Black Hat, famously known for its information security conferences, has just released the ‘Behind the Scenes of iOS Security’ video from this year’s USA event. The talk, led by Ivan Krstic, dives into some of the security methods that currently exist in iOS and what Apple does to keep users secure. This talk was also where Apple had introduced its first security bounty program.
Automate weight logging w/ Health and Siri
This year has been a major year in security for Apple. From being taken to court over iOS encryption methods in the well-documented San Bernardino case, to initiating a requirement for HTTPS connections in all apps in the App Store, it’s easy to see that security is at the forefront of their discussions. Although bugs and vulnerabilities still exist, Apple seeks to resolve them as quickly as possible.
Not too long ago, Apple’s iOS 9.3.3 saw a vulnerability being exploited allowing users to jailbreak their devices. Though many jailbreakers openly accept these exploits as a potential to run iOS in the manner they decide, Apple still looks at them for what they are: vulnerabilities in their software which should not exist. Not too long after Pangu released their jailbreaking tool, Apple introduced iOS 9.3.4 closing the exploitation in the IOMobileFrameBuffer.
Exploits in the software like this are the ones Apple looks to close to better ensure security for their customers, and one Apple brought up frequently during the San Bernardino court cases. They believed if they did introduce and disclose a way to circumvent the encryption on the iOS device, it could then be used in ways they never imagined. This didn’t stop the FBI from pursuing other avenues where they reportedly paid less than $1 million for the exact exploit they needed.
Apple’s introduction of their first security bounty program may have been as a direct result as to what happened with the FBI court case. Apple is much more willing to pay someone who discovers the vulnerability first, versus having it potentially fall into whatever they may consider the “wrong hands”.
According to the ‘Behind the Scenes of iOS Security’ talk, Apple’s vulnerability payouts range from $25,000 to $200,000 — all seemingly much less than the rumored “less than $1 million” figure heard before.
The keynote PDF from the talk can be downloaded here, and the video is embedded below:
Image Credit: ‘Behind the Scenes of iOS Security‘ keynote by Ivan Krstic