Data Privacy

Apple’s Bug Bounty Program: Hackers Getting Paid

    How does one of the largest and most innovative companies in history prevent cyber attacks and data hacks? They hire hackers to hack them. That’s right, Apple pays up to $1 million to friendly hackers who can find and report vulnerabilities within their operating systems. Recently, Apple announced that it will open its Bug Bounty program to anyone to report bugs, not just hackers who have previously signed up and been approved. 


Apple’s head of security engineering Ivan Krstic says that this is a major win not only for iOS hackers and jailbreakers, but also for users—and ultimately even for Apple. The new bug bounties directly compete with the secondary market for iOS flaws, which has been booming in the last few years.


In 2015, vulnerability broker Zerodium revealed that it would pay $1 million for a chain of bugs that allowed hackers to break into the iPhone remotely. Ever since, the cost of bug bounties has soared. Zerodium’s highest payout is now $2 million, and Crowdfense is offering up to $3 million.

So how do you become a bug bounty hunter for Apple? We’ll break it down for you.


    What is the Apple Security Bounty?

As part of Apple’s commitment to information security, the company is willing to compensate researchers who discover and share critical issues and the methods they used to find them. Apple makes it a priority to fix these issues in order to best protect its customers against a similar attack. Apple offers public recognition to those who submit valid reports and will match donations of the bounty payment to qualifying charities.

    See the Apple Security Bounty Terms and Conditions Here

Who Is Eligible to Be a Bug Bounty Hunter?


In order to qualify for an Apple bug bounty, the vulnerability you discover must appear on the latest publicly available versions of iOS, iPadOS, macOS, tvOS, or watchOS with a standard configuration. The eligibility rules are intended to protect customers until an update is readily available. This also ensures that Apple can confirm reports, create the necessary updates, and properly reward those doing original research.

Apple bug bounty requirements:

    • Be the first party to report the issue to Apple Product Security.
    • Provide a clear report, which includes a working exploit. 
    • Not disclose the issue publicly before Apple releases the security advisory for the report. 

Issues that are unknown to Apple and are unique to designated developer betas and public betas can earn a 50% bonus payment.

    Qualifying issues include:

    • Security issues introduced in certain designated developer beta or public beta releases, as noted in their release notes. Not all developer or public betas are eligible for this additional bonus.
• Regressions of previously resolved issues, including those with published advisories, that have been reintroduced in certain designated developer beta or public beta releases, as noted in their release notes.

How Does the Bounty Program Pay Out?


    The amount paid for each bounty is decided by the level of access attained by the reported issue. For reference, a maximum payout amount is set for each category. The exact payment amounts are determined after Apple reviews the submission. 

    Here is a complete list of example payouts for Apple’s Bounty Program

The purpose of the Apple Bug Bounty Program is to protect consumers by understanding both the data exposures and how they were exploited. In order to receive confirmation and payment from the program, a full, detailed report must be submitted to Apple’s Security Team.


    According to the tech giant, a complete report includes:

    • A detailed description of the issues being reported.
    • Any prerequisites and steps to get the system to an impacted state.
    • A reasonably reliable exploit for the issue being reported.
    • Enough information for Apple to be able to reasonably reproduce the issue. 


    Keep in mind that Apple is particularly interested in issues that:

    • Affect multiple platforms.
    • Impact the latest publicly available hardware and software.
    • Are unique to newly added features or code in designated developer betas or public betas.
    • Impact sensitive components.

    Learn more about reporting bugs to Apple here

    The TikTok Controversy: How Much Does Big Tech Care About Your Data and its Privacy?

    If you have a teenager in your house, you’ve probably encountered them making weird dance videos in front of their phone’s camera. Welcome to the TikTok movement that’s taking over our nation’s youth. TikTok is a popular social media video sharing app that continues to make headlines due to cybersecurity concerns. Recently, the U.S. military banned its use on government phones following a warning from the DoD about potential personal information risk. TikTok has now verified that it patched multiple vulnerabilities that exposed user data. In order to better understand TikTok’s true impact on data and data privacy, we’ve compiled some of the details regarding the information TikTok gathers, sends, and stores.

    What is TikTok?

TikTok is a video sharing application that allows users to create short, fifteen-second videos on their phones and post the content to a public platform. Videos can be enriched with music and visual elements, such as filters and stickers. The app’s young adolescent demographic, along with the content that is created and shared on the platform, has put its privacy features in the limelight as of late. Even more so, questions about where TikTok data is stored and who can access it have raised red flags.

    You can review TikTok’s privacy statement for yourself here.

    TikTok Security Concerns

Even though TikTok allows users to control who can see their content, the app does ask for a number of consents on your device. Most noteworthy, it accesses your location and device information. While there is no evidence of malicious activity or that TikTok is violating its privacy policy, it is still advisable to exercise caution with the content that is both created and posted.

The biggest concern surrounding the TikTok application is where user information is stored and who has access to it. According to the TikTok website, “We store all US user data in the United States, with backup redundancy in Singapore. Our data centers are located entirely outside of China, and none of our data is subject to Chinese law.” It also states: “The personal data that we collect from you will be transferred to, and stored at, a destination outside of the European Economic Area (“EEA”).” There is no other specific information regarding where user data is stored.

Recently, TikTok published a Transparency Report which lists “legal requests for user information”, “government requests for content removal”, and “copyrighted content take-down notices”. The “Legal Requests for User Information” section shows that India, the United States, and Japan are the top three countries where user information was requested. The United States was the number one country by fulfilled requests (86%) and by number of accounts specified in the requests (255). Oddly enough, China is not listed as having received any requests for user information.

    What Kind of Data is TikTok Tracking?

Below are some of the consents TikTok requires on Android and iOS devices after installation of the app is completed. Some of these permissions are to be expected, and all of them are consistent with TikTok’s written privacy policy. Even so, the full list of what TikTok gathers from its users can be alarming. In short, the app allows TikTok to:

• Access the camera (and take pictures/video), the microphone (and record sound), the device’s Wi-Fi connection, and the full list of contacts on your device.
• Determine if the internet is available and access it if it is.
• Keep the device turned on and automatically start itself.
• Obtain detailed information on the user’s location using GPS.
• Read and write to the device’s storage, install/remove shortcuts, and access the flashlight (turn it off and on).

You read that right: TikTok has full access to your audio, video, and the list of contacts in your phone. The geolocation tracking via GPS is somewhat surprising though, especially since TikTok videos don’t display location information. So why collect that information? If you operate an Android device, TikTok has the capability of accessing other apps running at the same time, which can give the app access to data in another app such as a banking or password storage app.

    Why is TikTok Banned by the US Military?

In December 2019, the US military started instructing soldiers to stop using TikTok on all government-owned phones. This TikTok policy reversal came shortly after the release of a Dec. 16 Defense Department Cyber Awareness Message classifying TikTok as having potential security risks associated with its use. As the US military cannot prevent government personnel from accessing TikTok on their personal phones, leaders recommended that service members use caution if unfamiliar text messages are received.

    In fact, this was not the first time that the Defense Department had been required to encourage service members to remove a popular app from their phones. In 2016, the Defense Department banned the augmented-reality game, Pokémon Go, from US military owned smartphones. However, this case was a bit different as military officials alluded to concerns over productivity and the potential distractions it could cause. The concerns over TikTok are focused on cybersecurity and spying by the Chinese government.

    In the past, the DoD has put out more general social media guidelines, advising personnel to proceed with caution when using any social platform. And all DoD personnel are required to take annual cyber awareness training that covers the threats that social media can pose.
