by strcat 279 days ago
Neither Apple nor Google truly knows how widespread attacks on their products have been despite portraying it as if they have perfect insight into it. They're claiming to know something they cannot. GrapheneOS has published leaked data from exploit developers showing they're much more successful at exploiting devices and keeping up with updates than most people believe. We have access to more than what we've published, since we don't publish it without multiple independent sources to avoid leaks being identified. These tools are widely available, and it cannot be generally known when they're used whether it's data extraction or remote exploitation. Catching exploits in the wild is the exception to the rule, otherwise exploit development companies would have a much harder job needing to keep making new exploits after they're heavily used. They wouldn't value a single exploit chain nearly as much as they do if it stopped working after it was used 50k times. Law enforcement around the world has access to tools like Cellebrite Premium which are used against many people crossing borders, at protests, etc. That is usage at scale. There's far less insight into remote exploits which don't have to be distributed broadly to be broadly used.
2 comments

Apple and Google have access to similar or more information than you do, they just don't publish it for similar reasons.
> Apple and Google have access to similar or more information than you do, they just don't publish it for similar reasons.

If that's the case, then many of their public statements about this are extraordinarily dishonest. There are widespread exploits targeting Safari, Chrome, iOS and Android. These are not only rare attacks targeting people heavily sought out by governments, etc. They do not have nearly as much visibility into it as they make it seem.

Can you be more specific on what you consider "widespread" vs "rare"?
There are widely available tools for exploiting iPhones. These are available to low level law enforcement, border guards, etc. They're often abused. The same goes for remote exploits. Apple and Google have succeeded in making the exploits expensive, but not much success in stopping them for more than short periods of time. Perhaps they'll start having more success, but so far they haven't. Making the cost of developing the exploits more expensive does not change that the usage is widespread in many dozens of countries. The remote exploits are not only used in targeted attacks against a tiny subset of people. They're often broadly deployed on publicly accessible websites.
I don't think this constitutes as widespread at least in impact, but there have been times where malicious apps have made it on the App Store and been used to steal cryptocurrency.
I don't really agree with your framing.
I disagree with corporations' marketing misrepresenting their security capabilities to sell more devices and services. Apple and Google are much better at security than most tech companies but definitely nowhere near as successful as Apple's marketing portrays it.
I agree but I really have no idea how to fix this.
> tools like Cellebrite Premium which are used against many people crossing borders

I wonder when the first person will be turned away from a US border for having an iPhone Air that the CBP's phone extraction tool doesn't work on?