The iOS 9 iBoot source code published this week is old and shouldn't pose a threat to people who keep their iPhones and iPads updated, Apple said on Thursday.
"Old source code from three years ago appears to have been leaked, but by design the security of our products doesn't depend on the secrecy of our source code," the company told AppleInsider. "There are many layers of hardware and software protections built into our products, and we always encourage customers to update to the newest software releases to benefit from the latest protections."
Users who keep their device up to date with the latest iOS versions should be well protected against potential vulnerabilities, and judging from Apple's own metrics a majority of users — 93 percent — are running iOS 10 or above.
Still, the company has had the code removed from GitHub via a DMCA takedown notice, but not before it spread to other locations online.
iBoot is essential to loading iOS; for instance, it verifies that the kernel is properly signed. Hackers could theoretically use the source code to uncover vulnerabilities, though it's not clear how much of iOS 9's code has carried over to iOS 11, and other security measures are in place, such as the hardware-based Secure Enclave, which stores critical Face ID and Touch ID data.
Apple offers a $200,000 bounty to security researchers who discover holes in iBoot, given the potential damage a successful hack could cause. Even without malicious intent, hackers could produce new jailbreaks, something Apple is keen to prevent both for security and to keep people paying at the App Store.
13 Comments
Yup, we all clearly understand the defense in depth strategy that nullifies this leak. Unfortunately the non tech savvy news outlets that drool over anything anti-Apple are already presenting this as an Armageddon level security breach involving Apple's most critical products. It's too bad there is no reliable digital chain of custody so the authorities can determine who the lowlife scumbag is who originated the leak.
But wait - isn’t Android open source? If that’s a concern for you then an iPhone is still a better option. (Or a Windows phone, since no one even cares about the source code of those!)
Whistleblowers are to be lauded whichever sector they work in: National Security, Commerce, governmental administrations. From what I've gleaned this release of iBoot is of no threat to current iOS devices running the latest software. Should this leaked source code lead to the discovery of other security risks you'll all be glad it was outed and squashed. "Every cloud..."
I don't see why Apple would do this. I thought they learned their lesson about calling attention to themselves this way, especially knowing that you can't stop the distribution once it's hit the internet.