Last week, we reported on how Google’s Project Zero team had uncovered a flaw affecting iPhones, which meant that specific websites could siphon off your personal data if you visited one of the malicious sites.
According to the reports, the websites were capable of installing a monitoring implant onto a victim’s device. This implant had access to ‘Keychain’, a feature of iOS (the iPhone / iPad Operating System) that manages passwords and stored credit card information. As a result, the researchers at Project Zero highlighted how the attackers could have access to authentication tokens from your device, meaning that they could access your accounts even after the implant disappeared from your device following a reboot.
But Apple has now hit back at Google, suggesting that their report into the security flaw was ‘inaccurate and misleading’.
“All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly (…) Treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them.”
Ian Beer, Project Zero
On Friday of last week, Apple fired back at Google, suggesting that they had exaggerated the scale of the attack. A spokesperson for Apple, Fred Sainz, said that Google’s research generated false impressions of the scale of the problem and the number of affected users. He went on to say that the problem was ‘narrowly focused’ and impacted ‘fewer than a dozen websites that focus on content related to the Uighur community, an ethnic minority in China’.
“Google’s post, issued six months after iOS patches were released, creates the false impression of ‘mass exploitation’ to ‘monitor the private activities of entire populations in real time,’ stoking fear among all iPhone users that their devices had been compromised (…) This was never the case. Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not ‘two years’ as Google implies.”
Apple responds
How to manage Keychain
You may not have heard of Keychain before, but the chances are that you may have used it without realising. If you’ve ever visited a website and had your iPhone suggest auto-filling a form with your name, address, email address or even your card details, then you’ve seen Keychain in action. But locating and managing it within the Settings application isn’t always so obvious, as it’s not listed under its name.
To see what information is being stored about you by your iPhone, as well as managing Keychain settings, you’ll want to launch your Settings application and then scroll down to the option for Passwords & Accounts.
Here, you’ll be able to view all of your stored usernames and passwords for every website that you use. It’s also a useful way of reminding yourself of a password you might have forgotten, but you’ll need to input your phone’s PIN or biometric security (FaceID or fingerprint) in order to access the list of saved logins. You can also toggle off AutoFill Passwords if you want your iPhone to stop automatically suggesting your login data whenever you visit a website that you have an account with.
The safest way to keep yourself protected against newly-discovered vulnerabilities on iOS devices is to keep your phones and tablets fully up-to-date with the latest patches to your operating system. However, bear in mind that your devices won’t always download these automatically; you will often need to trigger the update yourself whilst connected to Wi-Fi and a charging cable.
If you need help checking whether your devices are running on the latest iOS, then get in touch with Which? Trusted Trader WiseGuys on 0808 123 2820. We can provide you with security advice, as well as helping you to understand everything your iPhone or iPad can do.