Apple Disputes Some Details of Google's Project Zero Report on iOS Security Vulnerabilities [Updated]

[I7guy]

Its 8 months since the exploit was discovered Feb and its still September.

Its the opposite, understanding that every system has its zero day that could have been the end of it however Apple released their statement. In my opinion which I know you dont care about Apple just ridiculed itself.

This was patched in 12.1.4, as stated above. But sometimes it seems critics in the haste to get “the word” out, miss the facts.

 

[Lalatoon]

I think you are conflating security with privacy.

While I won't go so far as to claim that Apple's software is 100% secure, I think that most can agree that Apple has done a respectable job overall with iOS in particular and that it is far better than the vast majority of commercial OSes. Yes, there have been problems, but that’s to be expected. It’s not at all accurate to say or imply that iOS (or macOS) are any less secure than any other widely used operating systems.

That’s not to say Apple can’t or shouldn’t improve. Security is a constant game of whack-a-mole at the end of the day. They can and they should. But OSes are hard. Everyone knows this.

When it comes to privacy, however, I feel there is no contest. Apple does care more about user privacy moreso than other commercial OS providers and absolutely does more to protect and respect the privacy of its users. Sure, mistakes are absolutely made (as in the recent Siri fiasco), but as a whole, I find that Apple goes out of its way to protect users’ privacy even when it slows progress on software (again, see Siri). It’s easy to argue that this is easy for Apple since hardware is their main business, but who cares? The end result is the same. Increased respect for user privacy.

Security and privacy, while linked, are not the same. What happened was a security issue that was fixed in February (as of iOS 12.1.4), soon after Apple was made aware of it. What exactly are we arguing about again?

Privacy? Tell that to Apples China users.

Are you really that blind - Apple claims about privacy has double standard?

I dont know what we are arguing about too.. Your the one who comment on my post about Apple and China and here you are talking about something else. I am also lost.

 

[I7guy]

Privacy? Tell that to Apples China users.

Are you really that blind - Apple claims about privacy has double standard?

I dont know what we are arguing about too.. Your the one who comment on my post about Apple and China and here you are talking about something else. I am also lost.

Privacy refers to data handling in the context of misuse. Using your “logic” there isn’t privacy even in the US because cell carriers and govt entities have legal access to your data. Oh yeah...

 

[JosephAW]

Maybe it's time for an antivirus app on the iPhone. Would be nice to be alerted when a website or app is trying to use a current exploit or even a previous security exploit so we can blacklist or avoid them.
We are still in the dark when a site is attempting to root our iPhone or has been rooted.

 

[MrUNIMOG]

Maybe it's time for an antivirus app on the iPhone. Would be nice to be alerted when a website or app is trying to use a current exploit or even a previous security exploit so we can blacklist or avoid them.
We are still in the dark when a site is attempting to root our iPhone or has been rooted.

So how should that be possible? What could such an app (even were it not for sandboxing) do that iOS itself can't? How is it supposed to detect attempts of using a "current exploit", i.e. one that hasn't yet been found and fixed? Of what use would it be if it could only detect attempts of using "previous" exploits, i.e. known and fixed ones?

 

[Lalatoon]

Privacy refers to data handling in the context of misuse. Using your “logic” there isn’t privacy even in the US because cell carriers and govt entities have legal access to your data. Oh yeah...

pri·va·cy
/ˈprīvəsē/

noun

1. the state or condition of being free from being observed or disturbed by other people.

 

[I7guy]

pri·va·cy
/ˈprīvəsē/

noun

1. the state or condition of being free from being observed or disturbed by other people.

The cell companies and govt entities are not “people” and have a legal right (based on laws and need to know) to see certain information.

 

[rafark]

The replies in this thread remind me of this:

Today, we celebrate the first glorious anniversary of the Information Purification Directives. We have created, for the first time in all history, a garden of pure ideology—where each worker may bloom, secure from the pests purveying contradictory truths. Our Unification of Thoughts is more powerful a weapon than any fleet or army on earth. We are one people, with one will, one resolve, one cause. Our enemies shall talk themselves to death, and we will bury them with their own confusion. We shall prevail!

 

[Naaaaak]

Doesn’t really say much about android then which must be closer to windows 3.1 then.

Perhaps nothing is as bad as “log in as root without a password” macOS. https://www.macrumors.com/2017/11/28/macos-high-sierra-bug-admin-access/

That security + privacy Tim Apple.
[doublepost=1567963006][/doublepost]

At least Facebook and Google is not dancing with the Chinese totalitarian government.

Google worked on a special search engine for China’s totalitarian requirements.

Facebook I’m sure has done just as bad.

All these tech companies show their morals are empty as they’ve sacrificed them to access China’s market.

 

[I7guy]

Perhaps nothing is as bad as “log in as root without a password” macOS. https://www.macrumors.com/2017/11/28/macos-high-sierra-bug-admin-access/

That security + privacy Tim Apple...

Basically easy web search to devolve into..absolutely nothing of who has the worst vulnerabilities. Calling Mr. Cook “Tim Apple” doesn’t make your opinion correct.

 

[macfacts]

Security is a constant game of whack-a-mole

That's one of the problems with apple and security that the google report brought up. Apple is acting after flaws are found instead of using standard quality assurance processes to prevent them from even happening.

 

[Naaaaak]

The chief reason why Apple even felt compelled to release a statement of their own is precisely because Google was so vague and threatened to create more problems and uncertainty than it was supposed to address.

…

They know that journalists will pounce on whatever they say (all the more when it’s Apple) and whip it up into a compelling narrative.

Apple chose to respond to Google when it was the media that sensationalized it.

Apple’s response shows they were aware of the targeted-group and chose not to disclose that to their affected users. They had months to address it.

This comes just weeks after learning that ALL Siri audio was retained and listened to by contractors (and only after immense pressure and disclosure do they now ‘only’ retain transcripts).

I’d say the compelling narrative that Apple is *not* a competent security and privacy company is well-earned.

What if a bank didn’t disclose to an affected group of their customers that their personal details might have been stolen? In this case, Big Tech is more afraid of angering China and losing market than upholding their supposed morals.

When they imagine — without really knowing — that they see “code that likely skipped QA or likely had little testing or review before being shipped to users,” that’s a shot across the bow.

Apple cares more about shipping iPhones on a schedule than getting OS releases bug-free. Look at the state of disrepair of iOS and macOS. Radar and their response to bugs is a joke to devs.

 

[gatorguy2]

Perhaps nothing is as bad as “log in as root without a password” macOS. https://www.macrumors.com/2017/11/28/macos-high-sierra-bug-admin-access/

That security + privacy Tim Apple.
[doublepost=1567963006][/doublepost]

Google worked on a special search engine for China’s totalitarian requirements.

Facebook I’m sure has done just as bad.

All these tech companies show their morals are empty as they’ve sacrificed them to access China’s market.

Yet you have no idea how it would have worked, if privacy could be preserved within a curated search engine which may have been the intent, or whether Google's design would have been enough to appease the Chinese anyway and allow them to move forward. Not that it matters because Google has pledged to suspend even a consideration of doing so after much internal discussion. That's ethics at work.

If mo'money were more important than doing the right thing Google would have done whatever China asked in order to get back into their market and do the same as Apple: Just follow all the laws in order to PROFIT!, ethics and complaints be damned. It's all just business right? Making money is what counts, and how you get there is for PR to deal with.

Yet Google chooses to give up billions in profit and at the end of the day act according to ethics. All they had to do was just "follow the Chinese law" like Apple, rake in billions, and PROFIT!

Damn ethics got in the way again. There's no place in business for it. /s

 

[JosephAW]

The replies in this thread remind me of this:

Today, we celebrate the first glorious anniversary of the Information Purification Directives. We have created, for the first time in all history, a garden of pure ideology—where each worker may bloom, secure from the pests purveying contradictory truths. Our Unification of Thoughts is more powerful a weapon than any fleet or army on earth. We are one people, with one will, one resolve, one cause. Our enemies shall talk themselves to death, and we will bury them with their own confusion. We shall prevail!

Your showing your age. Kids today have no clue what your talking about.

 

[I7guy]

Yet you have no idea how it would have worked. if it would have worked, or whether it would have actually come to fruition anyway. Not that it matters because Google has pledged to suspend even a consideration of doing so. That's ethics at work.

If mo'money were more important than doing the right thing Google would have done whatever China asked in order to get back into their market and do the same as Apple: Just follow all the laws in order to PROFIT!, ethics and complaints be damned. If's all just business right? Making money is what counts. How you get there is for PR to deal with.

The “right” thing is a moving target. I’ll wait while the world stops buying products that have originated in certain locales. Either one does or doesn’t do it, there is no grey area.

 

[macfacts]

and I am going by Apple's word that only a small population of users was targeted by a state actor.

Apple uses that same excuse everytime, only a small number of users were affected. How can anyone believe that?

https://www.google.com/search?q=apple+affected+small+number+of+users

It's also interesting apple is reacting after google released this report. If google didn't release that report, no one in the public would have known. Apple says they fixed these exploits in February but didn't tell anyone. Just like they didn't tell anyone about the battery throttling.

 

[I7guy]

Apple uses that same excuse everytime, only a small number of users were affected. How can anyone believe that?

https://www.google.com/search?q=apple+affected+small+number+of+users

It's also interesting apple is reacting after google released this report. If google didn't release that report, no one in the public would have known. Apple says they fixed these exploits in February but didn't tell anyone. Just like they didn't tell anyone about the battery throttling.

Did you read the security notes associated with the release? Was this in there?

 

[macfacts]

Did you read the security notes associated with the release? Was this in there?

Nothing but smoke and mirrors hiding the truth.

 

[I7guy]

Nothing but smoke and mirrors hiding the truth.

Seems like we have a fundamental difference of what smoke and mirrors is. Smoke and mirrors would be Apple claiming this was fixed but not fixing it.”

edit: the truth was the vulnerability was fixed.

 

[MrUNIMOG]

This comes just weeks after learning that ALL Siri audio was retained and listened to by contractors (and only after immense pressure and disclosure do they now ‘only’ retain transcripts).

Now that's just not true. Audio data of less than 0.2 percent of Siri queries was retained for grading.

 

[Lalatoon]

Perhaps nothing is as bad as “log in as root without a password” macOS. https://www.macrumors.com/2017/11/28/macos-high-sierra-bug-admin-access/

That security + privacy Tim Apple.
[doublepost=1567963006][/doublepost]

Google worked on a special search engine for China’s totalitarian requirements.

Facebook I’m sure has done just as bad.

All these tech companies show their morals are empty as they’ve sacrificed them to access China’s market.

During the congress hearing Google CEO said that they dont have plans to launch censored search engine in China - Dragonfly.

Facebook as a company has tried launching apps in China however the Facebook platform itself is still ban in China like other services and apps that did not cooperate with the Chinese government.

Here is an old video about insight why Facebook, Twitter, Youtube, Google and others are ban in China.

I'm not saying Google or Facebook are saints because they are not and they will gather user data. Regarding China, at least they decided not to cooperate as oppose to Apple who did not think twice. Apple even ban VPN apps in their Chinese app store per request by the government.

Here is a video about Apple and privacy

We should really be critical and open minded instead of just being naive and believe everything a company like Apple says, a company whose mission is to profit.

 

[macfacts]

Now that's just not true. Audio data of less than 0.2 percent of Siri queries was retained for grading.

That's another way of saying it only affected a small number of users. It's like a broken record now.
[doublepost=1567985791][/doublepost]

Seems like we have a fundamental difference of what smoke and mirrors is. Smoke and mirrors would be Apple claiming this was fixed but not fixing it.”

edit: the truth was the vulnerability was fixed.

Everything that apple is "trying to correct", why weren't those facts in the iOS update notes. Apple is trying to hide it that's why.

 

[I7guy]

That's another way of saying it only affected a small number of users. It's like a broken record now.

Why was this a surprise. Wasn’t this in the TOS?

Everything that apple is "trying to correct", why weren't those facts in the iOS update notes. Apple is trying to hide it that's why.

Maybe there was an agreement not to publish this for reasons that are not public. Couldn’t be. Right? Has to be Apple tried to hide this.
[doublepost=1567986861][/doublepost]

...We should really be critical and open minded instead of just being naive and believe everything a company like Apple says, a company whose mission is to profit.

What’s being said by some in this thread is the exact opposite of critical and open minded. It’s biased and closed minded.

 

[Abazigal]

Apple says they fixed these exploits in February but didn't tell anyone. Just like they didn't tell anyone about the battery throttling.

If the number of people affected was indeed a very small number concentrated in a particular location, it would make sense (to me at least) for Apple not to publicise this incident. Considering that the fix is contingent on your device having installed a particular patch, won't announcing it essentially broadcast to all would-be hackers the existence of such a security hole. They would then be able to reverse-engineer the issue and use it to target other iPhone users whose phones are not on the latest patch.

It's also interesting apple is reacting after google released this report. If google didn't release that report, no one in the public would have known.

What's there to know? That there was a bug in February that has long since been fixed? Apple wasn't caught with their pants down here. It's not like Apple knew about the bug for years but elected not to fix it because they were on the Chinese government's payroll.

Apple chose to respond to Google when it was the media that sensationalized it.

And the media was able to sensationalise it (which is another issue I have, which I may address as well later on) because of Google's decision to report it in an extremely dishonest fashion. If Team zero didn't know how many people were affected, or how Apple's security team goes about addressing such issues, then they should never have insinuated otherwise in their report.

Which again, I suspect is (partly) due to them being part of Google, so there is definitely vested interest in them not only revealing a security flaw with one of their parent company's biggest competitor, but also blowing up the matter and making it seem like a way bigger deal than it really is, in order to make Apple look bad in comparison. Especially when the iPhone keynote is next week.

 

[rafark]

Your showing your age. Kids today have no clue what your talking about.

Im in my early twenties, but I love that commercial.