Hacker-friendly iPhones: Apple offers special iPhones with privileged access to security researchers to discover new vulnerabilities and report back to the firm, but that won’t help Google teams that are busy discovering bugs in Apple devices.
The Security Research Device (SRD) is part of Apple’s latest security system and is intended for use in a managed security testing environment and is “provided on a 12-month renewable basis and remains the property of Apple”.
Currently, security researchers trying to find vulnerabilities on an iPhone need to jailbreak the devices, but this comes with many drawbacks, like older devices.
Hacker-friendly iPhones Apple said on Wednesday that the new device would make it easier for security researchers to use special iPhone equipment to identify vulnerabilities.
“They are not meant for personal use or daily carry and must remain on the premises of program participants at all times. Access to and use of SRDs must be limited to people authorized by Apple,” said the company.
However, the move won’t support Google’s Project Zero team that has found bugs in past Apple devices.
“It looks like we won’t be able to use the Apple ‘Security Research Device’ due to the vulnerability disclosure restrictions, which seem specifically designed to exclude Project Zero and other researchers who use a 90-day policy,” tweeted a “disappointed” Project Zero team lead Ben Hawkes.
“I think we first asked Apple for a security research test device in 2014 or early 2015. And since then we’ve reported over 350 security vulnerabilities to Apple”.
Nevertheless, Hawkes said they’ll continue to study Apple platforms and send all their results to Apple.
Apple said that security researchers have access to shells, so they will be able to run any software so pick entitlements.
“If you use the SRD to find, test, confirm, verify, or confirm a vulnerability, you must promptly report it to Apple and, if the bug is in third-party code, to the appropriate third party. If you didn’t use the SRD for any aspect of your work with a vulnerability, Apple strongly encourages (and rewards, through the Apple Security Bounty) that you report the vulnerability, but you are not required to do so”.
If you report a bug that affects Apple products, Apple will provide you with a publication date (usually the date that Apple releases the update to fix the problem).
Not all safety researchers are eligible, and Security Research System Program participation is subject to review, Apple said.
“Device availability is limited. Devices will not be available for all qualified applicants in the initial application period. Qualified applicants who do not receive a device during this period will automatically be considered during the next application period in 2021,” said Apple.
To qualify, one has to be an Apple Developer Program membership account holder, have a proven track record of success in identifying security problems on Apple platforms, or other modern operating systems and platforms.