Apple announced in the last week of July that it will begin shipping out specially configured Security Research Device iPhones to researchers so that they can probe for vulnerabilities without interference from standard iPhone security walls.
Apple first announced plans at last year’s Black Hat security conference to release modified iPhones to make it simpler for researchers to probe for vulnerabilities.
It’s ultimately a big win.
Patrick Wardle, Jamf
Security specialists currently have to rely on jailbreaks or third-party emulators to study security issues, but those approaches have limitations. According to Apple, results obtained on jailbroken phones are not reliable because of the inherent differences between a legitimate device and a hacked one. Also, Apple notes, most jailbreaks work only on older phones and older iOS versions.
With the July 22 launch of Apple’s SRD program, security researchers will be able to hunt for bugs much deeper within iOS. Apple said that the iPhones, which will be dedicated exclusively to such work and are known as Security Research Devices, will come “with unique code execution and containment policies.” What this means, for example, is that the file system will be accessible for inspection, rather than researchers being limited to crash log snapshots or to jailbroken devices. The latter approach is far from perfect: jailbreak vulnerabilities are generally patched quickly, and findings made on a jailbroken device are more easily dismissed by Apple as flawed.
The SRDs are only being distributed to researchers enrolled in the program, and acceptance is subject to review by Apple. You need to already be a member of the Apple Developer Program and able to show a track record of discovering security issues, and you must not be employed by Apple currently or have been within the last 12 months. There are also restrictions on the country you are based in and even on age, so those under 18 are unlikely to be accepted. Oh, and spaces are limited, with the next application period not opening until sometime in 2021.
The program will work alongside Apple’s bug bounty program, which was expanded to all researchers last year. Researchers uncovering vulnerabilities can earn up to $1 million from Apple plus bonuses of up to 50 percent depending on the potential severity of the problems they find.
Restrictions will be placed on program participants. The phones cannot be used for personal calls. Vulnerabilities uncovered by researchers cannot be revealed to the public until Apple gives permission, presumably after patches are designed.
Wait! This doesn’t end here. Senior Forbes security contributor Davey Winder has covered the other side of the story in a piece titled ‘Apple Just Made It Easier To Hack An iPhone—Here’s Why That’s Mostly A Good Thing’. Anyway, Happy Hacking!