In August 2019, Google rattled Apple. Researchers from Project Zero, the search giant’s high-profile security team, released details of a zero-day attack targeting iPhone users. Anyone with a device running iOS 10 through to iOS 12 (the latest version of Apple’s software at the time), and who visited one of a handful of websites created for the attack, could be affected.
The sites were created specifically to target Uighurs, a Muslim minority victimised by the Chinese government. The websites used a slew of iPhone vulnerabilities – 14 in total – to break through security systems, in an attempt to conduct surveillance on the Uighur population.
The attack was one of the worst seen against iPhone and iPad security. Google’s researchers called it a “sustained” hacking effort that had been undetected for over two years. Apple disputes the length of the attack and claims that thousands of people may have been hit by the hack – but has conceded that it was a sophisticated effort designed to break its systems. Apple fixed the vulnerabilities in February 2019, one month after Google had, privately, raised the alarm.
iPhones and iPads are among the safest devices that people can buy. Apple spends huge sums on protecting its products and frequently touts its security credentials. But this attack proved that it is not infallible. “Its hardware is the least likely to get broken into, but it is by no means secure,” says Dan Guido, CEO and co-founder of cybersecurity firm Trail of Bits.
Project Zero’s findings haven’t been the only high-profile vulnerability found in Apple’s code in recent months. The first iPhone jailbreak in years, called Checkm8 and made possible by Apple accidentally reintroducing buggy code it had previously removed from iOS, was revealed in September 2019. The jailbreak, which removes protections put in place by Apple, allows a device’s core code to be accessed and modified. And in January 2019, Apple disabled Group FaceTime calls after it discovered users could listen to the person they had called before they picked up the phone – ”a really embarrassing security flaw for an extremely public piece of software”, Guido says.
But while 2019’s iOS security flaws were embarrassing for Apple, the company is still miles in front of competitors (including Google) when it comes to privacy – and knows it. Apple attempts to use its data-minimisation principles as a competitive advantage over Android, spending millions on online advertising and installing billboards in cities to promote its campaign to collect as little identifiable user information as possible.
Apple is able to do this because its business doesn’t rely on advertising. “Apple doesn’t have that need to have access to data,” independent security researcher Robin Wood says. Google, on the other hand, is one of the world’s biggest advertising companies and can sell ads for greater sums if it knows more about users and their interests. “Because Apple doesn’t have to have the data, they can put the effort into not having it,” Wood says.
One such example is found in Apple Maps. Apple says it doesn’t collect detailed journey information: when you travel from home to work, for example, it breaks up the journey into small chunks. This way, it doesn’t hold a complete record of your route (from which it would be easy to identify you). It has also introduced a new technique it calls “fuzzing”: when you search for a destination on your phone, Apple will change the location information it stores to be less precise 24 hours later, meaning it can’t be used to identify where you have been.
“They definitely seem to be taking this as a marketing opportunity as a company, to push as a competitive advantage,” says Thomas Reed, director of Mac & Mobile at cybersecurity firm Malwarebytes.
One of Apple’s key strengths is the control it has over its platforms. The company has in effect built a closed ecosystem in which app developers are not able to collect excessive amounts of data from iPhone users. If developers abuse the system, they can be locked out: Facebook had a temporary ban in 2019 when it used a developer version of its app to conduct research on children.
But there are downsides to centralising its platform. “China is kind of a troubling case,” Reed says. It is one of the most important iPhone markets, and Apple has acquiesced to a lot of China’s demands. During sustained protests in Hong Kong in 2019, it pulled a mapping app from its App Store that police said had been used to target officers (a claim disputed by protesters). It has also removed privacy-protecting VPN apps at the request of the Chinese government, and moved users’ iCloud data to a local data centre, to comply with new laws. (Previously, data wasn’t necessarily stored in China.)
China’s stance on privacy and surveillance is something Apple will have to grapple with as the US-China trade war plays out. As Guido puts it: “Apple has all this control, but once you have control, other people can force you to use that control.”
Matt Burgess is WIRED’s deputy digital editor. He tweets from @mattburgess1
Coronavirus coverage from WIRED
📖 How coronavirus kills, one organ at a time
🏘️ Failing care homes are the real coronavirus scandal
🔒 The UK’s lockdown rules, explained
❓ The UK’s job retention furlough scheme, explained
💲 Can Universal Basic Income help fight coronavirus?
👉 Follow WIRED on Twitter, Instagram, Facebook and LinkedIn