Google Project Zero vs Apple: Some of the biggest names in iPhone vulnerability research have announced that they will not take part in Apple's new Security Research Device (SRD) program because of the company's restrictive rules on vulnerability disclosure.
The list includes Project Zero (Google's elite bug-hunting team), Will Strafach (CEO of Guardian), ZecOps (a mobile security company that recently discovered a series of iOS attacks) and Axi0mX (iOS researcher and author of the Checkm8 iOS exploit).
What is the Apple SRD program?
The Security Research Device (SRD) program is unique among smartphone makers. Through the SRD program, Apple promised to make special iPhones available to security researchers.
These iPhones are modified to have fewer restrictions and to allow deeper access to the iOS operating system and the device hardware, so that security researchers can find bugs they would not normally find on standard iPhones, where the phone's default security features prevent security tools from "seeing" deeper into the device.
Apple officially announced the SRD program in December 2019, when it also expanded its bug bounty program to cover more of its operating systems and platforms.
Restrictive new rule
A page on the company's website contains the official rules of the SRD program, and according to complaints shared on social media, one specific rule angered most security researchers:
"If you report a vulnerability that affects Apple products, Apple will give you a release date (usually the date on which Apple will release the fix). Apple will work in good faith to resolve any vulnerabilities as soon as possible. You cannot discuss vulnerabilities with others before the publication date."
The new rule allows Apple to silence security researchers.
It gives Apple full control over the disclosure process by letting it set the publication date. Until that date, security researchers are not allowed to talk or post anything about the vulnerabilities in iOS and the iPhone that they discover through the SRD program.
Many security researchers now fear that Apple will abuse this rule and delay fixes significantly, since it will no longer have to fear a publication that reveals the vulnerability.
The first to notice this rule and understand its implications was Ben Hawkes, the head of the Google Project Zero team.
"It appears we will not be able to use Apple's 'SRD' due to vulnerability disclosure restrictions, which appear to have been specifically designed to exclude Project Zero and other researchers using the 90-day policy," Hawkes said on Twitter today.
Hawkes's tweet, of course, caught the attention of the infosec community.
On Twitter, security company ZecOps also announced that it would drop the SRD program and continue hacking iPhones the old-fashioned way.
ZecOps will not use the "dedicated research device" released by @Apple due to the program's restrictions and minimal benefits. We will continue to report bugs to Apple because it's the right thing to do.
Instead of releasing a dedicated research device we encourage Apple to…
- ZecOps (@ZecOps) July 22, 2020
Security researcher Axi0mX told ZDNet that he is considering not participating either.
"Apple requires researchers to wait indefinitely, at Apple's discretion, before they can disclose any bugs they found with the SRD. There is no deadline."
Alex Stamos, Facebook's former chief security officer, also criticized Apple's move, which is part of a broader set of decisions the company has taken in recent months against the cyber security and vulnerability research community.
Apple's security programs are not doing well
The fear that Apple may abuse the SRD rules to bury significant iOS bugs is shared by people already involved in Apple's security programs: Apple has been accused of exactly this practice in the past.
In a series of tweets posted in April, macOS and iOS developer Jeff Johnson attacked the company for not being serious about its security bounty program.
"I am thinking of leaving the Apple Security Bounty program," said Johnson. "I do not see any evidence that Apple is serious about the program. I have only heard of one payment, and the bug was not even Mac-specific. Also, Apple Product Security has ignored my last email for weeks.
Apple announced the program in August, did not open it until a few days before Christmas, and now has not paid a single security researcher I know. It's funny. I think their goal is just to keep researchers silent about the bugs for as long as possible," Johnson said.