Earlier this week, iOS source code showed up on GitHub, raising concerns that hackers could find a way to comb the material for vulnerabilities. Apple has confirmed with TechCrunch that the code appears to be real, but adds that it's tied to old software.
The material is gone now, courtesy of a DMCA notice Apple sent to GitHub, but the occurrence was certainly notable, given the tight grip the company traditionally has on such material. So, if the code was, indeed, what it purported to be, has the damage already been done?
Motherboard, which was among the first to note the code labeled “iBoot,” reached out to author Jonathan Levin, who confirmed that the code certainly looks real and called it “a huge deal.” While the available code appears to be pretty small, it could certainly offer some unique insight into how Apple works its magic.
"Old source code from three years ago appears to have been leaked," the company said in a statement provided to TechCrunch, "but by design the security of our products doesn’t depend on the secrecy of our source code. There are many layers of hardware and software protections built into our products, and we always encourage customers to update to the newest software releases to benefit from the latest protections."
Much of the security concern is mitigated by the fact that it appears to be tied to iOS 9, a version of the operating system released three-and-a-half years ago. Apple’s almost certainly tweaked significant portions of the available code since then, and the company's own numbers show that a large majority of users (93-percent) are running iOS 10 or later. But could the commonalities offer enough insight to pose a serious potential threat to iPhone users?
Security researcher Will Strafach told TechCrunch that the code is compelling for the information it gives hackers into the inner workings of the boot loader. He added that Apple’s probably not thrilled with the leak due to intellectual property concerns (see: the DMCA request referenced above), but this information ultimately won’t have much if any impact on iPhone owners.
“In terms of end users, this doesn’t really mean anything positive or negative,” Strafach said in an email. “Apple does not use security through obscurity, so this does not contain anything risky, just an easier to read format for the boot loader code. It’s all cryptographically signed on end user devices, there is no way to really use any of the contents here maliciously or otherwise.”
In other words, Apple’s multi-layered approach to keeping iOS secure involves a lot more safeguards than what you’d see in a leak like this, however it may have made its way to GitHub. Of course, as Strafach correctly points out, the company’s still probably not thrilled about the optics around having had this information in the wild — if only for a short while.