Apple has started distributing special iPhones for security researchers who have been talking about for about a year: they are roughly iPhones with "factory jailbreak", which allow bug hunters to install apps from sources outside the App Store. . This step is often critical for hackers, who develop self-monitoring, diagnostics and analysis tools that are essential for identifying or verifying vulnerabilities.
Until now, the bug researchers in Melafonini have had to resort to traditional jailbreak systems, which however tend not to be available for the latest version of the operating system. The researcher could therefore waste time investigating an already closed vulnerability with subsequent updates. The alternative was to be able to get our hands on the prototypes for internal use of Apple developers, who reach very high figures in online auctions precisely because of the enormous access privileges they enjoy.
The iPhones presented yesterday are a bit of a middle ground between normal and internal ones. They are available in limited quantities, and of course you can't just go into a store and buy them – you have to apply directly to Apple, you have to be part of the Apple developer program and already have a reputation in the sector aimed specifically at iOS. Apple says that the distributed iPhones are the latest generation, which cannot be used for personal purposes and that they will be replaced automatically every 12 months.
ZecOps will not use the "dedicated research device" released by @Apple due to the program's restrictions and minimal benefits. We will continue to report bugs to Apple because it's the right thing to do.
Instead of releasing dedicated research device we encourage Apple to …
– ZecOps (@ZecOps) July 22, 2020
However, there are legal restrictions that have made several researchers turn up their noses. Some, including hackers from Google's Project Zero team, have even stated that they will give up the device. In particular, it does not like the clause that publicly disclosing details of a vulnerability is not permitted until Apple has released a corrective patch.
Many researchers and associations, including Project Zero, impose a three-month ultimatum to keep pressure on producers and developers high. The concept is simple: the details are disclosed to the company responsible for the vulnerability and 90 days later they are made publicly accessible. This prevents developers, aware that the secret remains secret, from neglecting to correct the problem promptly.
Therefore. On the one hand, Apple's approach makes sense, because if a vulnerability is not disclosed, the chances of a fraudster discovering them and developing malware are low; on the other, it makes sense to force companies to close loopholes as soon as possible, because "improbable" is not synonymous with "impossible". In the online discussion that arose between the experts siding with one or the other faction, it was argued that Apple never takes more than 90 days to close a flaw. But at least there is a precedent: it dates back to 2016, and concerns a bug discovered by Project Zero in macOS.
Huawei's top at the best price? Huawei P30 Pro, on offer today from Emarevolution for 450 euros or from Unieuro to 599 euros.