When the legal battle between Apple and Corellium began, researchers warned about the consequences of Apple’s plans to limit access to iOS and take full control of the security research process. Months passed, and Apple ignored the calls to reconsider and moved forward with its plan to put iOS security testing inside a closed ecosystem that would include only Apple’s own teams and partners.
In this context, Apple recently shared the upcoming iOS 14 with a select number of security researchers and hackers, and it is now announcing a new research program.
To take part in this new program, researchers will have to be a member of the Apple Developer Program, have a proven track record of success in finding security issues on Apple platforms (or other modern OSes), and be based in one of the following countries: Australia, Austria, Belgium, Canada, Czech Republic, Denmark, Finland, France, Germany, Hungary, Ireland, Italy, Japan, Luxembourg, Netherlands, Norway, Poland, Portugal, Spain, Sweden, Switzerland, United Kingdom, and the United States.
In addition to the above, you will also need to be at least 18 years old, or you’re excluded.
Those eligible will receive a Security Research Device (SRD), a specially configured iPhone, that is good for 12 months. After that, the researcher will have to renew the SRD, which remains Apple’s property - so you’re basically only renting it for testing purposes. And finally, Apple includes a disclosure term obliging researchers not to publish anything until Apple has fixed the discovered vulnerability.
This should happen within a reasonable time, or as Apple puts it, “as soon as practical.” This means that the typical three-month disclosure period that is a standard in the security research world is not respected and won’t be accepted.
It looks like we won't be able to use the Apple "Security Research Device" due to the vulnerability disclosure restrictions, which seem specifically designed to exclude Project Zero and other researchers who use a 90 day policy.
— Ben Hawkes (@benhawkes) July 22, 2020
The lead of Google Project Zero, Ben Hawkes, has tweeted about how his team is barred from the new program, and why this is a shame. This is a team that has reported over 350 vulnerabilities to Apple in the past five years, so you can get an idea of who stands to lose from all this.
Apple is putting too many restrictions in place, and while it has every right to do so, this is an approach that may backfire given enough time. Closing down security research programs is a bet, and bets are always risky - but this is not the first time we have seen Apple moving into uncharted territory.
Only time will tell if they were well-prepared for the risks that arise from this approach, but right now, things for iOS security research do not look promising.