Bengaluru, NFAPost: As part of further strengthening its security features, Apple has decided to supply special hardware to security researchers outside the company.
Apple announced the new programme, under which it will give special research iPhones to security researchers so they can find bugs and help the company improve its security standards.
According to sources familiar with the development, these research iPhones will come with specific, custom-built iOS software with features that ordinary iPhones don’t have. Researchers will have shell access and will be able to run any tools and choose their entitlements.
The Security Research Device (SRD) phones are to be used in a controlled setting only, and feature unprecedented access that normal iPhones don’t typically have, such as root shell access and the ability to run custom commands.
Apple said the devices are not designed for personal use and must remain on the researchers’ premises at all times. In other words, they are not meant to be carried out into the world.
Apple sources said that if researchers find a vulnerability using the SRD, they must report it to Apple, or to the appropriate third party if it is in third-party code. Apple will then attempt to resolve the issue and provide a “publication date” on which the findings may be disclosed. Until then, researchers cannot share their findings with others. Program participants will have access to extensive documentation and a dedicated forum with Apple engineers.
Device availability is limited, and researchers need to apply to join the program. They must be an Account Holder in the Apple Developer Program, have a proven track record of finding security issues, and be based in an eligible country or region.
Besides the custom-built iOS software with features that ordinary iPhones don’t have, these research iPhones will come with SSH access, a root shell for running custom commands with the highest level of access to the software, and debugging tools that make it easier for security researchers to run their code and better understand what is going on under the surface.
Apple Bounty Programme
The SRD program will run concurrently with Apple’s bug bounty program, which was opened up to all researchers last year. Participants can file security bug reports and potentially earn up to $1 million in rewards. Some well-known hackers had been publishing their bug findings online without first alerting Apple (a practice hackers call a “zero-day” disclosure, as it gives the company no time to patch) out of frustration with Apple’s once-restrictive bug bounty terms.
Under its bounty program, Apple asks hackers to privately submit bugs and security issues for its engineers to fix, to help harden its iPhones against nation-state attacks and other cyber criminals. In return, hackers are paid on a sliding scale based on the severity of the vulnerability they report.