Might be a slightly self-indulgent thread, but how exactly does Apple suppose that security researchers will do this without running across anti-research minefields that Apple has intentionally laid down to block exactly this kind of research?
How about dynamic analysis? Unless Apple is planning on giving the iCloud app the get-task-allow permission so you can attach a debugger, that would be out of the question on a vanilla iPhone. You'd need to resort to jailbreaks, or, heaven forbid, a Corellium device.
Perhaps one way would be to write your own app to find unusual ways to compute the master hash and validate that it is valid, without relying on static graphical elements that hackers or Apple could surgically manipulate. But you think that app would get past App Store review?
Does Apple ask other auditors for free labor after setting them up to fail? "Hi accountants, our calculation on this napkin is correct and the warehouse of receipts is subject to inspection by accountants who wish to verify it"? Of course not. Only this industry gets screwed.
Aug 13, 2021 · 9:19 PM UTC