Apple’s long-awaited security device research program makes its debut
In order to make it easier for security researchers to find vulnerabilities in iPhones, Apple is launching an iPhone Research Device Program that will provide certain hackers with special devices to conduct security research, the company announced Wednesday.
Beyond enhancing security for iOS users and making it easier to unearth flaws in iPhones, the program also aims to improve the efficiency of ongoing security research on iOS, Apple said.
The launch comes several months after Apple first teased the security device program at the Black Hat conference in Las Vegas last year.
For a company normally reluctant to let security researchers dig into its code, Apple's move could mark a step forward in its willingness to work with the broader information security community to expose and root out vulnerabilities in Apple platforms. Security researchers in recent years found it so difficult to access the inner workings of iPhones that, in some cases, they began to seek out leaked development-fused iPhones or prototypes, which ship with fewer of the production security restrictions, to find and report flaws.
The debut of the program comes a little over a year after Vice News revealed the leaks.
The devices in the research program won't be like typical iPhones sold in Apple stores, Apple said. Instead, they will come with unique code execution and containment policies to better allow iPhone hackers to find vulnerabilities. The program's phones, which will be distributed to certain qualified hackers with a "proven track record" of finding security issues on Apple platforms or other operating systems, will also make shell access available. Participants may also choose the entitlements their code runs with, Apple said.
Apple will be sending the devices to qualified iPhone hackers soon, although not all qualified applicants will be able to receive devices in the first round of the program, which will last for one year. Applicants that don’t receive devices this time around will automatically be considered in the next round, Apple said.
The head of Google's Project Zero, Ben Hawkes, said on Twitter he was disappointed in Apple's rollout of the program because the terms appeared to block research teams, including his own, that follow a 90-day disclosure policy from participating. Hawkes said Project Zero will continue conducting research on Apple platforms nonetheless.
Last year, Apple also expanded its bug bounty program and raised its payouts, putting it in closer competition with exploit brokers like Zerodium.