The source code for iBoot, Apple’s proprietary programme that loads iOS when iPhones are powered on, was leaked on GitHub, thereby exposing the code to cyber criminals looking to jailbreak iPhones or to exploit vulnerabilities in the booting process.
In its request, Apple told GitHub that the offending post contained “reproduction of Apple’s “iBoot” source code, which is responsible for ensuring trusted boot operation of Apple’s iOS software. The “iBoot” source code is proprietary and it includes Apple’s copyright notice. It is not open-source. Please act expeditiously to disable the content found at the following repository”.
Apple also informed customers that the leaked source code was outdated and that the security of devices that run iOS are not dependent on the secrecy of source codes. According to several reports, the leaked source code was for iOS 9 but portions of the code are still used in iOS 11, the latest version of the software.
“Old source code from three years ago appears to have been leaked but, by design the security of our products doesn’t depend on the secrecy of our source code. There are many layers of hardware and software protections built in to our products, and we always encourage customers to update to the newest software releases to benefit from the latest protections,” said Apple.
Andy Kays, CTO at RedScan, a UK-based threat detection and response specialist, believes that even though Apple device users are not directly affected, the leak does demonstrate that vendors must take appropriate measures to ensure the security around such codes.
In an email he commented, “The release of the iBoot code demonstrates that vendors can’t take it for granted that source code will always remain hidden. Vendors relying excessively on code obfuscation to maintain the security of their products will always be vulnerable to leaks. Any provider that takes security seriously should always conduct rigorous threat modelling based on the assumption that source code will be exposed as some point and put in place appropriate controls to counter it.”
However, Rusty Carter, VP of product at Arxan Technologies, believes that while Apple has played down the significance of the leak, cyber-criminals will try their best to make the most of the leak of one of Apple’s most closely-guarded secrets.
“Apple iOS is widely viewed as the most trusted mobile operating system out there. But the leak of this source code is proof that no environment or OS is infallible, and application protection from within the application itself is crucial, especially for business-critical, data-sensitive applications. It’s only a matter of time before the release of this source code results in new and very stealthy ways to compromise applications running on iOS,” he warns.