First up, Google's Project Zero security team said that they'd found a "small collection of hacked websites" that were used to hack iPhones over a period of "at least two years". Google said that simply visiting one of these sites was enough for the exploit server to attack your device and install a monitoring implant.
Google's security researchers say that they found 14 vulnerabilities across five exploit chains, including seven for the iPhone's Safari web browser, five for the kernel, and two separate sandbox escapes. These exploits are said to have targeted iOS 10 through iOS 12.
Google says that it told Apple about the vulnerabilities on February 1, 2019. Apple patched the vulnerabilities days later in its iOS 12.1.4 update.
Fast-forward to today and Apple has taken issue with some of what Google said. "Google’s post, issued six months after iOS patches were released, creates the false impression of 'mass exploitation' to 'monitor the private activities of entire populations in real time,' stoking fear among all iPhone users that their devices had been compromised," Apple says. "This was never the case."
Apple goes on to say that the attack affected fewer than 12 websites, which were focused on the Uighur community. It adds that these website attacks were only operating for about two months, not two years as Google claims.
"Security is a never-ending journey and our customers can be confident we are working for them. iOS security is unmatched because we take end-to-end responsibility for the security of our hardware and software," Apple says in its message. "Our product security teams around the world are constantly iterating to introduce new protections and patch vulnerabilities as soon as they’re found. We will never stop our tireless work to keep our users safe."