{"id":28966,"date":"2020-05-19T15:42:51","date_gmt":"2020-05-19T19:42:51","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=28966"},"modified":"2021-07-16T14:23:33","modified_gmt":"2021-07-16T18:23:33","slug":"apple-vs-security-researchers","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2020\/05\/19\/apple-vs-security-researchers\/","title":{"rendered":"Apple vs. Security Researchers"},"content":{"rendered":"

Lorenzo Franceschi-Bicchierai<\/a>:<\/p>\n

The lawsuit, however, has already produced a tangible outcome: very few people, especially current and former customers and users, want to talk about Corellium, which sells the eponymous software that virtualizes iPhones and Android devices. During the lawsuit’s proceedings, Apple has sought information from companies that have used the tool, which emulates iOS on a computer, allowing researchers to probe potential iPhone vulnerabilities in a forgiving and easy-to-use environment.<\/p>

“Apple has created a chilling effect,” a security researcher familiar with Corellium’s product, who asked to remain anonymous because he wasn’t allowed to talk to the press, told Motherboard.<\/p>

“I don’t know if they intended it but when they name individuals at companies that have spoken in favor [of Corellium], I definitely believe retribution is possible,” the researcher added, referring to Apple’s subpoena to the spanish finance giant Santander Bank<\/a>, which named an employee who had Tweeted about Corellium. <\/p><\/blockquote>\n\n

Peter Steinberger<\/a>:<\/p>\n

\n

So we’re back at security through obscurity? That always worked out great in history.<\/p>\n<\/blockquote>\n\n

Joe Rossignol<\/a>:<\/p>\n

\n

Zerodium this week announced that it will not be purchasing any iOS exploits for the next two to three months due to a high number of submissions. In other words, the company has so many security vulnerabilities at its disposal that it does not need any more.<\/p>\n<\/blockquote>\n\n

Thomas Claburn<\/a> (Hacker News<\/a>):<\/p>\n

“iOS Security is fucked,” said Zerodium’s founder Chaouki Bekrar via Twitter<\/a>. “Only [Pointer Authentication Codes] and non-persistence are holding it from going to zero…but we’re seeing many exploits bypassing PAC, and there are a few persistence exploits (0days) working with all iPhones\/iPads. Let’s hope iOS 14 will be better.”<\/p>

[…]<\/p>

The market for iOS vulnerabilities took a hit last September when Zerodium said<\/a> for the first time that it would pay more for flaws in Android<\/a> than in iOS.<\/p>

[…]<\/p>

Asked whether Zerodium’s statement reflects the actual state of iOS security or should be taken as a company just trying to make waves, Patrick Wardle, principal security researcher at Jamf Security and founder of Objective-See, told The Register<\/i> that it’s probably a bit of both.<\/p><\/blockquote>\n\n

Peter Steinberger<\/a>:<\/p>\n

\n

Almost seems like Apple suing the #1 company allowing security research on iOS (Corellium) and not paying out bounties could have a chilling effect on white hats while black hats thrive.<\/p>\n<\/blockquote>\n\n

Previously:<\/p>\n