The source code for iBoot, Apple's proprietary programme that loads iOS when iPhones are powered on, was leaked on GitHub yesterday, thereby exposing the code to cyber criminals looking to jailbreak iPhones or to exploit vulnerabilities in the booting process.
While Apple has open-sourced several iOS and MacOS codes in the past, the source code for iBoot has always been a closely-guarded secret, mainly because it details out how the iOS operating system boots once an iPhone is powered on. So sensitive is the source code that its publication on GitHub has been termed by iOS expert Jonathan Levine as the "Biggest Leak in History".
While it is not clear how the perpetrator got his hands around the source code that Apple values so highly, Apple acted quickly once it became clear that the code was leaked on a platform that is frequently visited by cyber-experts and hackers alike. It ensured the code was removed by GitHub by issuing a takedown request as per the Digital Millennium Copyright Act.
In its request, Apple told GitHub that the offending post contained "reproduction of Apple's "iBoot" source code, which is responsible for ensuring trusted boot operation of Apple's iOS software. The "iBoot" source code is proprietary and it includes Apple's copyright notice. It is not open-source. Please act expeditiously to disable the content found at the following repository".
Apple also informed customers that the leaked source code was outdated and that the security of devices that run iOS are not dependent on the secrecy of source codes. According to several reports, the leaked source code was for iOS 9 but portions of the code are still used in iOS 11, the latest version of the software.
"Old source code from three years ago appears to have been leaked but, by design the security of our products doesn't depend on the secrecy of our source code. There are many layers of hardware and software protections built in to our products, and we always encourage customers to update to the newest software releases to benefit from the latest protections," said Apple.
Andy Kays, CTO at RedScan, a UK-based threat detection and response specialist, believes that even though Apple device users are not directly affected, the leak does demonstrate that vendors must take appropriate measures to ensure the security around such codes.
In an email to SC Media UK he commented, “The release of the iBoot code demonstrates that vendors can't take it for granted that source code will always remain hidden. Vendors relying excessively on code obfuscation to maintain the security of their products will always be vulnerable to leaks. Any provider that takes security seriously should always conduct rigorous threat modelling based on the assumption that source code will be exposed as some point and put in place appropriate controls to counter it."
However, Rusty Carter, VP of product at Arxan Technologies, believes that while Apple has played down the significance of the leak, cyber-criminals will try their best to make the most of the leak of one of Apple's most closely-guarded secrets.
"Apple iOS is widely viewed as the most trusted mobile operating system out there. But the leak of this source code is proof that no environment or OS is infallible, and application protection from within the application itself is crucial, especially for business-critical, data-sensitive applications. It's only a matter of time before the release of this source code results in new and very stealthy ways to compromise applications running on iOS," he warns.