iOS is often considered to be the most secure mobile operating system available, aside from BlackBerry. However, most secure does not mean invulnerable. To this end, security firm Zerodium is offering a US$1 million (RM4.27 million) bounty for exploits that would allow attackers to remotely hijack devices running the new iOS 9.
Like all good bounties, there are requirements for winning this one. To qualify, the exploit must be a web page targeting either Mobile Safari or Google Chrome in its default configuration; a web page targeting any application reachable through the browser; or a text message delivered through SMS or MMS. The whole exploit process must happen without the user having to do anything more than visit a web page or read the SMS/MMS.
At the moment, Zerodium has $3 million (about RM12.81 million) to give away for the bounty, which will be awarded to the first three individuals or teams that come forward with a working exploit. There is also a time limit on the bounty, with the competition closing on 31 October.
As is the case with most supposedly “secure” operating systems, Zerodium will undoubtedly have to pay out at least one of these bounties by the end of the time period. However, the fact that it is willing to pay so much for an exploit shows that it does not believe that this will be easily accomplished, which could be construed as a testament to Apple’s security practices.
That being said, Apple has just had to purge its App Store of hundreds of apps that were infected with the XcodeGhost malware. So maybe it isn’t actually that difficult to penetrate the iOS9 defences.