Sep 8th, 2019 - Category: Apple
The relationship between Google and Apple has been a rocky one over the years. iPhones vs. Android, Apple Maps vs. Google Maps, Google Chromebooks replacing iPads in schools, and much more. Yet they also have a symbiotic relationship: Apple uses Google Cloud to power some iCloud services, Apple’s iOS design “inspires” Google’s Android phones, Google pays Apple $9 billion a year to be the default search engine, Apple Music on Android, iPhone users using Google services like Gmail, Calendar, Photos, etc.
Despite their competition, the two companies don’t usually openly attack each other. Yes, Apple criticized Google and Amazon at CES earlier this year with a massive banner on the side of a building that read “What happens on your iPhone stays on your iPhone” and a link to Apple’s Privacy Statement. Yes, Apple slapped Google for privacy violations when “Google also monitored iPhone usage with a private app,” but these were clear cases of either bringing attention to Google privacy issues or punishing Google for violating iPhone privacy rules. (By the way, if you remember it was much worse for Facebook when Facebook pulled a stunt like this earlier in 2019.)
However last week out of the blue, Google’s “Project Zero” team attacked Apple by publishing a 100+ page blog post called “A very deep dive into iOS Exploit chains found in the wild.” Project Zero is the security research group at Google whose “mission is to make 0-day hard.” Zero day (0-day) exploits are software vulnerabilities that make it possible for a hacker to access a system, like an iPhone, immediately before a fix is available. This is EXTREMELY rare for iPhones. As a result the tech news media went crazy starting with the Motherboard article, “Google Says Malicious Websites Have Been Quietly Hacking iPhones for Years.” Ouch! Less than 12 hours later The Verge published “Google reveals major iPhone security flaws that let websites hack phones.” Later that same day, ArsTechnica published “Armed with iOS 0days, hackers indiscriminately infected iPhones for two years.”
Even as the tone of the headlines spiraled downward, gaps in Google’s story began to emerge. None of these articles mentioned which websites were used to “hack iPhones” and none gave any examples of people affected by “indiscriminately infected iPhones.” Even the original Google blog post, while packed with technical details, was quiet on the subject. Was the whole attack a sham created by Google? No, research into the Project Zero team showed that they are widely respected for their in-depth research that improves security across the digital world. So while it didn’t seem like fake news, the timing was definitely suspicious.
At this point, it’s important to keep in mind that this happened on September 1st and Apple is scheduled to release new iPhones on September 10th so Google’s timing was perfect to maximize the negative impact on Apple’s biggest product announcements of the year. Also ArsTechnica reported that “The Google researchers reported those flaws to Apple on February 1, with a seven-day deadline for Apple to fix before Google publicly disclosed them. Apple responded with an unscheduled update six days later.” This “breaking news” story actually began SEVEN MONTHS AGO and ended with Apple releasing a fix immediately. Finally, and most importantly, Google never explained that the “attack affected fewer than a dozen websites that focus on content related to the Uighur community,” a statement came from The Verge article six days later, “Apple accuses Google of ‘stoking fear’ over iPhone security issues.”
Looking at the big picture, the misleading headlines and dire reporting about “major iPhone security flaws” masked the actual small scope and minimal impact of the vulnerabilities. So with new information coming to light every day, round two started. Six days later, Apple sent out a well balanced, impeccably written five paragraph press release that is definitely worth reading, “A message about iOS security.” As a result The Verge published “Apple accuses Google of ‘stoking fear’ over iPhone security issues” and the ArsTechnica published “Apple takes flak for disputing iOS security bombshell dropped by Google.”
Now that the furor has died down a bit, it’s worth noting that even the large, respected tech news sites gave into the temptation of sensationalistic headlining. Apple is obviously not perfect and iOS is a massive piece of software that certainly still has undiscovered “vulnerabilities” but Google scaring millions of iPhone users into thinking they might have been hacked is unacceptable behavior. This type of reporting used to be known as “spin doctoring” where truth is the basis for a misleading “spin” on a subject. The Verge even published a follow-up article “The stakes are too high for Apple to spin the iPhone exploits” with yet another “spin on the spin.”
At the end of the day, Google is well known for the insecurity of Android and while “cutting off the head” of their biggest competitor to make themselves look better is effective, it definitely shows a darker side of Google’s corporate personality.