- Apple today launched its Security Research Device Program, which provides jailbroken iPhones to security researchers.
- The dedicated iPhones provide researchers with unique access to typically restricted parts of iOS.
- Apple has historically avoided working with security researchers, having only started paying bug bounties in 2016.
Apple today officially launched its Apple Security Research Device Program. The program, as the name somewhat implies, is designed to make it easier for researchers to unearth bugs and discover overarching security vulnerabilities in iOS. As part of the initiative, Apple notes that it will provide security researchers with specialized iPhones dedicated to security research “with unique code execution and containment policies.”
Apple first announced its plan to implement the program last year. At the time, Apple said it would provide the specialized iPhones to a carefully curated list of hackers and security researchers. A report from a few months ago said that the devices will not grant hackers access to decrypted iPhone firmware but that they will be nearly as capable as what Apple’s own engineers use.
Forbes last year observed:
What makes these iPhones special? One source with knowledge of the Apple announcement said they would essentially be “dev devices.” Think of them as iPhones that allow the user to do a lot more than they could on a traditionally locked-down iPhone. For instance, it should be possible to probe pieces of the Apple operating system that aren’t easily accessible on a commercial iPhone. In particular, the special devices could allow hackers to stop the processor and inspect memory for vulnerabilities. This would allow them to see what happens at the code level when they attempt an attack on iOS code.
Apple’s security page, which details the program, reads in part:
The Security Research Device (SRD) is intended for use in a controlled setting for security research only. Shell access is available, and you’ll be able to run any tools and choose your entitlements. Otherwise, the SRD behaves as closely to a standard iPhone as possible in order to be a representative research target.
SRDs are provided on a 12-month renewable basis and remain the property of Apple. They are not meant for personal use or daily carry, and must remain on the premises of program participants at all times. Access to and use of SRDs must be limited to people authorized by Apple.
Apple also notes that security researchers can apply to be part of the program if they haven’t yet been contacted by Apple directly. Apple says device availability is limited. The program requirements include a membership in Apple’s developer program and a “proven track record of success in finding security issues on Apple platforms, or other modern operating systems and platforms.”
Interested security researchers can apply via Apple’s developer page.