Apple claims to manufacture the most secure smartphone, implementing many unique security and privacy features that cannot be found in other ecosystems. The major features are publicly described in Apple's platform security guide, including high-level goals and the underlying cryptographic primitives [1]. However, detailed documentation is missing, and iOS and macOS are often assumed to be secure by design without the underlying implementation being questioned.
Within SEEMOO, we have studied many of these proprietary features and interfaces. For example, we reverse-engineered Find My and AirDrop, which uncovered new security and privacy issues, and implemented the open-source clients OpenHaystack and OpenDrop. Moreover, we looked at wireless interfaces and daemons, specifically Bluetooth and the Intel cellular baseband, and published tools such as the ToothPicker fuzzer and the ARIstoteles dissector.
When analyzing a previously unexplored topic within Apple's ecosystem, it is likely that you will find security issues affecting more than a billion users. Moreover, the knowledge gained during this process helps to open up proprietary interfaces and enables interaction with third-party devices. There are still many open topics on all layers. SEEMOO's main expertise is in wireless protocols. However, you can also contact us if you want to look into other concepts, such as low-level hardware security (PAC, side channels, ...), biometric security (Face ID, ...), network security (Private Relay, fuzzing the network stack, ...), and more. Usually, picking a single feature and exploring it in depth is sufficient for a B.Sc. or M.Sc. thesis.
We offer experience within the Apple ecosystem and reverse-engineering tips for firmware, the kernel, and user-space daemons, including the *OS Internals book series, which documents iOS and macOS internals far beyond Apple's official materials. Additionally, having supervised many theses in this area, we have a collection of example theses. We also have jailbroken iPhones and iPads, recent MacBooks, and other Apple devices. For your own safety and security, these are designated research devices and are not meant for private use. Note that we do not participate in the Apple research device program, meaning that you can set your own disclosure timeline when coordinating disclosure with Apple. In some cases, Apple might award you a bug bounty. We also encourage and financially support presenting your results at a scientific or security conference.
The precise topic will be tailored to your previous experience. A reverse-engineering background is recommended, e.g., previous participation in CTFs. Depending on the topic, either a strong programming background is required (developing an open-source equivalent of an Apple feature) or a good understanding of software/hardware security is mandatory (fuzzing a protocol, implementing a hardware attack, ...). Please contact us for more details.
We are currently getting many requests for this topic area. Please only contact us if you have a strong background in the previously mentioned areas.
[1] Apple Platform Security, May 2021, https://manuals.info.apple.com/MANUALS/1000/MA1902/en_US/apple-platform-security-guide.pdf