Hatice Cengiz, the fiancee of slain Washington Post contributing columnist Jamal Khashoggi, said she used an iPhone because she thought it would offer robust protection against hackers.
“Why did they say the iPhone is more safe?” Cengiz said in a June interview in Turkey, where she lives. Her iPhone was among the 23 found to have forensic evidence of successful Pegasus intrusion. The infiltration happened in the days after Khashoggi was killed in October 2018, the examination of her phone found.
One reason that iMessage has become a vector for attack, security researchers say, is that the app has gradually added features, which inevitably creates more potential vulnerabilities.
“They can’t make iMessage safe,” said Matthew Green, a security and cryptology professor at Johns Hopkins University. “I’m not saying it can’t be fixed, but it’s pretty bad.”
One former Apple employee, who spoke on the condition of anonymity because Apple requires its employees to sign agreements prohibiting them from commenting on nearly all aspects of the company, even after they leave, said it was difficult to communicate with security researchers who reported bugs in Apple products because the company’s marketing department got in the way.
“Marketing could veto everything,” the person said. “We had a whole bunch of canned replies we would use over and over again. It was incredibly annoying and slowed everything down.”
Apple also restricts the access outside researchers have to iOS, the mobile operating system used by iPhones and iPads, in a way that makes investigation of the code more difficult and limits the ability of consumers to discover when they’ve been hacked, researchers say.
Former Apple employees recounted several instances in which bugs that were not believed to be serious were exploited against customers between the time they were reported to Apple and when they were patched.