An anonymous person uploaded a portion of Apple’s iOS source code to GitHub this week. The code was for the iBoot portion of iOS 9, which is the first thing that loads when you turn on an iPhone or iPad. It’s the software that loads loads the kernel and makes sure the software is verified.
In other words, it’s probably the thing you want to hack if you want to jailbreak an iPhone and modify its operating system. It’s also software that could be used by malicious hackers to find new ways to infect iPhones with malware.
The code is from an older version of iOS and it’s already been removed from GitHub. But now that it’s in the wild, this leak could cause some serious headaches for apple.
First of all, it’s worth noting that this leak is almost certainly legitimate: GitHub removed the code after receiving a DMCA takedown notice from Apple. The company had to confirm the authenticity of the code in order to file the notice.
In that notice, a representative of Apple describes iBoot the following way:
Reproduction of Apple’s “iBoot” source code, which is responsible for ensuring trusted boot operation of Apple’s iOS software. The “iBoot” source code is proprietary and it includes Apple’s copyright notice. It is not open-source.
The second thing to note is that while the software is no longer on GitHub, it was up long enough for multiple users to have downloaded it… so it’s in the wild.
Finally, while the code was part of iOS 9, it’s likely that some or all of the code is still used for iOS 11. Like most developers, Apple doesn’t make a habit of starting over from scratch when designing operating system upgrades.
Something tells me Apple will be under pressure now to jettison as much old iBoot code as possible in order to enhance boot security in future versions of iOS.
Update: Apple confirmed to CNET that its 3-year-old source code “appears to have been leaked,” but claims that “there are many layers of hardware and software protection” built into its devices so that “the security of our products doesn’t depend on the secrecy of our source code.”