Tuesday, May 19, 2020

Apple vs. Security Researchers

Lorenzo Franceschi-Bicchierai:

The lawsuit, however, has already produced a tangible outcome: very few people, especially current and former customers and users, want to talk about Corellium, which sells the eponymous software that virtualizes iPhones and Android devices. During the lawsuit’s proceedings, Apple has sought information from companies that have used the tool, which emulates iOS on a computer, allowing researchers to probe potential iPhone vulnerabilities in a forgiving and easy-to-use environment.

“Apple has created a chilling effect,” a security researcher familiar with Corellium’s product, who asked to remain anonymous because he wasn’t allowed to talk to the press, told Motherboard.

“I don’t know if they intended it but when they name individuals at companies that have spoken in favor [of Corellium], I definitely believe retribution is possible,” the researcher added, referring to Apple’s subpoena to the Spanish finance giant Santander Bank, which named an employee who had tweeted about Corellium.

Peter Steinberger:

So we’re back at security through obscurity? That always worked out great in history.

Joe Rossignol:

Zerodium this week announced that it will not be purchasing any iOS exploits for the next two to three months due to a high number of submissions. In other words, the company has so many security vulnerabilities at its disposal that it does not need any more.

Thomas Claburn (Hacker News):

“iOS Security is fucked,” said Zerodium’s founder Chaouki Bekrar via Twitter. “Only [Pointer Authentication Codes] and non-persistence are holding it from going to zero…but we’re seeing many exploits bypassing PAC, and there are a few persistence exploits (0days) working with all iPhones/iPads. Let’s hope iOS 14 will be better.”

[…]

The market for iOS vulnerabilities took a hit last September when Zerodium said for the first time that it would pay more for flaws in Android than in iOS.

[…]

Asked whether Zerodium’s statement reflects the actual state of iOS security or should be taken as a company just trying to make waves, Patrick Wardle, principal security researcher at Jamf Security and founder of Objective-See, told The Register that it’s probably a bit of both.

Peter Steinberger:

Almost seems like Apple suing the #1 company allowing security research on iOS (Corellium) and not paying out bounties could have a chilling effect on white hats while black hats thrive.


Update (2021-02-05): Joshua Hill:

Apple denied my access to the security developer program because I haven’t done enough work. Almost all my CVEs are credited to anonymous or my team name.

Csaba Fitzl:

I had to realize as well that reporting vulnerabilities and applying for security entitlements are two unrelated things. The entitlement team doesn’t care at all about the other type of work, although it took me 10 months to get the ES one; KEXT is a clear no-go.

For example the product-security team supported me in getting a kext signing cert, yet the entitlement team said they don’t care and they also said that it’s not the product-security team’s authority to decide. Sigh.

Update (2021-07-16): Khaos Tian:

lol apparently reporting a security issue to Apple product security can lead to termination from the Apple Developer Program? Got a notice of termination today for the personal account that has had no activity recently 🙃

Standard termination template citing violation of 3.2(f) of the agreement… Typically I think it’s used for people making fraudulent/scam apps? I haven’t submitted any apps for years so who knows ¯\_(ツ)_/¯
