Apple Opens IPhone To Security Researchers
Written by Kay Ewbank   
Thursday, 15 August 2019

Apple is increasing its support for security researchers with special iPhones offering deeper access, and an increase in the upper limit paid to bug finders.

The announcements were made at this year's Black Hat cybersecurity conference in Las Vegas by Ivan Krstic, Apple's head of security.

appledev

The first part of the announcement applies to the special iPhones, which offer access to ssh, root shell, and what was described as ‘advanced debug capabilities.’ The new phones will be offered as part of what Krstic described as Apple's new iOS Security Research Device Program, which will roll out next year. While anyone can apply for one of the phones, they'll be on a strictly limited basis for qualified researchers. Krstic said that:

“This is an unprecedented fully Apple supported iOS security research platform.”

Alongside the new program, Krstic also announced details of increases to the amounts Apple will pay to researchers who find bugs. The bounty program is now open to anyone; until now, you had to be invited to take part. It will also be open to security vulnerabilities found in all Apple platforms, including not just iOS but macOS, tvOS, and watchOS. The amount offered has also been increased from the current limit of $200,000 up to a maximum $1 million.

Apple has been criticized by security researchers for not paying for vulnerabilities found in its operating systems other than iOS. Back in February, a freelance security researcher found a weakness in MacOS that he showed could be exploited by malware to gain access to passwords, private keys, and tokens from the user's  keychain. The researcher, Linus Henze, refused to submit the details to Apple as the company at that point wasn't paying anything for MacOS flaws.

From now on, Apple will pay no matter which operating system is compromised, with the increased limits rising from $100,000 for a successful physical access attack that manages to bypass an iPhone's lock screen or unauthorized access to a user's iCloud account, to $1 million for a zero-click, full chain kernel code execution attack with persistence, such as a hacker managing to gain complete control of an iPhone without the user doing anything.

Apple also promised that anyone finding and reporting a vulnerability in pre-release software before general release will get up to 50 percent more than the normal bounty for that category of vulnerability.

appledev

.

More Information

Black Hat Conference 2019

Related Articles

Microsoft Partners With HackerOne On Bug Bounty

GitHub Bounty Program Increases Rewards

Bug Bounty Bonanza

The End Of The App Store Era - Apple To Face Lawsuit

Pwn2Own 2016 - The Results 

Apple's New Phones - The Programmer's Take

 

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on, Twitter, Facebook or Linkedin.

Banner


$100,000 On Offer To Invent Block Chain Algorithm
03/08/2019

The challenge is specified as a calculation that you have to implement. It is easy to understand and, if it can be done in a reasonable time, it will make blockchains much more efficient.



C++ 20 Feature List Finalized
02/08/2019

The ISO C++ Committee has decided what features will be included in the next C++ standard, with many improvements and new features including modules, concepts and coroutines. C++ 20 is due to be publi [ ... ]


More News

appC

 



 

Comments




or email your comment to: comments@i-programmer.info