9 February 2018
Apple: The 'biggest leak in history': Secret Apple source code is posted online prompting fears it could lead to major breach in iPhone security.
Written by: Samdam82


Earlier this week, iOS source code showed up on GitHub, raising concerns that hackers could find a way to comb the material for vulnerabilities. Apple has confirmed that the code appears to be real, but adds that it’s tied to old software. The source code for iBoot, which is the first app that runs when you turn on an iOS device, was posted on GitHub by an anonymous user, 'Zioshiba'. The event captured the attention of several security experts, including one who told Motherboard that it was the 'biggest leak in [Apple's] history.'
Motherboard, which was among the first to note the code labeled “iBoot,” reached out to author Jonathan Levin, who confirmed that the code certainly looks real and called it “a huge deal.” While the available code appears to be pretty small, it could certainly offer some unique insight into how Apple works its magic.
Much of the security concern is mitigated by the fact that it appears to be tied to iOS 9, a version of the operating system released three-and-a-half years ago. Apple’s almost certainly tweaked significant portions of the available code since then, and the company’s own numbers show that a large majority of users (93 percent) are running iOS 10 or later. But could the commonalities offer enough insight to pose a serious potential threat to iPhone users?
Security researcher Will Strafach said that the code is compelling for the information it gives hackers into the inner workings of the boot loader. He added that Apple’s probably not thrilled with the leak due to intellectual property concerns, but this information ultimately won’t have much if any impact on iPhone owners. “In terms of end users, this doesn’t really mean anything positive or negative,” Strafach said in an email. “Apple does not use security through obscurity, so this does not contain anything risky, just an easier to read format for the boot loader code. It’s all cryptographically signed on end user devices, there is no way to really use any of the contents here maliciously or otherwise.”
Apple’s multi-layered approach to keeping iOS secure involves a lot more safeguards than what you’d see in a leak like this, however it may have made its way to GitHub. Of course, as Strafach correctly points out, the company’s still probably not thrilled about the optics around having had this information in the wild — if only for a short while.