Skip links

Apple says its CSAM scan code can be verified by researchers. Corellium starts throwing out dollar bills

Last week, Apple essentially invited security researchers to probe its forthcoming technology that’s supposed to help thwart the spread of known child sexual abuse material (CSAM).

In an attempt to clear up what it characterized as misunderstandings about its controversial plan to analyze iCloud-bound photos for this awful material, the Cupertino giant described [PDF] the systems, protections, and mechanisms involved.

Crucially, Apple repeatedly stated that its claims about its CSAM-scanning software are “subject to code inspection by security researchers like all other iOS device-side security claims.” And its senior veep of software engineering Craig Federighi went on the record to say “security researchers are constantly able to introspect what’s happening in Apple’s [phone] software.”

Now, Florida-based infosec outfit Corellium is taking Apple up on that assertion. And yes, that’s the same Corellium Apple tried to drag through the courts, alleging “unlawful commercialization of Apple’s valuable copyrighted works,” until it gave up that fight last week.

With that victory, of sorts, under its belt, and Apple’s invitation to bug hunters and cryptography experts, Corellium, which previously accused Apple of trying to hinder external security research, this week applauded the iPhone maker’s “commitment to holding itself accountable by third-party researchers.”

And, for good measure, it has launched a $15,000 initiative to encourage researchers to test that commitment. Specifically, the initiative is open to proposals for “research projects designed to validate any security and privacy claims for any mobile software vendor, whether in the operating system or third-party applications,” though it’s clear it has Apple in mind.

That may be because, depending on who you are, Apple in the past at least has either made it difficult or slightly easier to pore over its proprietary code for exploitable faults.

“We applaud Apple’s commitment to holding itself accountable by third-party researchers,” said Corellium, which provides among other things virtualized iOS devices for infosec types to probe, adding: “We believe our platform is uniquely capable of supporting researchers in that effort.”

Up to 1700 EST on October 15, Corellium says it will accept security research proposals and judge them based on technical merits, feasibility, and presumed likelihood of success. The biz said it will award a $5,000 grant and a year of free access to its mobile device virtualization platform for up to three submissions.

The program rules require any vulnerabilities found to be reported directly to the relevant vendor, so any bug bounty award from the vendor would depend on whether that company has a vulnerability reward program and what the program covers.

True to form, Apple did not respond to a request for comment. Neither did Corellium.

In a phone interview, Katie Moussouris, founder of Luta Security and a pioneer in designing bug bounties, told The Register she found it noteworthy that research grant programs, which have been around for years, are moving away from vendors.

It’s interesting that they’re offering research grants towards doing research for any mobile devices and not just iPhones

“What’s interesting about the Corellium announcement is it’s no longer the vendors themselves offering research grants, which obviously I think is a great idea, but it’s a third-party that makes a virtualization platform that makes reverse engineering easier,” she said. “I also think it’s interesting that they’re offering research grants towards doing research for any mobile devices and not just iPhones.”

Moussouris said it’s clear Corellium’s grant program would have happened if Apple’s litigation had not concluded.

Asked about Federighi’s characterization of Apple’s openness with regard to security research, Moussouris said Apple’s perception of openness isn’t necessarily the same as the rest of the security industry.

“Remember, for a long time, the Apple security team couldn’t even have the word ‘security’ on their business cards,” she said. ‘They couldn’t talk about security at all. So I think that for Apple, this seems very open. For the rest of the world, Apple’s still on a much more secretive and closed side of things, including for security research.”

Citing her role in the creation of the first Microsoft bug bounty program, Moussouris said, “I am a big fan of incentive programs, smart incentive programs that don’t create perverse incentives [like] overly rewarding things that should have been found internally by the organization itself, by its own employees, and by testing and tools.” ®

Source