Updated: Apple reveals potential iOS security flaws in unencrypted kernel release
Apple has released an unencrypted version of the kernel in its latest operating system, iOS 10, giving security researchers an unprecedented opportunity to scour the kernel for security flaws.
The preview version of iOS 10 was released at Apple's WWDC event in San Francisco.
The company may have adopted this new approach to encourage the reporting of more bugs, but so far it has not commented on this.
MIT Technology Review speculated that it could even have been an embarrassing mistake.
Apple encrypted the kernel in previous releases of iOS, which made the work of security researchers much harder as they sought to reverse engineer certain features to look for potential flaws.
This doesn't mean that the security of iOS 10 is compromised, according to Jonathan Levin, who wrote “Mac OS X Internals: To the Apple's core”.
While opening up the kernel for inspection will make it easier for blackhat hackers and governments to find security flaws, it will also help the whitehat community find and report the flaws to Apple, leading to quicker discovery and remediation.
Brian Chappell, technical service director for EMEA at BeyondTrust, told SCMagazineUK.com, “While encrypting the iOS kernel does prevent prying into the inner workings of the OS, we should never rely on obscurity as a method of security as you can never tell who can gain access to the code itself, as the FBI demonstrated through their ‘consultant’ recently when they managed to retrieve the data from the phone of the San Bernardino killer. Many eyes should lead to a much better, more secure iOS so I hope this was a deliberate act on the part of Apple.”
Neil Cook, chief security architect at Open-Xchange, said, “Accidental or not, Apple's move to release the unencrypted iOS kernel will only improve the security of the operating systems for users. Transparency and continued scrutiny are the only ways to maintain a high standard of security in any digital product. Open source developers have known this for years and their products are far more secure as a result.”