Slashdot Mirror


Google Bug Hunter Urges Apple To Change Its iOS Security Culture; Asks Tim Cook To Donate $2.45 Million To Amnesty For His Unpaid iPhone Bug Bounties (threatpost.com)

secwatcher writes: Prolific Google bug hunter Ian Beer ripped into Apple on Wednesday, urging the iPhone maker to change its culture when it comes to iOS security. The Verge: "Their focus is on the design of the system and not on exploitation. Please, we need to stop just spot-fixing bugs and learn from them, and act on that," he told a packed audience. Per Beer, Apple researchers are not trying to find the root cause of the problems. "Why is this bug here? How is it being used? How did we miss it earlier? What process problems need to be addressed so we could [have] found it earlier? Who had access to this code and reviewed it and why, for whatever reason, didn't they report it?" He said the company suffers from an all-too-common affliction of patching an iOS bug, but not fixing the systemic roots that contribute to the vulnerability. In a provocative call to Apple's CEO Tim Cook, Beer directly challenged him to donate $2.45 million to Amnesty International -- roughly the equivalent of bug bounty earnings for Beer's 30-plus discovered iOS vulnerabilities.

3 of 79 comments

  1. Re:He missed something...no surprise by Anonymous Coward · · Score: 2, Interesting

    You're kidding, right?

    Apple's stance on bugs is "we don't care until it makes the press."

    Remember that bug where you could log in as root with a blank password on almost every Mac? Turns out Apple knew about it for months. They only bothered fixing it when the tech press found out about it.

    This is pretty much the only way security fixes ever happen for Apple products: the tech press hears about the flaw, then Apple decides "OK, now we'll fix it."

  2. Re:He missed something...no surprise by bill_mcgonigle · · Score: 4, Interesting

    No, you're talking about something completely different. Back when Apple was working on the 5S, and they developed the whole Secure Enclave architecture, it did have some really good engineers working out good security for the system. What this guy's talking about is the past few years where they have the iOS bugs that have been identified, patched, and then in the next go-round we find out that they only patched the extremely specific bug, on one line. The next exploit is a few lines down, the same darn thing, in a slightly different way. The most likely explanation for this is that they lost the talent that was working there, making the system good. Why would top people stay when Apple doesn't innovate any more? It's clear from the results that they lost their performance engineering people, for about four major iOS releases, with only iOS 11 having any kind of decent performance again. Now that they are going into the thought police business, good luck getting anyone worth their salt to work there.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)

  3. Re:From Google? by Anonymous Coward · · Score: 1, Interesting

    "The Box", is simply a PR trick invented to provide a win-win for Apple and the Government.

    1. Apple spawns new company under untraceable ownership.
    2. Comply with government requests to unlock phones by providing the fake company vulnerabilities.
    3. Win with consumers because they don't know it's Apple selling backdoors.

    The whole thing reeks of a collaboration with the government to both comply with FISA/NSLs and appeal to consumers by pretending not to at the same time.

    Wake up.