Apple announced this week that it will begin shipping out specially configured Security Research Device iPhones to researchers so that they can probe for vulnerabilities without interference from standard iPhone security walls.
This marks the first time Apple has released such research models, which grant specialists virtually unlimited operating-system permissions to run their own programs, custom commands and code. The iPhones will come with debugging tools and allow root shell access.
Apple first announced plans at last year's Black Hat security conference to release modified iPhones to make it simpler for researchers to probe for vulnerabilities.
Security specialists currently have to rely on jailbreaks or third-party emulators to study security issues, but those approaches have limitations. According to Apple, results achieved on jailbroken phones are not reliable because of the inherent differences between a legitimate model and a hacked one. Also, Apple notes, most jailbreaks work only on older phones and older iOS versions.
At least in part in recognition of those obstacles, Apple is taking this step to work more closely with researchers.
"Security researchers have already proved to be rather successful at uncovering flaws in both iOS proper and security and privacy issues in third-party apps," Patrick Wardle, an Apple security researcher at the enterprise management firm Jamf, told Wired magazine. "Armed with these new devices, they are likely only going to find more. Being able to audit and analyze third-party apps more easily on modern devices running the latest version of iOS would be lovely. It's ultimately a big win for Apple's users and Apple itself."
Apple is accepting applications for the new program from researchers with established records of security research. Applicants must be account holders in the Apple Developer Program. The phones will be loaned to researchers and renewals must be made yearly.
The program will work alongside Apple's bug bounty program, which was expanded to all researchers last year. Researchers uncovering vulnerabilities can earn up to $1 million from Apple plus bonuses of up to 50 percent depending on the potential severity of the problems they find.
Restrictions will be placed on program participants. The phones cannot be used for personal calls. Vulnerabilities uncovered by researchers cannot be revealed to the public until Apple gives permission, presumably after patches are designed.
Some security groups are concerned about the secrecy provisions. One expert explained his concern that a significant flaw could remain uncorrected while being kept from the public. Will Strafach, CEO of mobile security company Guardian and an iOS security researcher, said he favors public disclosure of security problems as a means of pressuring sometimes recalcitrant companies into acting. Because of Apple's restrictions on disclosure, he said his company would not apply for the program.
And Ben Hawkes of Google's security research team Project Zero said his group, too, will decline participation for the same reasons. "We'll continue to research Apple platforms and provide Apple with all of our findings, because we think that's the right thing to do for user security. But I'll confess, I'm pretty disappointed," he said.
Originally published by Peter Grad | July 23, 2020