fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Apple’s Hackable iPhones Are Finally Here

Apple’s Hackable iPhones Are Finally Here

LAST AUGUST, APPLE announced that it would distribute special iPhones to elite security researchers. The idea was to offer a device that had fewer constraints, allowing researchers to home in on security vulnerabilities more easily, without first having to work around standard iOS defenses. Starting today, you can apply to get your hands on one.

Apple is opening its security research device program to analysts with an established track record of finding iOS bugs, as well as those with expertise in other platforms who want to start on iOS. The company will loan the devices for a year with the possibility to renew, and participants will also gain access to new security forums focused on the devices. If researchers “find, test, validate, verify, or confirm” a vulnerability using one of the special iPhones, they must report it to Apple—and any relevant third parties—under the terms of the loan agreement.

Historically, relationships between Apple and the security industry have been strained, in part because Cupertino has offered so little visibility into iOS. The new research phones serve as something of an olive branch, with the added benefit of helping shore up iPhone security. Outside professionals can investigate iOS from different angles, helping find problems that may arise after an attacker bypasses iOS defenses.

“It’s ultimately a big win.”

PATRICK WARDLE, JAMF

Security researchers have until now had to resort to jailbreaks and third-party iOS emulators to gain that deeper insight. But Apple has aggressively attempted to swat down those efforts. The company sued the mobile development and security firm Corellium last year for making an iOS emulator. And Apple argues that jailbreaks, which are achieved by exploiting hardware or software vulnerabilities, result in imperfect research due to inherent differences from unadulterated iOS. Plus, most jailbreaks only work on outdated hardware and old versions of the firmware, Apple argues, because the vulnerabilities used to achieve jailbreaks get patched.

Also Read: Trusted Data Sharing Framework IMDA Announced In Singapore

iOS-focused security researchers told WIRED on Wednesday that the new devices will be useful in many ways. They’ll essentially grant unlimited permissions within the operating system so researchers can run code without iOS’s typical limitations and analyze how other programs function. This will help researchers spot vulnerabilities, but it will also make it much easier for them to analyze how Apple’s own software and third-party apps behave and manage data, whether that’s assessing a prominent app like TikTok or possible spyware like ToTok.

“Security researchers have already proved to be rather successful at uncovering flaws in both iOS proper and security and privacy issues in third-party apps,” says Patrick Wardle, an Apple security researcher at the enterprise management firm Jamf. “Armed with these new devices, they are likely only going to find more. Being able to audit and analyze third-party apps more easily on modern devices running the latest version of iOS would be lovely. It’s ultimately a big win for Apple’s users and Apple itself.”

Wardle and others point out, though, that this level of openness and insight may not extend beyond the user-facing parts of the operating system. That would mean the special devices wouldn’t help researchers analyze iOS’s core “kernel,” its boot-up procedures, the firmware that coordinates hardware and software, or hardware itself, like Apple’s custom T2 security chip.

“The devices appear to give researchers unrestricted access only to a portion of iOS,” says Will Strafach, a longtime iOS researcher and creator of the Guardian Firewall app for iOS. “It’s a good start for vulnerabilities in user-facing apps and services, which can be easily fixed in an iOS update. But they appear to intentionally not allow poking at lower-level security mechanisms, which may be more difficult to fix.”

Apple says that it carefully designed the research devices to behave like consumer products and give researchers as much insight as possible without inadvertently creating exposure or risk for the hundreds of millions of iOS devices deployed around the world. For example, the security-research devices are not the same as Apple’s own internal development prototypes, known as “dev-fused” iPhones, which are much more flexible and open than consumer iPhones and leave many iOS security features disabled. Still, the new security-research devices are loaners for a reason, and they will presumably be carefully tracked and controlled by Apple.

“It is not known what these devices will allow yet. It seems reasonable to assume that Apple will give researchers additional software and tools to help with their research, but no information is available yet,” says the jailbreaker known as “axi0mX,” who discovered an unfixable Apple hardware bug that enables the “checkra1n” jailbreak in older iPhones. “I think research devices are a good idea, but it seems that Apple is doing the bare minimum here.”

Ultimately, researchers say that the degree to which the new offering fosters goodwill depends on how helpful it turns out to be in practice. Strafach points out, for example, that researchers may be cautious about how they use the devices, fearing they might upset Apple and lose their access at the company’s whim. And depending on the new device’s limitations, researchers say it is unlikely to totally replace the other tools in the iOS analysis toolbox.

Also Read: Data Protection Authority GDPR: Everything You Need To Know

“For someone like me, who mostly looks at third-party apps, it will be very useful,” Jamf’s Wardle says. “But for hardcore vulnerability discovery, it may be limited. I can see this being just another option, like using checkra1n to get super low-level on older devices or an emulation/virtualization solution.”

A special device from Apple isn’t going to magically reveal and eliminate all iOS privacy and security issues. Given the small number of tools researchers have had at their disposal, though, anything that offers more insight is an important step forward.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us