Apple will supply hacker-friendly iPhones to security researchers with a track record of uncovering vulnerabilities in Apple software as part of its newly announced Apple Security Research Device Program.
Experts will use the phones to search for serious bugs in iOS. Qualifying researchers can apply here to receive one.
The new devices are designed to address a double-edged sword in iPhone security. Apple keeps strict control over iOS and over how apps can be installed, which helps prevent malware from infiltrating its software ecosystem. However, the same closed-off ecosystem makes it hard for security researchers to analyze iOS for vulnerabilities.
Those same vulnerabilities can be hugely valuable to state-sponsored cyberspies. Some companies that sell hacking tools to governments will even pay up to $2.5 million to own details about the most serious iOS security flaws.
In response, Apple last year announced it would eventually begin offering the best security researchers in the world access to hacker-friendly iPhones. These devices come with shell access, enabling the owner to execute any computer code they’d like. The code can also be run with varying degrees of security permissions.
Apple plans on loaning out the phones on a 12-month renewable basis. “They are not meant for personal use or daily carry, and must remain on the premises of program participants at all times,” the company said. “Access to and use of SRDs (Security Research Devices) must be limited to people authorized by Apple.”
If the owner does find a vulnerability in iOS, they must promptly report it to Apple. The company says it’ll then fix the vulnerability “as soon as practical,” without mentioning a specific timeline. But until the patch is released, the security researcher has to remain quiet about the bug.
Not everyone is happy about this requirement. The team at Google’s Project Zero, which is focused on finding previously unknown vulnerabilities, points out that it typically demands that a vendor fix a vulnerability within 90 days; otherwise, it releases details about the threat to warn the public.
“It looks like we won’t be able to use the Apple ‘Security Research Device’ due to the vulnerability disclosure restrictions, which seem specifically designed to exclude Project Zero and other researchers who use a 90 day policy,” tweeted Ben Hawkes, who heads up the Google-sponsored group.
Project Zero will continue examining Apple’s software platform for security vulnerabilities. Even without the hacker-friendly iPhones, the group has uncovered numerous flaws in the company’s software, Hawkes said. “I think we first asked Apple for a security research test device in 2014 or early 2015. And since then we’ve reported over 350 security vulnerabilities to Apple,” he added.
According to TechCrunch, security researchers who find bugs using the devices will be able to receive rewards via Apple’s bug bounty program. Depending on the vulnerability’s severity, a researcher can earn up to $1 million.
For now, Apple’s Security Research Device Program will only be available to researchers in 23 countries including the US. China and Russia are both absent from the list.