Apple intentionally left iOS 10 kernel unencrypted to optimize system performance

article thumbnail

AppleInsider is supported by its audience and may earn commission as an Amazon Associate and affiliate partner on qualifying purchases. These affiliate partnerships do not influence our editorial content.

Responding to speculation as to why the iOS 10 beta kernel was left unencrypted, Apple on Wednesday confirmed the move was made deliberately to streamline system performance.

Explaining the decision, an Apple spokesperson toldTechCrunch that because iOS 10's kernel cache does not contain sensitive information, it does not need to be encrypted.

"The kernel cache doesn't contain any user info, and by unencrypting it we're able to optimize the operating system's performance without compromising security," the representative said.

Apple traditionally obfuscates the kernel in order to protect its prized operating system from unwanted probing or reverse engineering, potentially by nefarious agents. The small risk — or no risk, according to Apple — of furnishing unobscured kernel cache data is likely outweighed by potential benefits.

As noted by experts earlier this week, Apple's decision allows security researchers to — legitimately — dive into the "heart" of iOS for the first time. In particular, white hats, or researchers who find and disclose vulnerabilities publicly in an effort to secure consumer devices, now have unprecedented access to Apple's code, meaning more eyes are on the lookout for potential weaknesses.

Further, Apple's move could deflate the iOS exploit market run by so-called "gray hats," or experts who take part in the ethically questionable practice of selling software vulnerabilities to government agencies or companies. The issue is of particular interest to Apple, a company that just this year tussled in court with the U.S. Justice Department over data privacy.

In February, Apple was ordered to bypass iOS security mechanisms to gain access to an iPhone linked to last year's San Bernardino terror attack. The company refused, mounting a legal defensive in response, but the case was rendered moot when the FBI cracked the device on its own using a purchased zero-day vulnerability.