iOS source code leak could be the worst Apple's ever had to deal with Credit: Michael Kan

iOS source code leak could be the worst Apple's ever had to deal with

Apple is used to fighting leaks about its upcoming products and OS releases, but it’s never had to deal with anything like this before. An anonymous user on the popular code-sharing server GitHub has posted a major component of the iOS source code for all to see, and some experts are fearing it could be “the biggest leak in history.”

As first reported by Motherboard, the leaked code has since been pulled off the site but not before countless people were surely able to get their hands on it. Apple was forced to use the Digital Millennium Copyright Act to get the code taken down, and as UW research scientist Karl Koscher mused on Twitter, the law essentially forces Apple to admit that the code was real or else face perjury charges. In the DMCA takedown letter, Apple's legal team writes that the content in question is a "reproduction of Apple's "iBoot" source code, which is responsible for ensuring trusted boot operation of Apple's iOS software. The 'iBoot' source code is proprietary and it includes Apple's copyright notice. It is not open-source."

apple ios dmca GitHub

Apple is actively working to take down all instances of the iBoot code on GitHub.

The code in question is for a version of iOS 9.3, which was released in spring 2016 and brought features such as Night Shift and various other improvements. The portion of the code that leaked is called iBoot, and as its name suggests, it controls the trusted boot-up process that springs into action every time you start up your iPhone. According to Apple, the iOS bootloader "is the first step in the chain of trust where each step ensures that the next is signed by Apple." If it is compromised, it could allow infected software to run on the device.

While the leak is certainly embarrassing, it could also be dangerous. Apple’s boot process is the most essential part of its iOS code, providing front-line protection against malware and other attacks. It’s so sensitive, in fact, that Apple shells out up to $200,000 to developers who find vulnerabilities, according to reports on the invitation-only program.

While the code is for a two-year-old OS, it’s likely that parts of it are still in use in the latest version of iOS 11. The most likely use for the iBoot code would be for creating jailbroken versions of iOS, but intimate knowledge of iOS’s source code could benefit hackers as well, as it provides an unprecedented look at how the iOS sausage is mode. By digging through the source code, malicious coders could spot vulnerabilities and inconsistencies in the code that could be used to attack all version of iOS, not just 9.3.

The impact on you at home: For the average user, there probably isn’t much to fear, at least not yet. To attack your phone using anything discovered in the iBoot leak, a hacker would likely need physical access to your phone and a bit of time to install a new OS on it. However, it does mean that hackers will be hard at work to find exploits in the code, as well as designers looking to emulate the iOS system. And it’s just one more unfortunate security story Apple has to deal with.

IDG Insider

PREVIOUS ARTICLE

«Dell is selling a 24-inch 1440p G-Sync monitor for less than $400 today

NEXT ARTICLE

How tighter ties between Google and Nest can bring new value to the Google Tax»
author_image
IDG Connect

IDG Connect tackles the tech stories that matter to you

Add Your Comment

Most Recent Comments

Our Case Studies

IDG Connect delivers full creative solutions to meet all your demand generatlon needs. These cover the full scope of options, from customized content and lead delivery through to fully integrated campaigns.

images

Our Marketing Research

Our in-house analyst and editorial team create a range of insights for the global marketing community. These look at IT buying preferences, the latest soclal media trends and other zeitgeist topics.

images

Poll

If it were legal, would your organization hack back?