Published: Mon, August 12, 2019
Tech | By Anita Cain

Apple expanding its bug bounty program to double down on security issues

In June, researcher Patrick Wardle spotted a flaw that would make it possible for intruders to bypass security prompts in the company's macOS software, as Wired reported.

Another $500,000 will go to those who find a "network attack requiring no user interaction".

Apple is also expanding its bug-bounty program, which it launched three years ago, to include its Mac, Apple Watch, and Apple TV operating systems as well as iOS.

However, it's not just Apple that has announced such a big reward. The company has tried to make third-party or DIY repair hard for end users, preferring that they take their iPhones to an Apple Store for repair instead. Apple's previous highest bounty was $200,000 for friendly reports of bugs that can then be fixed with software updates and not leave them exposed to criminals or spies. "Health information is not available for this battery". Usually such a message appears if the battery is defective or has lost capacity, but on the new iPhone the warning appears even after installing a brand-new original battery from Apple.

Instead of a battery diagnostic page which details health and whether the battery needs to be replaced, altered phones display a "Service" message. This has led iFixit to speculate that Apple may have intentionally designed this as a way of showing the middle finger to independent repair shops. Unless an Apple Genius or an Apple Authorized Service Provider authenticates a battery to the phone, that phone will never show its battery health and always report a vague, ominous problem. "This is an unprecedented fully Apple supported iOS security research platform", said Krstić at the conference.

iFixit notes that this authentication feature doesn't actually affect battery performance, so if you swap out a battery using methods Apple doesn't approve of, the new battery will function normally.

Krstić also unveiled Apple's new iOS Security Research Device program, which will be out next year.

The Verge commented: "The evidence suggests that people hold onto their phones for longer when they have access to cheap battery repairs".

However, Apple clearly recognizes that if it's going to maintain world-class security in its products, it will be important that researchers have access to the necessary tools - plus it will help Apple to more effectively close the holes by which such devices leaked out of its supply chain in the past.
