Bug Bounty Programs & mobile pentesting: Apple vs. Android - Pentestmag

With so many data breaches and attackers breaking into systems, companies constantly scan and improve their code to make it as secure as possible. No application is vulnerability-free, and that is why bug bounty programs arose: cyber security specialists, hackers and pentesters from all around the world spend hours finding a vulnerability, documenting it and collecting a reward.

A couple of weeks ago at Black Hat USA, one of the biggest InfoSec events, Apple announced its own bug bounty program, in which you can earn up to $200,000. This is one of the highest rewards offered by any corporate bounty program; compare Google Chrome (from $100 to $20,000), AVG Technologies (from $50 to $1,000) and Microsoft (up to $100,000).

The program will be launched in September; the list of vulnerability categories and their rewards is below:

  • Flaws in secure boot firmware components: up to $200,000;

  • Flaws that could allow extraction of confidential data protected by the Secure Enclave: up to $100,000;

  • Vulnerabilities that allow execution of malicious or arbitrary code with kernel privileges: up to $50,000;

  • Flaws that grant unauthorized access to iCloud account data on Apple servers (remember the celebrity photo leak?): up to $50,000;

  • Access from a sandboxed process to user data outside of that sandbox: up to $25,000.

You can read some amazing stories about people who actually discovered bugs, like Anand Prakash, who discovered a bug in Facebook, or Jobert Abma, who has been a bug hunter since he was a teenager and is a co-founder of HackerOne, a platform where companies invite hackers to attack them and then pay rewards based on the vulnerabilities found. Cyber security specialists laud such programs. They are a perfect opportunity to check and upgrade your skills, and on top of that you can be rewarded for breaking into a system.

How can we help you with learning iOS penetration testing?

If you are still asking yourself "Am I good enough to do this?", we offer a course in which you will learn how to identify and exploit vulnerabilities in iOS applications using a variety of tools. Our aim is to present the material in the most effective way, so that you can look for bugs on your own and maybe receive an award.

This hands-on video course is designed to teach you both basic and advanced techniques. During the course you will learn:

  • The process of identifying and exploiting vulnerabilities in iOS Applications

  • iOS Traffic Analysis

  • Runtime analysis of iOS apps

  • Exploiting iOS Applications

  • iOS Forensics

  • Exploiting iDevices with Metasploit

Also, don't forget about the Android bug bounty program. You can look for vulnerabilities in the latest Android versions; the full list of reward amounts is available here: https://www.google.com/about/appsecurity/android-rewards/

Rewards range from $200 up to $50,000 for an exploit or chain of exploits leading to TEE (TrustZone) or Verified Boot compromise from a remote or proximal attack vector. The amount paid depends on the level of detail in the report, whether a proof of concept is included, and any additional information provided.

The Android Security Rewards program is one year old; in that time the company has received over 250 vulnerability reports, with an average reward of $6,700 per researcher.

How can we help you with learning Android penetration testing?

If you are an Android fan who has always wanted to understand how the system works and learn how to test it, we have a course created especially for you.

During the course you will:

  • Understand the Android ecosystem and application architecture.

  • Understand components of the Android data storage and security models.

  • Identify specific threats and risks associated with the Android mobile platform.

  • Perform a hands-on penetration test and reverse engineer an Android application.

  • Use your powerful Android device.

  • Perform professional security analysis of your network, or your business network, from point zero.

  • Understand all the risks and vulnerabilities that your business network can have, how to find them, and how to secure them, with step-by-step tutorials.

And for the rest of our readers who are not sure where to start, we have two special issues of the magazine, titled Mobile Application Penetration Testing Tools and Mobile Pentesting, in which you will find articles related to both iOS and Android, ranging from basic to advanced content. You can read about tools such as Netcat, Burp Suite, QARK, AppUse and many more. Those issues focus on mobile security, mobile penetration testing and mobile attacks.

List of our courses and magazines related to mobile pentesting:

  1. iOS Penetration Testing

  2. Penetration Testing Apps for Android Devices

  3. Mobile Application Penetration Testing Tools

  4. Mobile Pentesting

  1. https://www.google.com/about/appsecurity/android-rewards/
  2. https://security.googleblog.com/2016/06/one-year-of-android-security-rewards.html