Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Google Outlines iPhone Vulnerabilities That Let Malicious Websites Steal User Data for Years, Now Fixed

Northern Man said:
The defenders will soon be here trying to explain how Apple was not at fault and that the company is really trying to put privacy priority # 1 (ha...ha...ha).
Click to expand...

Do you realize that Apple was getting no benefit from these exploits, right?
You have exploits on all type of systems, on top of that you have some ecosystems where you are the product.
Unless you are confident that Apple's exploits are more and worst than the alternatives... oh well this is probably getting too complex for you.
[doublepost=1567236885][/doublepost]
M.PaulCezanne said:
Yeah, why no links?

;)
Click to expand...
Yes, I want to click on those links right now!
Oh, wait...
 
  • Like
Reactions: StyxMaker
iDiots said:
OnePlus is considered a cheep phone and they get constant updates
Click to expand...

One plus is in the same group as Xiaomi.
1-3 security patches missing.

As i posted above Android manufacturers lie about security updates.
 
Last edited:
fredrik9 said:
Google has reported it to Apple and probably reported the sites to the police. In addition, they probably have removed the sites from indexing in Google Search. I think this is sufficient, the public doesn't need to know exactly which sites.
Click to expand...

Respectfully, there are too many "what if" type scenarios in your post, and I disagree with your position.

Since Google releases unpatched vulnerabilities to the public, they also should release the names of the hacked websites that spread the infected code. Even if the sites have been fixed, the public should know if they were exposed.

Additionally, Apple should state if the newly released code removes any vulnerabilities that were installed, and if not, how to remove them - even if that mean a complete wipe.
[doublepost=1567242049][/doublepost]
supercoolmanchu said:
‘Vivid color’ indeed.

The ‘deep dive’ in the link, features a lot of conjecture and speculation by a Google employee about Apple methodology and motivations.

This is an opinion piece sprinkled with bug fix log details, best not to hyperventilate.
Click to expand...

No hyperventilating. I just want the whole story - which includes the compromised sites.
[doublepost=1567242174][/doublepost]
FamVR said:
These were iOS specific bugs. And no, not every iOS device is patched. Sorry. They are not. Seriously.
[doublepost=1567184742][/doublepost]
Apple knows. You don’t need to know. It’s on a need to know basis.
Click to expand...

I need to know because it's my data that is at risk. Pretty simple.
 
mdatwood said:
Sounds like working as intended. Bugs found, reported and fixed in the same month.
Click to expand...

More like bugs were found (by a company making a business selling surveillance software to governments), bugs were exploited by the said software. The said software exploiting the bug was spotted by others (Google?) after 2 years, got reported to Apple and then patched.
 
  • Like
Reactions: mdriftmeyer
Northern Man said:
That is very funny but equally sad. You give Apple a huge pass and thumbs up because they let you change Google to Duck Duck Go. If Apple really cared about privacy they would not have Google as the default. Unfortunately they know that the majority of iPhone or Mac users don't care what search vehicle they use or have no idea something other than Google exists. Google would not pay Apple the big bucks if they knew a majority of users changed from the default. This in no way shows that Apple has any interest whatsoever in users privacy.
Click to expand...

That’s just silly. Google is the 800lb gorilla of search. They are the best and most ubiquitous search provider. Of course they are the default. But Apple provides the option the change the default to a variety of providers, including DuckDuckGo. And as another poster said, Google gets anonymized data from iOS when searches occur, so they aren’t as valuable to google as searches from android devices or chrome, but it’s still worth it to Google for the sheer volume of searches performed, amongst other considerations.

It’s not “sad”, and it’s not that Apple “knows most people don’t care who the search provider is.”

To the contrary, most people DO care about the default search working well, and that’s why Google is the default. If there were some other option, or an in-house solution, that performed just as well or better, they would make that option the default. But that doesn’t exist, so Google it is.
 
  • Like
Reactions: realtuner
Rob_2811 said:
No. Nobody has said that they should block them, but when Apple have got their hands in the pot then there is a clear disconnect from the way they like to portray themselves.

They talk privacy and then profit from the monetisation of their users data. To say otherwise is just an obfuscation of the issue.

That services revenue Apple like to talk about. 25% of it comes from Google.
Click to expand...

You can’t have it both ways. You can’t say “they shouldn’t block Google” and then also be upset that they gain revenue through Google searches performed on their devices. Should they allow Google searches, but then refuse any revenue from them?

People using Google search on Apple devices represent such a large and profitable cross-section of the market that Google is willing to pay Apple for the default position, even though they don’t get as much user data from those searches as they do through other means.

And users like it too, because Google is the best search engine on the planet.

So what exactly are you suggesting should change? It’s clear that Apple has chosen user privacy as a key differentiator. It’s clear that Google has the best search engine, and which users prefer. So Apple makes them the default but only provides restricted, non-identifying data. What would you change about this arrangement and why? And would “average” users be on board with it?
 
  • Like
Reactions: realtuner and I7guy
heov said:
Yes, thank God for Google and PZ. It's too bad that iOS was basically insecure for 2 years though.
Click to expand...

Was? How do you know that another exploit that hasn't been discovered isn't still active today? Maybe we will find our about it in a couple of years.

We have to realize that when companies and fans argue which OS is safer, that the truth is that none of them is really safe....

And of course the problem is not Huwaei that wants to spy on us as governments all over the world are apparently utilising the exploits to do that...
 
Khedron said:
Apple sells ads. Apple only values blocking other companies tracking users because they want a monopoly on user data to sell their own targeted advertising service. They don't include themselves in their anti-tracking measures.
Click to expand...
I am absolutely ok with Apple using my data to recommend other products and services from Apple...similar to what banks do.

As an aside there is a big difference between stealing user data from zero day vulnerabilities and using user data in a responsible manner.

There is nothing Tim Cook values more than a profit margin
Click to expand...
Yes. Part of a CEOs primary responsibility for a for-profit company.
 
Rob_2811 said:
You haven't answered the question, they are talking privacy yet taking Googles money to be default search provider. Thats doesn't make any sense.
Click to expand...

Let us assume two hypothetical scenarios:

A) With the search engine market share as it is, Apple stopped taking Google’s money and switched the default browser to DuckDuckGo. What would happen?

  1. Users, analysts, Members of Congress, State Attorneys General, members of the media would all go crazy, maybe even file class action lawsuits.
  2. Switch their iOS devices to use Google as the default search engine.
This ends with customer dissatisfaction, negative press for Apple and a loss of revenue (both from lost device sales and from Google for default placement).

B) A privacy respecting search engine gets to somewhere between 35% - 50% penetration and is on a growth trajectory. Apple decides to drop Google as it default (maybe taking a smaller payment from the number 2 provider to make them the default).
  1. Apple runs ads talking about Google search abuses (data gathering, paid placement, favoring their own services, etc.).
  2. Some users, analysts, Members of Congress, State Attorneys General, members of the media would go crazy (maybe even file class action lawsuit), however, to counter that other users, analysts, Members of Congress, State Attorneys General, etc. would praise their actions.
  3. Some users would switch their default search engine to Google.

This ends with some short term customer dissatisfaction, but some positive feedback. Some loss in revenue, but not a great deal. Google losing a great deal of revenue. Lots more discussion of privacy by design, privacy by policy and privacy in general.

Explain to me how the first scenario makes any sense for Apple, its users and/or share holders? The net result would be more people in a reduced privacy world.

Cynics would say they care about privacy as long as it doesn't hurt their bottom line.
Click to expand...

Rational people would say that they are not in a position to force a change on this issue at this time, and so should do everything they can do to minimize the amount of information Google is able to receive (attacking cross site tracking, etc.) and to focus users attention to the privacy issue.

Rob_2811 said:
Some estimates have put the fee they take from Google a quarter of Apples services revenue. Not so sure they would be so quick to turn that down.
Click to expand...

As long as the scenario ends with a large loss of revenue, loss of customer satisfaction and the bulk of users switching their default search engine to Google, they would be stupid to do so. At the point they could do it without those things, I would expect them to do so (it would hurt a rival and improve their message).
 
Northern Man said:
I have no idea and don't care. I don't use their products. Convenient to try to deflect away from Apple is it?
Click to expand...
Exactly. I don’t care either that Apple doesn’t find their own bugs..or maybe they find some, who knows. It’s irrelevant.

Calling this a deflection doesn’t mean it is. It seems that most bugs come from outside. So why even ask the question?
 
There is no visual indicator on the device that the implant is running. There's no way for a user on iOS to view a process listing, so the implant binary makes no attempt to hide its execution from the system.

It' nice to live in a walled jail-garden, yeh?
Apple owns our devices, miscreants too. And our data. And happy prisoners still buy the old tale "all the restrictions are for your security".

There is no security where is no freedom.

And we still get a fantastic choice of what to carry on ourselves - Google's spyware or Apples shackles. Complete with buggy cellular modules' hard and soft, which nevertheless is allowed to control our devices - unlike us.
 
MacBH928 said:
Apple should retaliate and release a free privacy friendly search engine,
Click to expand...

DuckDuckGo is a privacy friendly search engine. Why would Apple need to build one, rather than supporting the existing one (which they do by allowing it to be a user’s default on iOS and macOS, and supporting it with Apple Maps integration).

release Safari for Windows,
Click to expand...

While they had Safari for Windows, they determined that they were unable to gain enough market share (at the time, everyone still used IE) and that Firefox offered a privacy respecting browser with enough market share to matter, so they no longer spent time on it.

make Apple Maps multi platform,
Click to expand...

Apple Maps is available on the web, and is used by DuckDuckGo among others for exactly this reason. It respects user privacy and provides a great experience.

and create a free GDocs competitor.
Click to expand...

Apple offers iCloud with free access to Pages, Numbers and Keynote (arguably better than Google Docs), and have for a long time.

that will teach Google not to publicly shame Apple again
Click to expand...

Google posting stories about security exploits they discover does shame Apple. Glad they found and disclosed these exploits and Apple mitigated them. Not sure how they determine the timing of these releases (past the minimum 90-day window they guarantee), and have not been able to find any information on it (meaning that immediately after I post this someone will find a link that explains it) :) so I will give them the benefit of the doubt and presume it was just the time for the release, not that it was timed to coincide with the new iPhone’s announcement.
 
Awesom-0 said:
That reads like Android 10 needs them before release unlike other versions of Android. We get monthly security updates without needing a new OS version. That's why there is a security patch level and OS version number.
Click to expand...
That’s great that they get frequent updates to patch their exorbitant amount of vulnerabilities, but if you look at their security bulletin, there's so many vulnerabilities that either say "high" or "critical" severity.

https://source.android.com/security/bulletin/2019-08-01
https://source.android.com/security/bulletin/2019-07-01
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back