Apple CEO Tim Cook
Spencer Platt | Getty Images
The report, posted online late last month, said a series of websites had exploited security holes in iPhone software that existed over a series of two years, but the report did not identify the nature of the websites.
On Friday, Apple said in a sharply worded statement that the attacks identified by Google were through websites targeted toward Uighurs, a Muslim ethnic minority in China, implying that the websites were not a serious threat to Americans or most people in other parts of the world. The United Nations has accused China of human rights abuses toward the Uighurs, which China denies.
“First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones ‘en masse’ as described,” Apple said in the statement. “The attack affected fewer than a dozen websites that focus on content related to the Uighur community.”
Apple’s statement confirmed the vulnerabilities while also challenging Google’s framing of the exploits. Apple said on Friday that the Google post creates the “false impression of ‘mass exploitation.'”
Apple also challenged Google’s claims that the attacks were operational for years and said the flaws mentioned by Google were fixed in February, 10 days after it learned of the exploits.
“Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not ‘two years’ as Google implies,” Apple said in the statement.
“We stand by our in-depth research which was written to focus on the technical aspects of these vulnerabilities,” a Google spokesman said in a statement. “We will continue to work with Apple and other leading companies to help keep people safe online.”
The exploits were published by Google Project Zero, an elite bug-finding team that finds flaws in software from major companies. After finding a flaw, the team informs the company and gives it a time limit to fix the critical bugs, which are known as “zero day” vulnerabilities. The stated mission is to make all software harder to hack.
However, the report also doubled as a way for Google to publicly needle Apple’s security and privacy policies, which the iPhone maker has increasingly leaned on as a major marketing tool and a way to differentiate its products from Android.
The Project Zero post did not mention any attacks on Android, which is used by more people than Apple’s iOS. Security firm Volexity said earlier this week that Android malware is used in targeted attacks on Uighurs as well.