Serious question: If Apple values privacy so highly why do they not have a division like Google's Project Zero doing this kind of work? If they do have such a division, what has it exposed over the years?
One doesn't know if they do or don't, but from your tone, you are assuming they don't? As an aside, privacy and security are not synonymous. Neither are end-points and both are goals to which the company has to have robust internal processes to move the needle.

Based on the way some past vulnerabilities were patched and released, it seems in general, Apple is committed to patching up those things that are reported (after the fact).
 
Apple should retaliate and release a free privacy friendly search engine, video site, release Safari for Windows, make Apple Maps multi platform, and create a free GDocs competitor.

that will teach Google not to publicly shame Apple again

Out of curiosity, do you ever wonder why they haven’t done this?
 
Another false equivalency.

What Google gets is very limited. Absolutely zero identifying information about the user or device used. How can Google be getting “my” information if there’s nothing about “me” in the data?
Then why are many here so against using Google because of privacy concerns on their iPhones if Google is not getting your information if there's nothing about you in the data?

So all these members here using duck duck go is just crying wolf? I see.
You’re conflating a whole bunch of things in order to attempt to substantiate some negative points against Apple. That is the issue with this post, which is nothing more than a continued criticism from you of just about everything Apple.

What users say and what they do are irrelevant. What matters is how the internet works. Or is google just some noname brand that nobody uses anyway. I don’t particularly like a whole lot of customization but lumping in picking a search engine with customization is just continued folly and disingenuous at that.
Yeah, you never fail at being hypocritical which I have pointed out many times to you which you were unable to defend. I can't be bothered pointing it out again because you never change.
 
Then why are many here so against using Google because of privacy concerns on their iPhones if Google is not getting your information if there's nothing about you in the data?

So all these members here using duck duck go is just crying wolf? I see.

Another logical fallacy.

Some users choosing DDG over Google doesn’t mean Google is getting your data.
 
Then why are many here so against using Google because of privacy concerns on their iPhones if Google is not getting your information if there's nothing about you in the data?

So all these members here using duck duck go is just crying wolf? I see.

Google is absolutely able to monetize iOS users regardless of the spin rolled out by some on here. Some estimates put iOS at as much as 75% of Google's mobile ad revenue.
 
Google is absolutely able to monetize iOS users regardless of the spin rolled out by some on here. Some estimates put iOS at as much as 75% of Google's mobile ad revenue.
The question is who is giving google that information. Apple? (no) Users? (yes). Is Apple supposed to block google in the name of not being hypocritical (to some only)? Apple is committed to not misusing the data you give apple. Apple has nothing to do with the data you freely give away on the internet and third party apps.
 
Yes it does. Consumers that purchase budget android devices value the price over privacy.

How Android Phones Hide Missed Security Updates From You
https://www.wired.com/story/android-phones-hide-missed-security-updates-from-you/

“We find that there’s a gap between patching claims and the actual patches installed on a device. It’s small for some devices and pretty significant for others,” said Nohl. “Sometimes these guys just change the date without installing any patches. Probably for marketing reasons, they just set the patch level to almost an arbitrary date, whatever looks best.”

Read more at MobileSyrup.com: Some Android manufacturers haven’t told the full truth about security patches


It is a very accurate statement to make because they purchase smartphones android updates either through the os or through security updates.


That makes 2 and 3 extremely relevant.
OnePlus is considered a cheap phone and they get constant updates
 
...
Yeah, you never fail at being hypocritical which I have pointed out many times to you which you were unable to defend. I can't be bothered pointing it out again because you never change.
If I am unable to "defend" my position, you are certainly unable to "prove" yours. But the above is more than disingenuous.
 
The question is who is giving google that information. Apple? (no) Users? (yes). Is Apple supposed to block google in the name of not being hypocritical (to some only)? Apple is committed to not misusing the data you give apple. Apple has nothing to do with the data you freely give away on the internet and third party apps.

No. Nobody has said that they should block them, but when Apple have got their hands in the pot then there is a clear disconnect from the way they like to portray themselves.

They talk privacy and then profit from the monetisation of their users data. To say otherwise is just an obfuscation of the issue.

That services revenue Apple like to talk about. 25% of it comes from Google.
 
No. Nobody has said that they should block them, but when Apple have got their hands in the pot then there is a clear disconnect from the way they like to portray themselves.

They talk privacy and then profit from the monetisation of their users data. To say otherwise is just an obfuscation of the issue.

That services revenue Apple like to talk about. 25% of it comes from Google.
Nothing changes, if Apple didn't get a stipend from google, which is why I don't view them as having any disconnect or being hypocritical. Users would still use google and still login and still do searches...

I'm okay with Apple using my data to sell me more Apple services, that would be a proper use of the information...no different than any other companies, like banks, attempting to sell more products. As long as my data remains within Apple I'm okay with that.

Are you suggesting Apple (other than cellular providers), sells your data to outside companies to make a profit? If you are saying that, then who? If you are not saying that, then we have a disagreement on legitimate use of user information.
 
Are you suggesting Apple (other than cellular providers), sells your data to outside companies to make a profit? If you are saying that, then who? If you are not saying that, then we have a disagreement on legitimate use of user information.

Yes that's exactly what I am saying.

They accept tens of billions of pounds in what they like to call 'traffic acquisitions fees' from Google. Google monetises that traffic. So in effect Apple is selling that data to Google.

You can disagree as much as you like that is fact. Not opinion.
 
Yes that's exactly what I am saying.

They accept tens of billions of pounds in what they like to call 'traffic acquisitions fees' from Google. Google monetises that traffic. So in effect Apple is selling that data to Google.

You can disagree as much as you like that is fact. Not opinion.
It's a fact apple gets a stipend. It's an opinion (and a bad one at that), that Apple is selling data. It's a pedantic use of the word sell alluding to the stipend. I suppose if Apple didn't accept a stipend, they would be "giving" your data away, which is why this has nothing to do with money and everything about how the internet works.

But I guess as you said, I'm going to paraphrase: "You can disagree as much as you like but that is opinion. Not fact".

At any rate, just wondering how this ties back to the headliner of apple fixing some vulnerabilities in 12.1.4.
 
It's a fact apple gets a stipend. It's an opinion (and a bad one at that), that Apple is selling data. It's a pedantic use of the word sell alluding to the stipend. I suppose if Apple didn't accept a stipend, they would be "giving" your data away, which is why this has nothing to do with money and everything about how the internet works.

But I guess as you said, I'm going to paraphrase: "You can disagree as much as you like but that is opinion. Not fact".

No no nothing pedantic about my post at all. Pedantry is what you are using to try and obfuscate this issue.

Apple accepts a fee from Google for access to iOS users search data. They are in effect selling that data to Google. They are fully aware of how Google use the data and even adjust the fee based on how much revenue Google earn from mobile ads.

Apple even crow about their growing services revenue knowing that a large part comes from Google's mobile ad business.
 
No no nothing pedantic about my post at all. Pedantry is what you are using to try and obfuscate this issue.

Apple accepts a fee from Google for access to iOS users search data. They are in effect selling that data to Google. They are fully aware of how Google use the data and even adjust the fee based on how much revenue Google earn from mobile ads.

Apple even crow about their growing services revenue knowing that a large part comes from Google's mobile ad business.
Apple accepts a fee for google to make google the default search engine. Something users can:
a) change in settings, or
b) in the search bar type in yahoo.com, google.com, bing.com etc.

Therefore they are categorically not "selling" any user data as users have a choice, users are not locked down to "only google". This all comes down to preferences for users and the way the internet works.

Apple should crow about the service revenue, google is paying apple for something ios users would do for free (from Apple's point of view) anyway.

I guess just another day in Appleland. Two MR posters disputing a (not so) fine point in an otherwise already beat to death topic.

Maybe Apple should reimburse google for their good help in eliminating these vulnerabilities.
 
So,...how do you tell if anyone ever targeted or used these exploits on one of your devices?
 
Google is absolutely able to monetize iOS users regardless of the spin rolled out by some on here. Some estimates put iOS at as much as 75% of Google's mobile ad revenue.

Nobody is saying Google can’t monetize the search data they get from iOS users. You're deflecting from the real issue:

Does Apple pass search requests from iOS devices to Google while protecting your identity/privacy? The answer is an absolute YES.

Google gets useful data from the most valuable mobile users and Apple makes a bunch of money giving them that (limited) data while protecting users privacy. It’s a win for both sides.
 
So what were the malicious sites?
Google dropped a few hints, but they are likely unable to disclose right now. There are a few comments scattered through the report:

- relatively low traffic at a few thousand visitors per week
- the references to ethnic group and the value of the “n+1” th dissident
- noting it's a crazy expensive attack
- that such an attacker was fine transmitting data in the clear (this might imply the attacker had control of what it viewed as the relevant cellular and wi-fi networks)

Some of that may have been conceptually illustrative, rather than dropping hints, so it might be a misdirection (and what I’m suggesting is wrong)

That kind of fits the model of an authoritarian nation state, conducting activities against a specific non-English speaking ethnic group that it considers dissident, where somewhere between a few 10s of thousand & few 100 thousand compromised iPhones is a significant target. (And inferring they have similar capabilities on Android, but delivered differently).

Oh and one where public disclosure identifying the state or the target group would be very politically sensitive.

That’s not a very long list.
 
The team reported these findings to Apple in February, and Apple's release of iOS 12.1.4 that same month addressed the issues.

Google's deep dive into the iOS exploit can be read on the company's Project Zero blog.

Article Link: Google Outlines iPhone Vulnerabilities That Let Malicious Websites Steal User Data for Years, Now Fixed

So it’s all fixed.

Thank you Google for finding the exploits, thank you Apple for fixing them.

THIS is what we want in the tech space! Companies helping each other keep customers safe, there is no agenda here.
 
Just in the first page of the thread some are already accusing or blaming Google of something.

C'mon guys don't be a pathetic loser, we should be happy that a third party is trying to poke into Apple system and check for vulnerabilities. Apple is not invulnerable and being a closed system it's really hard to audit their security. Luckily we have some people outside of Apple way of thinking doing this kind of things. We should be thanking them because in system hacking/exploits/vulnerabilities it's a cat and mouse game. If we will only leave everything to Apple then bad guys will have their way with it. We need third party to really test Apple systems and that's why we have bug bounty in the first place. Kudos to Apple, releasing updates to address the issues.
Serious question: If Apple values privacy so highly why do they not have a division like Google's Project Zero doing this kind of work? If they do have such a division, what has it exposed over the years?
I think it's a drain of profit :) why do it when others are already doing it for you :)
 
Having read the Google Project Zero post, and the Macrumors article - the QUESTION that I would like to have clearly and unambiguously answered is: is the exploit persistent or does installation of the latest (or at least post iOS 12.1.4) clean any potentially compromised device?
It's mentioned in the blog somewhere that it's only memory resident meaning when you reboot your phone you clear it out but you would be infected again if you then re-visited the site.
So, no it isn't persistent.
 
Yes. By using Apple News you agree to let Apple track your reading habits. Apple arranges targeted advertisements on behalf of publishers for a 30% cut.

Also see here https://searchads.apple.com/news/
Didn't know that. But we don't have Apple News here, so maybe I'll get a pass on that?

Seems that the exploit made use of 14 (yes 14!) vulnerabilities that had been around for two years! Perhaps if Apple tested their OS as diligently they might have been aware sooner.

It's all very well preaching that Apple products can't get viruses, and this might have worked when it was a niche platform, but now the user base is vast and this perceived invulnerability is now very much worth taking the time and effort to exploit. Apple have done themselves no favours selling this line to their users who will now question what they've been led to believe.

Let's not also forget that anything before iPhone 6S won't get a security update for this anyway.
Why wouldn't the 6S get a security update? iOS 12.1.4 fixed this flaw, and that's available for all iPhones down to the 5S.
Since this flaw existed in iOS 10 - 12, the only devices not getting fixed are the iPhone 5 and 5C, which can't be updated beyond iOS 10.3.4. Older phones than these are stuck at iOS 9.3.6, which seems to not be affected.
 
This is a really serious breach considering the amount of data they had access to and I am really disappointed in Apple for the system not being designed to prevent it.
Yes, they are still more secure than Android. Yes, they did something about it quickly but it still means that if you were unlucky, all your passwords to your online banking, Amazon account, Apple account, email etc were compromised meaning for 2 years you had no security at all.
Having access to keychain is a really big deal.
 