refused to unlock the device or implement a backdoor in the future, which I believe is not a feature any other vendor has implemented. And let's not forget that the device Apple was so eager to protect belonged to an already dead terrorist; as far as the average user is concerned, that was a PR stunt.

Apple wasn't eager to protect the device of a terrorist. They were eager to protect everyone's devices. Opening up access to "the terrorist's" device would open up that access to every device. I, personally, think they made absolutely the right call.

Honestly, I really dislike Apple's recent policy of publishing "statements" for everything that ends up in the press. They did it for the Bloomberg article, and that was fine, but the one against Spotify and this one sound whiny and more importantly they fail to address the actual issues being brought up. It's just a bad look.

Is this a recent policy? "Thoughts on Flash" was undersigned by Steve Jobs himself.

That's the only one that I can think of that compares. Apple wasn't publishing those three times a year, though.

And before that “Thoughts on Music” in 2007.

Those were more "here's why this technology sucks and we're not going to use it", less "Company XYZ made us look bad, here's OUR side of the story."

The trigger was that Adobe was whining to the press and badmouthing Apple regarding Flash.

I'm the opposite. I really like it, and I don't even really like Apple.

Companies like Spotify piss me off immensely in the way they lie and whine publicly, pretending like they are some cool startup who cares about users or artists or some other causes. Google does the same thing, hiding behind their phony "do no evil" motto. It's something about how two-faced tech companies have become.

Apple is arrogant. They always have been. This is just them being who they are, instead of pretending like they are something they aren't. I actually find it refreshing. I wish Spotify would be that honest.


I really enjoy it, when Apple reacts in anger to a hit-piece, like with Spotify, it makes them seem almost human in their response and it’s exactly how I may react if someone were to roast me in the group chat.

Granted, CEOs individually making angry statements in the heat of the moment is nothing new, but when Apple publish statements like this it really makes it appear as though the entire company feels this way (at least in the executive).


Let’s see. If Google finds a vulnerability in iOS, Apple patches the vulnerability and it’s patched for at least all iOS users on the current OS; as of right now, that’s all phones dating back to 2013.

But Apple has also within the past three months released an update for phones back to the iPhone 4s released in 2011.

If Google finds a vulnerability in Android, what percentage of the phones would actually receive the patch?


> But Apple has also within the past three months released an update for phones back to the iPhone 4s released in 2011.

Note that these were fixes for GPS rollover issues, and not security bugs: https://support.apple.com/en-us/HT210239


> If Google finds a vulnerability in Android, what percentage of the phones would actually receive the patch?

100% of the vendors that have solid updates in their pipeline.

That means: all Google flagship phones and tablets. A lot of phones from companies that take updates seriously.

But also: hardly any planned-obsolescence phones. And also hardly any phones that ship with a FUBAR Android "theme/skin/variant".

The latter is, by definition of Open Source, out of Google's control.


> That means: all Google flagship phones and tablets. A lot of phones from companies that take updates serious.

It’s estimated that Google sells at most 2.5 million phones a year and has 0.2% market share of the Android market. Where are all these other companies that “take updates seriously”? How many Android phones still get updated after 2 years? 3 years? 4 years?

Think that’s too much to ask for? I bought an iPhone 6s in 2015 and my son is still using it, it’s running the latest OS, and according to many benchmarks it was faster in single core performance than high end phones released last year. It’s still faster than most midrange phones.

> The latter is, by definition of Open Source, out of Google's control.

Google has plenty of control over any Android phone that runs Google Play Services. In fact, it has so much control that it had to pay a fine and is under a consent decree with the EU about forcing anti competitive conditions on Android manufacturers.


So, none of the vendors except Google and Nokia: https://www.theverge.com/2019/9/4/20847758/google-android-up...

All of Google's phones. Why would you expect them to patch other companies' devices? When Redhat fixes a security vulnerability in Linux, they don't manage how those updates get to Linksys's routers.

For a messaging app vulnerability like this, those devices would get a fix automatically without a reboot and without the user even noticing, which iOS still can't manage to do.


>All of Google's phones.

I have a Nexus 6P I got in 2016 running stock Android, never rooted or unlocked. Android version: 8.1.0 Android security patch level: December 5, 2018.

No updates available as of posting this comment.


You are outside the three-year patch window that was explained when you purchased the device. No iPhone 3G is going to get patches either, nor a RHEL version that has reached EOL.

No but the iPhone 5s from 2013 does. Apple’s mobile processor performance increased a lot during the first five years and went 64 bit.

And the iPhone 4 does not. The point is that every phone eventually stops updating. Unfortunately for iPhones, they update poorly even when they have updates, requiring a reboot to patch highly vulnerable apps like the browser or messaging. If you care about security updates, the best option by far is upgrading to a new fast-updating Android phone every two years.

So it’s worse to have a reboot to patch than none at all....

You will never have no patch at all if you upgrade to a new phone regularly as I recommended. It is better to have a patch that doesn't require reboots like an Android browser patch than it is to have a patch that requires a reboot like an iOS browser patch than it is to not have a patch like an old iPhone or Android.

So you should buy new phones to avoid clicking on “yes” when it asks you whether you want to upgrade “later on tonight” and enter your security code?

Yes. Better to upgrade immediately without any action than "later tonight" with a security code.

Who gives a shit about having to reboot their phone?

The people who leave their devices vulnerable instead of rebooting. Why not require a reboot for updating any app then?

Look, I get it. You spent hundreds of dollars on something, and want to feel good about it. On the particular issue of security updates though, it is a poor choice.


Way to build a strawman.

What strawman? Am I arguing a point other than updates? I merely gave a motivation for why GGP ignores the obvious update failures of iOS.

By claiming that my argument is a strawman, you are yourself strawmanning.


It’s a strawman because it’s an absurd notion. Much like your tu quoque. You are actually claiming that iOS is inherently insecure because firmware updates require a reboot. You are actually claiming that end users don’t upgrade because of this?! It’s absurd, not to say obtuse. I’m a huge fan of radical candor, so at the risk of reproach, what a stupid hypothesis!

I'm saying that iOS is insecure because it requires reboots for updating your browser. Remember when Windows required that? I have seen plenty of people with reboot notifications on their phone that they ignore for days or even weeks at a time, so no, it is not absurd.

Also, you should familiarize yourself with the definition of strawman. It is not a synonym for absurd.


I know perfectly well what a straw man is and your post is a classic example. You've deliberately and intentionally misrepresented the proposition that iOS is inherently insecure because updates require a reboot. It isn't. It is a stupid position to take, and seeing as I do not believe for a second that you as an individual are stupid, I can only assume that you're doing it deliberately to get one over on "fanboys". Please stop with your absurd propositions and stop being obtuse.

A strawman is misrepresenting the other person's argument. It is not stating falsehoods in general. Now that we have increased your vocabulary....

> iOS is inherently insecure because updates require a reboot. It isn't.

And why not? When applications with many dangerous exploits like iMessage and Safari require reboots to update, this puts users at risk. I already told you that I have seen people delay updates because they don't want to reboot, and I find it hard to believe that you haven't seen this behavior as well.


"iOS security is unmatched because we take end-to-end responsibility for the security of our hardware and software."

Good stuff


Definitely highlighting their approach vs Google's.

Project Zero's whole brief is "end to end security" even outside of Google's corporate borders.

As long as it's not involving Google itself I would add....

Then you'd be mistaken, because Project Zero has covered both Android and Chrome vulnerabilities.

And lots of Windows exploits.

Google engineers basically fuzzed all vulnerabilities out of Microsoft's font rendering system for free.


> When Google approached us, we were already in the process of fixing the exploited bugs.

If Apple already knew about the flaw, then why did they never notify those affected?


Who was affected? The flaw was distributed through a website. They can infer from the contents of the website who was the likely target audience, but they don't know who visited the website and got hacked.

The content and tone of the article gave me the impression that they believe they know the scope of exploited devices. This implies knowing something about which devices were exploited or at the very least which subset of devices were vulnerable where the majority weren't.

> attack was narrowly focused, not a broad-based exploit of iPhones “en masse”

> “mass exploitation” ... This was never the case.

If they don't, then they really shouldn't be making claims that the exploit wasn't widespread. They really don't know one way or the other. Otherwise, they could have notified those that were vulnerable / exploited.

Unless they had a way to test if a phone had been hacked and distributed that along with the patch. It's quite possible that they had pretty good telemetry on the extent of the exploit.

I agree that they should have told those who were affected, but perhaps they did?


> It's quite possible that they had pretty good telemetry on the extent of the exploit.

Why would they? This is Apple, one of their selling points is how they don't have fingers in your phone


There are a ton of places in iOS that report back to Apple. When you first set up the phone it asks if you want to "share your usage". You also agree to let them have stats on how long you use each app as part of the App Store agreement.

Apple's selling point is that they don't make money selling your private data (or transitive access to it) to third parties, but they don't make any claims about not doing it themselves.

I don't see anything that would preclude them from installing some telemetry for this specific attack. And I think it would be perfectly justified in the name of security too.


> I don't see anything that would preclude them from installing some telemetry for this specific attack.

Why can't an exploit just disable this?


Probably because it was a nation state actor that produces a lot of iPhones attacking a minority group.

A simple restart with an OS update would be sufficient for those affected, so no need to do anything extra, at least how I understood the exploit in question.

Did they know who was affected?

Very bold move for a global company like Apple to point fingers almost explicitly to China’s Xinjiang policy, which is also supported by 37 countries[1] worldwide.

[1] https://www.reuters.com/article/us-china-xinjiang-rights/chi...


> When Google approached us, we were already in the process of fixing the exploited bugs.

Wait, so Apple had already discovered the bugs / exploits before Project Zero disclosed them to Apple?


I call bullshit, maybe they found some of the issues in parallel, but it is obvious they did not have all of it and the scope of the problem. I am utterly disgusted by their tone as well.

Perhaps Apple have crash telemetry.

How does the sandboxing of applications compare on iOS and Android? Reading that iOS had trouble blocking applications from calling OS functions they weren't supposed to, plus they're running native code, not Java, seems to imply a security bug in an application is more severe on iOS than Android.

See the Whatsapp root exploit for an example.

Or are there additional protections in iOS, comparable to Android?



Also turns out the Whatsapp exploit didn't get root, just lived in the sandbox, with access to your microphone, camera, contacts, call log because you give it those permissions

> First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones “en masse” as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community.

Of course, being 0-days, this is speculation on Apple's part.

> When Google approached us, we were already in the process of fixing the exploited bugs.

This is an interesting twist: Apple apparently knew about these bugs prior to Google Project Zero's involvement? The media overhyped the vulnerabilities (as they normally do), but this statement seems like it's blaming Google for making a big deal of something that Apple supposedly didn't need help on. Not a good look for Apple to be throwing shade in a public statement :/


> The media overhyped the vulnerabilities

No, the media underhyped it. It's a remote code execution vulnerability that's triggered by visiting a website.


I'm not denying that they're serious vulnerabilities–made especially concerning because it looks like they're the work of a nation state against an ethnic minority–but headlines of "1 billion iPhones hacked" do not convey the issue accurately.

Right, probably. No one knows who else might have used it, though.

What's kind of sad is that this story was not used to enlighten the general population on how exactly the modern information security works (which can be reduced to "nothing is secure").


Which it can be. Especially because Apple's statement shows who the attacker was and who they were attacking. I mean if Trump used an attack like this to target Muslims people would be screaming their heads off about government overreach and violations of privacy. And that's essentially what happened here.

> headlines of "1 billion iPhones hacked"

That wasn't an actual headline though. You can find: "Google Warns 1 Billion Apple Users They May Have Been Attacked." Which is quite different and doesn't conform to your complaint as well.


That was a generic headline I condensed from the results of a quick search. Here's one that was the top result for me in DuckDuckGo: https://www.pymnts.com/apple/2019/google-says-billion-apple-...

So you created it, and then used its wording as the focus of your complaint. And your link has the same headline I referenced above, which is quite different in tone and implication.

I just read the article I linked a bit more closely, and it's worse than I thought: pretty much everything in it is wrong.

> The details of the exploits are being kept a secret

They are not.

> Four out of the six bugs can trigger a malicious code on an iOS device, and a user doesn’t even need to do anything. Simply sending the message to the phone will execute the code once a person opens and looks at the message.

No.

The article also fails to mention that the bugs targeted previous versions of iOS and have been fixed by Apple. And finally, the title makes it clear that "1B Apple users could be hacked", which is categorically false and much closer in meaning to my headline than yours.


Which to me is a big yawn because as long as we have JavaScript engines in our browsers this will probably be possible. Browsing websites is basically an RCE anyway.

The point of a browser's security model is to make it so that "remote code execution" does not mean "arbitrary remote code execution with elevated privileges".

If we really cared we'd only ship data and not code

That's assuming that parsers don't have bugs in them.

Code is data. There is no technical difference, only human interpretative models.

He's obviously talking about shipping only non-executable data.

Correct

Still, is there a difference? If there is a bug in the parser, trip it and what was once non-executable might be executable.

Yes. Without executable client side code you can't do things like heap spraying.

Oh, you totally can. You just have to do it by tricking the parser into doing it for you.

I remember having been able to jailbreak my iPhone 3GS for a period of time entirely through visiting a website and letting it exploit such vulnerabilities enough to perform the task. Searching for a related article, appears to have been possible on iOS 4.0/4.0.1:

https://www.cultofmac.com/53323/jailbreakme-2-0-jailbreaks-i...

Edit: I use ‘letting’ above loosely meaning that the specific website mentioned allowed the visitor to control whether the exploit was actually executed or not.


The original blog says this is a failure case for China, what went wrong specifically? Would this attack normally not be indexed/scraped by google?

Apple PR seems to be trying to muddle the 2 years that the attack was likely available, and the 2 months where these sites operated.


I do detect just a bit of snark in that press release although to be fair, no one likes to be called out on their mistakes.

Got a link to the original post and/or a good summary?

Original post: https://googleprojectzero.blogspot.com/2019/08/a-very-deep-d.... TL;DR: five web-based 0-days that Google saw being used in the wild for versions of iOS ranging from 10 to 12.

Security researchers have a culture of being both overly paranoid and sticking to just the facts and not actively trying to minimize.

It seems Apple doesn't want them to say "here are the exploits we found, and we found them on X websites, and estimate a few thousand visits per week", they appear to want them to say: "Only the Uighurs really need to worry. And by the way, it wasn't just us! They were going after Uighurs on Windows and Android too!"

Even if PZ added the "context" they seem to want, "just the Uighurs!", or "other platforms were attacked too", in what way does that actually diminish the fact that multiple 0-days with remote code execution on multiple OS versions were in the wild?

The fact that we have one case where a single geographic group was targeted does not mean that these exploits weren't being used elsewhere. Imagine there's a Windows 0-day and you're an IT admin, but the advisory says only Ukrainians were targeted by Russia. Does that mean you shouldn't go back and look at your logs to see if you've been exploited, rotate credentials, install new countermeasures, etc.?

Shouldn't iPhone users be encouraged to rotate passwords on non-2FA sites after a reboot for example? To me, Apple's response looks like damage control.

And why doesn't Apple have their own Project Zero that publishes deep dives on iOS/OSX vulnerabilities and would allow the press to have more context and not fly off the handle? Wouldn't it help to engender their development community and security researchers to be more active, by educating them on how these vulnerabilities typically work and how they're discovered, so more people can learn to spot them? It would make the claim "we already knew about these and were fixing them before other people discovered them" look better.


For some reason this reminds me of trump obsessively defending that hurricane tweet-- really a bad look for Apple.

I didn't follow this story beyond reading Google's deep dive on the bugs. So I'm curious about a few things. (Deep Dive: https://googleprojectzero.blogspot.com/2019/08/a-very-deep-d...)

The deep dive actively avoided mentioning information on who the targeted group(s) were. Was it later revealed who the targeted demographic was? Or did Apple just now reveal that information in this statement? It's a rather big piece of the puzzle. This attack being orchestrated by a nation-state was a strong possibility. Knowing that it was a targeted attack against the Uighur makes that case significantly stronger, and adds even darker tones to the story.

And then there's this bit from Apple's statement:

> all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not “two years” as Google implies

Interesting. So I re-checked Google's post and:

> This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years.

A week ago, I read that to mean that these exploits were being actively used for two years. Reading it today ... it still reads the same to me. I guess what it is actually supposed to say is that the exploits were developed over the course of two years; not that they were actively used for two years.

So that's definitely poor wording on Google's part. I wouldn't say it's nefariously worded, though. I think the author of the blog post was just trying to drive home the sophistication of the malicious group.

But I know that I certainly came away from Google's article thinking that the exploits were _active_ for two years, which is significantly more frightening. So it makes sense that Apple would want to rebut that point.


> Was it later revealed who the targeted demographic was?

It is speculation based on the list of targeted apps (listed in the implant teardown post).

> I guess what it is actually supposed to say is that the exploits were developed over the course of two years; not that they were actively used for two years.

I don't know what evidence Apple has, but Google definitely meant that it was exploited for two years: (from exploit chain 1 post)

> This exploit provides evidence that these exploit chains were likely written contemporaneously with their supported iOS versions; that is, the exploit techniques which were used suggest that this exploit was written around the time of iOS 10. This suggests that this group had a capability against a fully patched iPhone for at least two years.


The press found out that it was targeting Uighur Muslims in China a few days ago. I think the story about that got flagged off the front page of HN so you might have missed it.

Why don’t they write a blog post thanking Project Zero!

Why would they? Their post points out that Project Zero was incorrect in a few assumptions.

For reporting actively exploited vulnerabilities?
