Apple is used to fighting leaks about its upcoming products and OS releases, but it’s never had to deal with anything like this before. An anonymous user on the popular code-sharing server GitHub has posted a major component of the iOS source code for all to see, and some experts are fearing it could be “the biggest leak in history.”
As first reported by Motherboard, the leaked code has since been pulled off the site but not before countless people were surely able to get their hands on it. Apple was forced to use the Digital Millennium Copyright Act to get the code taken down, and as UW research scientist Karl Koscher mused on Twitter, the law essentially forces Apple to admit that the code was real or else face perjury charges. In the DMCA takedown letter, Apple’s legal team writes that the content in question is a “reproduction of Apple’s “iBoot” source code, which is responsible for ensuring trusted boot operation of Apple’s iOS software. The ‘iBoot’ source code is proprietary and it includes Apple’s copyright notice. It is not open-source.”
The code in question is for a version of iOS 9.3, which was released in spring 2016 and brought features such as Night Shift and various other improvements. The portion of the code that leaked is called iBoot, and as its name suggests, it controls the trusted boot-up process that springs into action every time you start up your iPhone. According to Apple, the iOS bootloader “is the first step in the chain of trust where each step ensures that the next is signed by Apple.” If it is compromised, it could allow infected software to run on the device.
In a statement, Apple said, “Old source code from three years ago appears to have been leaked, but by design the security of our products doesn’t depend on the secrecy of our source code. There are many layers of hardware and software protections built into our products, and we always encourage customers to update to the newest software releases to benefit from the latest protections.”
While the leak is certainly embarrassing, it could also be dangerous. Apple’s boot process is the most essential part of its iOS code, providing front-line protection against malware and other attacks. It’s so sensitive, in fact, that Apple shells out up to $200,000 to developers who find vulnerabilities, according to reports on the invitation-only program.
While the code is for a two-year-old OS and nearly 95 percent of users are on later versions of iOS, it’s likely that parts of it are still in use even in the most recent version of iOS 11. The most likely use for the iBoot code would be for creating jailbroken versions of iOS, but intimate knowledge of iOS’s source code could benefit hackers as well, as it provides an unprecedented look at how the iOS sausage is mode. By digging through the source code, malicious coders could spot vulnerabilities and inconsistencies in the code that could be used to attack all version of iOS, not just 9.3.
The impact on you at home: For the average user, there probably isn’t much to fear, at least not yet. To attack your phone using anything discovered in the iBoot leak, a hacker would likely need physical access to your phone and a bit of time to install a new OS on it. However, it does mean that hackers will be hard at work to find exploits in the code, as well as designers looking to emulate the iOS system. And it’s just one more unfortunate security story Apple has to deal with.
Michael Simon has been covering Apple since the iPod was the iWalk. His obsession with technology goes back to his first PC—the IBM Thinkpad with the lift-up keyboard for swapping out the drive. He's still waiting for that to come back in style tbh.