Google Outlines iPhone Vulnerabilities That Let Malicious Websites Steal User Data for Years, Now Fixed

[falainber]

Bull. Where's your proof for the ridiculous statement that Google has "higher caliber software developers and security experts than Apple"?

Based on all the Apps/malware that sneak into Google Play, the fact Google can't even develop a good messaging system (after half a dozen tries) or can't figure out a way to update all Android devices after years of failed attempts (just a couple quick examples) I'd call that claim a straight up lie.

Google can't update Android devices that they do not manufacture. they are not even the ones who releases an OS for them. All Google messaging apps are just fine. Perhaps you are confused about those apps not working with Windows and MacOS computers but then, again, your finger pointing is misdirected. Apple does not have a good messaging app (working with Android and Windows devices) either. Suckers.

 

[nvmls]

 

[NickName99]

Meanwhile in Android related news, this week alone:

https://arstechnica.com/information...0-million-downloads-executed-secret-payloads/

https://arstechnica.com/information...wnloads-drained-batteries-and-slowed-devices/

https://arstechnica.com/tech-policy...keptical-of-googles-new-web-privacy-strategy/

 

[mdatwood]

Are you serious?
Cause of the vulnerability were, as the researcher pointed out


„cases of code which seems to have never worked, code that likely skipped QA or likely had little testing or review before being shipped to users“


https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html


So Apple has a lot of homework to do.

It's also always easy in hindsight to see code and think "that's an obvious flaw if it was reviewed." If it was so obvious why was it written to begin with? Every time I git blame a piece of idiotic code and see *my* name I wonder WTF was I thinking. It happens because at those times I didn't know then what I know now.

Of course in a perfect world every line of code would be independently audited before shipped. Every piece of software would be developed to the same standards that NASA wrote the code that powered the space shuttle. Unfortunately, that world is one in which none of us would ever be able to afford the software.

Every time I talk about security, I never talk about if but when. That's why all PII data should be encrypted at rest, passwords hashed and salted. So when a security lapse occurs it's possible to minimize the fallout. Clearly Apple has learned from this situation. The announcement that verified security researchers will get rooted developer iOS devices shows that Apple is serious about improving this process.

 

[quietstormSD]

I'm thinking the website name is facebook.com

 

[macfacts]

Bull. Where's your proof for the ridiculous statement that Google has "higher caliber software developers and security experts than Apple"?

Remember that time you could jailbreak an iPhone by visiting a web site?

 

[realtuner]

Google can't update Android devices that they do not manufacture. they are not even the ones who releases an OS for them. All Google messaging apps are just fine. Perhaps you are confused about those apps not working with Windows and MacOS computers but then, again, your finger pointing is misdirected. Apple does not have a good messaging app (working with Android and Windows devices) either. Suckers.

Still waiting for your proof Google has “higher caliber software developers and security experts than Apple”.
[doublepost=1567195908][/doublepost]

Remember that time you could jailbreak an iPhone by visiting a web site?

And this proves what exactly?

 

[mrkite77]

Google allows you to remove google search from a android and replace without another search engine,

I missed where they allowed that, could you show the option in chrome or system wide android thanks.

https://support.google.com/chrome/answer/95426?co=GENIE.Platform=Android&hl=en

 

[FFR]

https://support.google.com/chrome/answer/95426?co=GENIE.Platform=Android&hl=en

Is that system wide?
Google assistant will start using another search engine?

 

[FFR]

Remember that time you could jailbreak an iPhone by visiting a web site?

I can. But this isn’t one of those times is it?

It’s such as obscure exploit the jailbreaking community couldn’t even take advantage.

Great point mate.

 

[BC2009]

Same question. Read the articles, and didn’t see them listed. Maybe I missed them... I feel google has the responsibility to disclose them.

The blog post mentions Apple and IPhone dozens of times but does not list one of the websites that got hacked so users can know if they have been compromised. I am betting some of the sites may have been Google properties or else they would have been mentioned.

 

[realtuner]

It's also always easy in hindsight to see code and think "that's an obvious flaw if it was reviewed." If it was so obvious why was it written to begin with? Every time I git blame a piece of idiotic code and see *my* name I wonder WTF was I thinking. It happens because at those times I didn't know then what I know now.

Of course in a perfect world every line of code would be independently audited before shipped. Every piece of software would be developed to the same standards that NASA wrote the code that powered the space shuttle. Unfortunately, that world is one in which none of us would ever be able to afford the software.

Every time I talk about security, I never talk about if but when. That's why all PII data should be encrypted at rest, passwords hashed and salted. So when a security lapse occurs it's possible to minimize the fallout. Clearly Apple has learned from this situation. The announcement that verified security researchers will get rooted developer iOS devices shows that Apple is serious about improving this process.

This.

You can always tell who’s written code from those who haven’t (especially those who claim it “should have been caught”).

 

[aka777]

Well oh well. I have to laugh at those who mock microsoft and google for their regular updates.

 

[Blaze4G]

I call BS on this.

I mean, Apple is pretty much selling users data indirectly. They accept the money from Google to make them their default search engine in safari then when apple users uses safari and google gets the data they sell it.

I mean what's the difference?

Apple is selling google their customers data, are they not?

 

[foodog]

This is why regular updates matter on iOS. They need them.

This is why regular updates matter on [insert OS, application, etc...]. They need them.


I fixed that for you.

 

[mrkite77]

This is why regular updates matter on [insert OS, application, etc...]. They need them.


I fixed that for you.

Security updates on Android are separate from OS updates.

 

[TecnoMuzik]

All this Android vs iOS BS... I use an iPhone for personal use but my work phone is an Android Galaxy S8. My work phone I’ve had for almost 2 full years now and it has never once shown that there are updates available. Every time I check it says I am up to date which is not true. When I looked into it, I’d have to go to an AT&T store to have to “push” the update out again. Wtf?? That is not practical at all. If I buy a dell computer running Windows, I don’t go to Dell for OS updates. How stupid is that??

 

[C DM]

This is why regular updates matter on iOS. They need them.

That is to say that regular updates matter to any OS. Fairly basic reality that has been known for a long long time.
[doublepost=1567199853][/doublepost]

Security updates on Android are separate from OS updates.

They are still updates that are needed.

 

[I7guy]

I mean, Apple is pretty much selling users data indirectly. They accept the money from Google to make them their default search engine in safari then when apple users uses safari and google gets the data they sell it.

I mean what's the difference?

Apple is selling google their customers data, are they not?

Nonsense. If Apple didn’t accept payment the outcome would be the same. That’s the internet. You want Apple to maybe block google?

 

[C DM]

So many critical vulnerabilities considering how dumbed down iOS is. Perhaps that's why Apple is reluctant to, for example, add code to allow placing icons anywhere on the home screen since it can add new vulnerabilities.

UX and OS coding are fairly different things. Seems like an unrelated apples vs. oranges type of comparison at best.
[doublepost=1567199714][/doublepost]

The exploit has been around for two years!

Also your solution is not possible for users of older devices ie iphone 6 and below who can't update to latest ios.

iPhone 6 can run iOS 12. Even iPhone 5s can run it.

 

[ignatius345]

Not really ,certainly not in this case. Not sure why people keep trotting this out and then telling people that they don't understand.

This Security vulnerability allowed a monitoring agent to track the users message, photo, and location data in real time. Clearly that is also a privacy issue.

A security breach may compromise privacy by accident, but contrast that with business practices that compomise privacy by design and for profit.

 

[FFR]

This is why regular updates matter on iOS. They need them.

Well if updates didn’t matter on android, google wouldn’t be holding their iO developers conference every year, now would they?




Oh and regarding the security updates myth.

Security updates are determined by the oem and are not universally applied.

Ie: the September security update for the pixel 3 isn’t the same September security update released for the s10.

https://mobilesyrup.com/2018/04/12/android-manufacturers-lie-security-updates/

“We find that there’s a gap between patching claims and the actual patches installed on a device. It’s small for some devices and pretty significant for others,” said Nohl. “Sometimes these guys just change the date without installing any patches. Probably for marketing reasons, they just set the patch level to almost an arbitrary date, whatever looks best.”

And

How Android Phones Hide Missed Security Updates From You
https://www.wired.com/story/android-phones-hide-missed-security-updates-from-you/





Anyone else wants to falsely claim android doesn’t need OS updates because security updates are enough?

 

[C DM]

Serious question: If Apple values privacy so highly why do they not have a division like Googles Project Zero doing this kind of work? If they do have such a division, what has it exposed over the years?

So Apple employees did not find these bugs but Google employees did?

Companies have their own people looking for issues and working to resolve them, but ultimately the more complex something is the more likely that all the issues won't get surfaced initially or even after some time. There are companies that have people that look for issues not only in their own software but in that of others as well.

 

[1098474]

What they don't tell you is the vulnerability only affected apps made by a company named Alphabet Inc.

The sites that infected iPhones were web sites that the majority of iPhone users never visit. IE: pr0n sites.

As an apple employee, I can assure many Apple Customers use porn sites. They come in to the Apple store asking how to remove the pop ups caused by JavaScript
[doublepost=1567200541][/doublepost]

Well if it sells more hardware or services, you can bet apple values privacy.

Samsung sells more than Apple, do they value privacy?

 

[nickgovier]

.