For all the steps Apple has taken to encrypt customers' communications and its rhetoric around customer privacy, security experts said the company was still doing less than many competitors to seal up its systems from hackers. And, when hackers do find flaws in Apple's code, they have little incentive to turn them over to the company for fixing.
Google, Microsoft, Facebook, Twitter, Mozilla and many other tech companies all pay outside hackers who turn over bugs in their products and systems. Uber began a new bug bounty programme on Tuesday. Google has paid outside hackers more than $6 million since it announced a bug bounty programme in 2010 and the company last week doubled its top reward to $100,000 for anyone who can break into its Chromebook.
Apple, which has had relatively strong security over the years, has been open about how security is a never-ending cat-and-mouse game and how it is unwilling to engage in a financial arms race to pay for code exploits. The company has yet to give hackers anything more than a gold star. When hackers do turn over serious flaws in its products, they may see their name listed on the company's website - but that is it. That is a far cry from what hackers can expect if they sell an Apple flaw on the thriving underground market where a growing number of companies and government agencies are willing to pay hackers handsomely.
The disclosure by the United States government on Monday that an unknown third party had approached it - and not Apple - to help open a controversial iPhone only highlights how the giant company approaches bug-hunting efforts and security differently from the rest of the tech industry.
But security experts, especially those with a stake in such bug programmes, said Apple could now be doing more, especially in this day and age where the conventions of finding bugs and fixing them have changed. Just this week, researchers at Johns Hopkins University uncovered a flaw that would allow attackers to decrypt the contents of photos and videos attached in Apple's iMessage programme. The researchers turned that flaw over to Apple for patching.
"Especially with the stakes being as high as they are, if Apple wants to continue to compete in the modern world, they have to modernise their approach," said Katie Moussouris, a chief policy officer at HackerOne, which companies like Yahoo, Dropbox and now Uber pay to manage their bug bounty programmes.
The identity of the third party that approached the FBI with the possible way to unlock the iPhone - which was used by one of the attackers in a mass shooting in San Bernardino, California, last year - remained unknown on Tuesday. The emergence of the third party halted, at least temporarily, a contentious case between Apple and the United States government over whether the company should weaken the security of its iPhone to help law enforcement.
The justice department has declined to name the third-party person or organisation, or to describe the proposed method for breaking into the device.
The third party may not have approached Apple for many reasons. In the past, Microsoft's systems were a more frequent target for malicious-minded hackers, largely because of the prevalence of its products. But as Microsoft began to embrace the hacking community, its security improved.
The technology company has been locked in a major legal battle against law enforcement officials over privacy and security. As Apple's desktops and mobile phones have gained more market share, and as customers began to entrust more and more of their personal data to their iPhones, Apple products have become far more valuable marks for criminals and spies.