Apple’s new security program offers special iPhone hardware, with restrictions attached



Apple announced a new program for security researchers, with modified iPhones granting privileged access.


Apple introduced a new type of iPhone on Wednesday, but it is not one that just anyone can get. The new batch of modified iPhones is tailored specifically for security researchers as part of the tech giant’s new Security Research Device program.

At last year’s Black Hat cybersecurity conference, Apple said for the first time that it would provide modified iPhones for security researchers. The company launched the program on Wednesday, saying it would accept applications immediately and that researchers who apply should expect to receive their devices very soon.

The iPhones will be the latest models available, but they come with specific hardware fuses that accommodate the programs used by security researchers. You couldn’t run the same tests on a store-bought iPhone unless you had the device jailbroken.

Apple has different hardware for different levels of its iPhones, such as the hardware fusing that allows Apple’s own developers to test software internally. These iPhones with development fuses are highly coveted in the security research market because of that access, but they are hard to find.

The Security Research Device program offers a middle ground, with researchers now able to get iPhones with privileged access directly from Apple. Compared to a regular iPhone, which is limited to App Store software, these devices allow researchers to run security test software right away.

Typically, security researchers looking to find vulnerabilities on an iPhone would have to break the limitations of the App Store first, which can be a challenging hurdle if you’re not an iOS security expert. In some cases, researchers would also jailbreak the iPhone, but that also has limits, as jailbreaks often run on older versions of iOS with vulnerabilities that are fixed in later versions.

Apple said it launched this program to make it easier for security researchers to start finding vulnerabilities with their iPhones.

The phones will be provided annually, which requires researchers to renew with Apple every 12 months, and are not intended for personal use, according to the company. There is a limited supply of these iPhones focused on security research, but Apple said it would keep in touch with researchers for feedback on how to expand the program.

Participants will also be part of a dedicated forum where they can talk to each other and to Apple’s security engineers about discoveries made through the program, the company said.

To be eligible, you must be part of the Apple Developer Program and demonstrate a history of finding security issues on Apple devices.

The program also comes with restrictions. The security vulnerabilities discovered on the platform should be reported to Apple and cannot be discussed with the public until a date determined by the company, ideally when Apple resolves the flaw.

That restriction creates concern if the flaw is never fixed, said Will Strafach, CEO of mobile security company Guardian and an iOS security researcher. He said he would not apply to the program because of that restriction.

Strafach said that in his work, he has found that public disclosures of security vulnerabilities often put pressure on companies to fix problems that otherwise would never have been addressed.

“It is a good first step, I doubt it is very easy to accomplish,” Strafach said. “But there should be a lot more. The two important things I think are really needed are broader availability with fewer restrictions on how it can be used, and bringing it closer to the developer-fused iPhones in the gray market.”

Ben Hawkes, team leader of Google’s Project Zero security research team, said in a tweet that the restrictions also prevent them from participating in the Apple program. Project Zero had discovered major iOS vulnerabilities targeting Muslims in China last September.

“We will continue to research Apple platforms and provide Apple with all of our findings, because we believe it is the right thing to do for user safety. But I confess that I am quite disappointed,” Hawkes said on Twitter.

ZecOps, another cybersecurity company, which in April discovered iOS vulnerabilities in Apple Mail, also said it would not participate in the program due to the restrictions.