Apple has begun notifying security researchers that they will start receiving iPhones as part of the company’s new Apple Security Research Device Program.
Back in July, Apple announced that it was making a special type of iPhone consumers wouldn’t be able to buy. Instead, this hacker-friendly iDevice would be sent exclusively to security researchers. This week, that new iPhone started shipping.
As you’d expect, the iPhones consumers receive include a locked-down version of iOS so as to make it very difficult for malicious software and hackers to take control of your device. However, security researchers have to work with the same version, making it that much more difficult to analyze and discover security holes in the mobile OS. Apple realized this and decided to offer a hacker-friendly iPhone to the research community.
Apple says the program is designed to help improve security for all iOS users, bring more researchers to iPhone, and improve efficiency for those who already work on iOS security. The Apple Security Research Device Program features a smartphone dedicated exclusively to security research, with unique code execution and containment policies. The Security Research Device (SRD) is intended for use in a controlled setting for security research only.
In the past, security researchers would commonly jailbreak iPhones in order to perform research. The iPhones in the program will not require this and will still enable them to help discover potential vulnerabilities. MacRumors explains:
The iPhones Apple will provide are less locked down than consumer devices, which will make it easier for researchers to locate serious security vulnerabilities. These devices are as close as possible to production phones with the latest version of iOS and modern hardware. Researchers will not need to jailbreak the phones to do research, which will enable them to investigate platform security features, and they can run whatever tools they want to test the OS.
Security researchers who discover vulnerabilities can submit them as part of Apple’s bug bounty program and potentially receive payouts of up to $1.5 million depending on the severity and scale of the issue they discover.
SRDs are provided on a 12-month renewable basis and remain the property of Apple. The company notes that they’re not meant for personal use or daily carry, and must remain on the premises of program participants at all times. Access to and use of SRDs must be limited to people authorized by Apple.
Those interested in participating in the SRD program must be account holders in the Apple Developer Program and have a proven track record of success in finding security issues on Apple platforms, or other modern OSes and platforms. You’ll also need to be at least 18 years of age, and you must not be a current Apple employee or have worked for the company in the last 12 months.