Google Project Zero vs Apple: Some of the biggest names in iPhone vulnerability research have announced that they will not take part in Apple's new Security Research Device (SRD) program because of the company's restrictive rules on how a vulnerability may be disclosed.
The list includes Project Zero (Google's elite bug-hunting team), Will Strafach (CEO of Guardian), ZecOps (a mobile security company that recently discovered a series of iOS attacks) and Axi0mX (iOS researcher and author of the Checkm8 iOS exploit).
What is the Apple SRD program
The Security Research Device (SRD) program is unique among smartphone makers. Through the SRD program, Apple promised to provide its own specially prepared iPhones to security researchers.
These iPhones have been modified to have fewer restrictions and to allow deeper access to the iOS operating system and the device hardware, so that security researchers can find bugs they would not normally be able to find on standard iPhones, where the phone's default security features prevent security tools from "seeing" deeper into the phone.
Apple officially announced the SRD program in December 2019, when it also expanded its bug bounty program to cover more of its operating systems and platforms.
Restrictive new rule
The official rules of the SRD program are published on Apple's website. According to complaints shared on various social media, one specific rule angered most security researchers:
"If you report a vulnerability that affects Apple products, Apple will give you a publication date (usually the date on which Apple will release the update to resolve the issue). Apple will work in good faith to resolve any vulnerabilities as soon as possible. You cannot discuss vulnerabilities with others before the publication date."
The new rule allows Apple to silence security researchers.
It gives Apple full control over the vulnerability disclosure process, since Apple alone sets the publication date. Until that date, security researchers are not allowed to say or post anything about the vulnerabilities they discover in iOS and the iPhone through the SRD program.
Many security researchers now fear that Apple will abuse this rule and delay fixes significantly, since it would no longer have to fear a publication that reveals the vulnerability.
The first to notice this rule and understand its effects was Ben Hawkes, team lead of Google Project Zero.
"It seems we will not be able to use Apple's 'SRD' due to the vulnerability disclosure restrictions, which appear to have been specifically designed to exclude Project Zero and other researchers using the 90-day policy," Hawkes wrote on Twitter today.
Hawkes's tweet of course caught the attention of the infosec community.
On Twitter, security company ZecOps also announced that it would drop the SRD program and continue hacking iPhones the old-fashioned way.
ZecOps will not use the "dedicated research device" released by @Apple due to the program's restrictions and minimal benefits. We will continue to report bugs to Apple because it's the right thing to do.
Instead of releasing a dedicated research device we encourage Apple to…
- ZecOps (@ZecOps) July 22, 2020
Security researcher Axi0mX told ZDNet that he is considering not participating either.
Alex Stamos, former Chief Security Officer of Facebook, also criticized Apple's move, which is part of a broader set of decisions the company has made in recent months against the cyber security and vulnerability research community.
Apple's security programs are a mess
The fear that Apple may abuse the SRD rules to bury significant iOS bugs is well founded for those who already take part in Apple's security programs: Apple has been accused of exactly the same practice in the past.
In a series of tweets posted in April, macOS and iOS developer Jeff Johnson attacked the company for not being serious enough about security.
"I am thinking of leaving the Apple Security Bounty program," Johnson stated. "I do not see any evidence that Apple is serious about the program. I have only heard of one payment, and the bug was not even Mac-specific. Also, Apple Product Security ignored my last email for weeks.
Apple announced the program in August, did not open it until a few days before Christmas, and has still not paid a single security researcher I know. It's funny. I think their goal is just to keep researchers silent about the bugs for as long as possible," Johnson said.