> You just need to be approved for this specific program.
Since not just anyone can be approved, I don't think I'd consider that "anyone".
I mean, I guess technically "anyone" can learn to become a security researcher and spend years building up a "proven track record of success in finding security issues on Apple platforms, or other modern operating systems and platforms", but that's not generally how I think of the term "anyone". ;)
> Since not just anyone can be approved, I don't think I'd consider that "anyone".
I took the parent to mean you "just need to be approved" to do debugging via this program, but not to use other means to do debugging, which you don't need approval for, hence anyone can do.
The deal is that anyone willing to cough up the $100 developer fee is going to be 'approved'. Apple's not in a position to DQ anyone who's even remotely interested in making iOS more secure.
Yep, definitely designed to be a barrier that's just enough to say "look we're doing something", but restrictive enough so that most won't bother. Sort of like their repair program.
I tend to like Apple in general, I think they do a lot of things right, but I feel there are a few things they do that are clearly about money and not the purported reasons. I guess no company is impervious to that.
"Look we're doing something"? Apple has a well-regarded security team that is among the largest in the industry. The locked platform is part of the premise of their security model. You can disagree with that; many smart people do. But you can't pretend that anything other than unlocking the platform constitutes a half-measure.
Apple's security model is not the only one that exists, and its model has the additional benefit of giving them the ability to control software distribution for the platform.
I'm actually not in disagreement with either point. I think they just need to stop with the whole "see, people can do stuff". Own it, I like the locked environment and security.
That said, on the back end outside of devices, they don't implement the same precautions, i.e., encrypting iCloud data / backups where they have limited access. I would like consistency is all.
In what way do they not "own it"? They've been owning the fact that it's a closed system for 40 years, when tech nerds complained about their products being "appliances".
I'm more on the side of their argument that they have to lock the phone down without their own ability to access the data (which I agree with), but falling back on encrypting the backend the same way (buckling to Federal pressure).
I would love it to be encrypted throughout. Even if it means that if I lose access I may not be able to get it back. It's a tradeoff. The marketing position of being secure is factually true for the phone, but they imply the data is when in fact it really isn't.
Anyone can take advantage of the unpatchable bootloader flaw on iDevices with the A11 SoC or earlier that allows you to exert full control over the device and any current or future version of iOS that runs on it.
> For security researchers, this is a huge boon, which should help them analyze any version of iOS that will run on an iPhone X or older. Since iOS research really can’t be done on a device that hasn’t had security restrictions lifted somehow, this will likely become one of the most important tools in researchers’ toolkits. This can benefit iOS users, as it can enable researchers to locate issues and report them to Apple.
What happens when iOS 20 comes out and the A11 can’t run it? Is it suddenly okay then to ask Apple’s permission? I don’t think the court would hold up a bootrom exploit in an older chip as good enough for research purposes (what if an exploit only affected the A12 and A13 for some reason?)