Apple makes its mobile operating system iOS accessible to security researchers. The company is responding to criticism that the restrictions it imposes on the OS to protect its users can also work to their disadvantage: they lock out independent security researchers and prevent them from finding vulnerabilities that attackers could exploit.
For this purpose, the iPhone manufacturer now offers the Apple Security Research Device Program. “As part of Apple’s commitment to security, this program is designed to help improve security for all iOS users, bring more researchers to iPhone, and improve efficiency for those who are already working on iOS security. It includes an iPhone dedicated to security research and with unique code execution and containment policies,” says Apple’s developer website.
A security research device is a standard iPhone that provides shell access and lets researchers run whatever tools they choose. At the same time, the device is supposed to behave like an ordinary iPhone so that it remains a representative research target.
The devices remain the property of Apple and are provided for a period of 12 months, which can be extended. Apple expressly prohibits everyday use: the devices must not leave the premises of the program participants. In addition, each participant must restrict access to people authorized by Apple.
Apple also requires all participants to report to Apple any security vulnerabilities they find or investigate. This also applies to vulnerabilities discovered by other researchers that participants merely confirm. Vulnerabilities may only be made public on a date specified by Apple. In return, Apple agrees to fix all bugs as quickly as possible, and all vulnerabilities found qualify for a reward under Apple’s Security Bounty Program.
Interested parties must apply to participate in the program. According to Apple, there may not be enough devices for everyone, but Apple plans to offer another sign-up round next year. Apple also restricts participation to researchers from 23 countries, including Germany.
Some security researchers, including Google’s Project Zero, have already announced that they will not participate in the program. Among other things, they refuse to accept the requirement that Apple decides when a vulnerability is disclosed. Project Zero’s Ben Hawkes even suspects that this rule is specifically meant to exclude researchers who have committed to disclosing security vulnerabilities within 90 days.
“Deadlines for disclosure are a standard practice in the industry. They are necessary,” said security researcher Axi0mX in an interview with ZDNet USA. “Apple requires researchers to wait indefinitely before they can disclose any bugs found with the Security Research Device Program, at its discretion. There is no time limit. This is a poison pill.”
Apple’s reputation in the security community is not very good. One accusation is that Apple allegedly uses its Security Bounty Program only to silence researchers. In April, security researcher Jeff Johnson criticized on Twitter that, as far as he knew, the company had not paid out a single reward under the program that launched in December. “This is a joke. I think it’s just a matter of silencing researchers about bugs for as long as possible.”
Disclosure of vulnerabilities after a fixed period is controversial. Its main purpose is to increase the pressure on vendors to provide a patch promptly. After all, cybercriminals could stumble upon the same bug at any time and turn a flaw already known to the vendor into a zero-day vulnerability. Opponents of a rigid deadline argue, however, that not every security vulnerability can be fixed in time and that disclosure then comes primarily at the expense of users.