Security firm puts $1 million bug bounty on iOS 9

“While millions of iPhone users have eagerly upgraded to iOS 9, a new race is on among researchers to find critical flaws in Apple’s software, and they’re throwing around more cash than ever to get hackers to find the holes,” Buster Hein reports for Cult of Mac.

“A new security industry firm called Zerodium announced today that it will pay hackers $1 million for a single exploit that allows attackers to break into an iPhone or iPad running iOS 9,” Hein reports. “The company says it’s even willing to pay the bounty multiple times, as long as the exploits break through iOS 9’s security flaws a certain way.”

“Thanks to a number of security improvements, iOS is currently the most secure mobile OS, according to Zerodium,” Hein reports. “The terms for Zerodium’s contest state that the exploit must allow attackers to remotely and silently install an arbitrary app like Cydia on an iOS 9 device via a webpage attack or text message.”

More info in the full article here.

MacDailyNews Take: Good luck, hackers. You’re gonna need it.

New Android malware strains to top 2 million by end of 2015 – July 1, 2015
Symantec: 1 in 5 Android apps is malware – April 25, 2015
Kaspersky Lab Director: Over 98% of mobile malware targets Android because it’s much, much easier to exploit than iOS – January 15, 2015
Security experts: Malware spreading to millions on Android phones – November 21, 2014
There’s practically no iOS malware, thanks to Apple’s smart control over app distribution – June 13, 2014
F-Secure: Android accounted for 99% of new mobile malware in Q1 2014 – April 30, 2014
Google’s Sundar Pichai: Android not designed to be safe; if I wrote malware, I’d target Android, too – February 27, 2014
Cisco: Android the target of 99 percent of world’s mobile malware – January 17, 2014
U.S. DHS, FBI warn of malware threats to Android mobile devices – August 27, 2013

[Thanks to MacDailyNews Reader “Dan K.” for the heads up.]


    1. Bringing awareness to qualified people. This means more money spent investing in their products/services/careers/events, networking, etc. They’re being active in the community that matters to their field.

      But probably the most obvious reason is that hackers don’t typically make money doing things that are not malicious, so offering these guys $1,000,000 up front for exposing an exploit would be more interesting to a would-be malicious hacker than taking the risks associated with a malicious use of the same exploit which would not be likely to yield such a payout, and definitely not one that could be deposited into a bank account no questions asked.

  1. …the exploit must allow attackers to remotely and silently install an arbitrary app like Cydia on an iOS 9 device via a webpage attack or text message.

    Does that include installing on jailbroken iOS devices? Does that include malware that uses stolen enterprise security certificates? (The Wirelurker/MacHook attack that Apple refuses to block).
