You may have heard earlier this month that Google published a report detailing how attackers were exploiting vulnerabilities in Apple's iOS software that allowed malicious websites to take over your iPhone, just by visiting the sites. Google's findings came from its Project Zero security research team, who claimed that the sites received thousands of visitors a week and had been compromised for as long as two years.
On Friday, Apple made it clear it was having none of this, and issued a response to clarify that Google's report misrepresented the scope and scale of the hack attempts, though it did not deny that the vulnerability previously existed (it was patched in iOS 12.1.4).
Apple, in a statement, said that "Google's post, issued six months after iOS patches were released, creates the false impression of 'mass exploitation' to 'monitor the private activities of entire populations in real time,' stoking fear among all iPhone users that their devices had been compromised. This was never the case."
For example, Google's blog post said that "there was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant." Further, the researchers estimated that "these sites receive thousands of visitors per week." That all sounds pretty ominous, right?
The details matter
Apple has a point. Not only had Apple already patched the vulnerability when Google published its report, but that report also failed to detail some important facts--mostly that the attack was focused on a very specific population, and was likely perpetrated by that group's own government. That's certainly bad, but the vast majority of iPhone users were never at risk.
Those details were left out of the dozens of articles published that talked about how bad this was for iPhone users. I won't link to them, since they contain inaccurate or incomplete information, but a quick search of Google will certainly satisfy your curiosity--if you are so inclined.
There is also at least a little bit of irony that Google has a research division dedicated to pointing out areas where its competitors' products are vulnerable or being exploited. Especially when you consider there is no company on earth (other than maybe Facebook) more dedicated to exploiting what you do on your devices for its own purposes.
I'm sure the end goal of publicly sharing these vulnerabilities is to eliminate security threats for everyone, but it's hard to overlook the fact that there are several ways Google could have published this information without creating fear for users who were never at risk.
Trust is everything
Which leads to another point, and it's one that shouldn't be overlooked in all of the conversation about trust. Trust is your brand's most important and valuable asset. Once users stop trusting you, it's very hard to recover.
In this case, both companies have something to lose. Google's Project Zero depends on trust for its research to be taken seriously. If it appears that it's simply a tool for throwing shade at Google's competitors, people will stop paying attention to its warnings. That's a real problem when no one believes you the next time a real security risk rears its head.
On the other hand, Apple has frequently positioned itself as the tech company that cares about your privacy and promises that it isn't interested in monetizing your personal information. Apple's brand promise is trust.
One of the key aspects of that promise is that it does everything it can to keep your devices and information secure. It has a lot at stake when researchers publish information that seems as though every iPhone user might have been compromised just by surfing the internet.
You can understand, then, why Apple would go to the effort to respond, and why the company wasn't too thrilled that Google's published report left out quite a few important details.
In reality, we're counting on both companies to get it right. They are our first and last line of defense in a world of bad actors that are constantly trying to get ahold of our personal information, and the last thing we need is confusion. Confusion is the opposite of trust, and trust--it turns out--is everything.