Apple introduced a new type of iPhone on Wednesday, but not everyone can get a grip on it. The new modified iPhones have been specially optimized for security researchers as part of the technology giant's new Security Research Device program.
At last year's Black Hat Cyber Security Conference, Apple first announced plans to provide modified iPhones for security researchers. It started the program on Wednesday and said that it would accept applications immediately and that researchers who apply should expect to get their devices very soon.
The iPhones will be the latest models available, but they come with a special hardware fusion that supports programs used by security researchers. You couldn't do the same tests on a store-bought iPhone if the gadget hadn't broken.
Apple has different hardware for different levels of its iPhones, e.g. B. Hardware fusion, with which Apple's own developers can test software internally. These advanced iPhones are much sought after due to this access to the security research market, but are difficult to find.
The Security Research Device program offers a middle ground, as researchers can now get iPhones with privileged access directly from Apple. Compared to a normal iPhone, where you only use software from the App Store, researchers can run security test software with these devices immediately.
Typically, security researchers looking for vulnerabilities on an iPhone first have to break out of the App Store's limitations. This can be a challenging obstacle if you're not an iOS security expert. In some cases, researchers have also jailbroken iPhones, but that's also limited because jailbreaks often run on older versions of iOS with vulnerabilities that were fixed in later versions.
Apple started this program to help security researchers get started on vulnerabilities with their iPhones.
The phones are made available annually, so researchers have to renew at Apple every 12 months. According to the company, they are not intended for personal use. There is a limited supply of iPhones that focus on security research, but Apple said it will stay in touch with researchers to get feedback on how to expand the program.
Participants will also be part of a dedicated forum to talk to Apple security engineers about discoveries made with the program, the company said.
To be eligible, you must be part of the Apple Developer program and have been shown to have security issues with Apple's devices.
The program is also subject to restrictions. Vulnerabilities discovered on the platform must be reported to Apple and can only be discussed with the public after a date set by the company, ideally when Apple corrects the error.
This limitation is worrying if the bug is never fixed, said Will Strafach, CEO of Guardian mobile security company and iOS security researcher. He said he would not apply for the program because of this limitation.
Strafach said he found in his work that public security vulnerability disclosure often puts companies under pressure to fix issues that would otherwise never have been resolved.
"It's a good first step, I doubt that this is very easy to do," Strafach said. "But there should be a lot more. The two big things that I really need are greater availability with less usage restrictions and an approach to the merged developer iPhones that are making their way around the gray market . " ""
Ben Hawkes, team leader of Google security research team Project Zero, said in a tweet that the restrictions also prevent them from participating in the Apple program. Project Zero had spotted major Vulnerabilities for iOS targeting Muslims in China last September.
"We will continue to search for Apple platforms and will share all of our insights with Apple because we believe this is the right thing for user security. But I admit I'm pretty disappointed," Hawkes said on Twitter.
ZecOps, another cybersecurity company that discovered iOS vulnerabilities with Apple Mail in April, also said it would not participate in the program due to the restrictions.
ZecOps will not use the "dedicated research device" released by @Apple due to the limitations and minimal benefits of the program. We will continue to report bugs to Apple as this is the right thing to do.
Instead of launching a special research device, we encourage Apple to ...
- ZecOps (@ZecOps), July 22, 2020
