Apple Confirms iPhone Source Code Leak is Real, But Says its Security Doesn't Depend on Secrecy

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Feb 8, 2018.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1
    [​IMG]


    Source code for iBoot, a core component of the iPhone's operating system leaked on GitHub yesterday, raising concerns that the hackers and security researchers could dig into the code to find iOS vulnerabilities.

    [​IMG]

    In a statement issued to MacRumors this morning, Apple confirmed the authenticity of the code but emphasized that it's for iOS 9, a three-year-old operating system that's been replaced with iOS 11 and is in use on only a small number of devices.
    Based on data from Apple's App Store support page for developers, iOS 11 is installed on 65 percent of devices, iOS 10 is installed on 28 percent of devices, and earlier versions of iOS, such as iOS 9, are installed on just seven percent of devices.

    In addition to acknowledging that the leak contained real source code, Apple this morning also sent a DMCA takedown notice to GitHub this morning, successfully getting the code removed from the site.

    The data that was shared on GitHub was incomplete so the iBoot code was not able to be compiled, but it did include a documents directory that offered up additional information relevant to iBoot, and combined, the data leak could make it easier to locate vulnerabilities to create new jailbreaks.

    Average users should not need to be concerned about the leak, however, as Apple has many layers of protection in place, like the Secure Enclave, and does not rely on source code secrecy alone as a way to keep its users safe.

    Security researcher Will Strafach, who spoke to TechCrunch, echoed what Apple had to say. He believes the source code is compelling because it provides an inside look into the inner workings of the bootloader, but ultimately, "Apple does not use security through obscurity," so there is nothing risky in the code.

    Article Link: Apple Confirms iPhone Source Code Leak is Real, But Says its Security Doesn't Depend on Secrecy
     
  2. tzm41 macrumors regular

    tzm41

    Joined:
    Jul 11, 2014
    Location:
    Boston, USA
    #3
    Most likely users won't have to sweat if all implementations are right. Indeed security of these OS level protections does not come from secrecy.

    But if flaws are found... it would be a different story.
     
  3. Norbs12 macrumors 6502

    Norbs12

    Joined:
    Apr 24, 2015
    Location:
    Mountain View, CA
    #4
    "root" <enter> <enter>

    jk jk

    Glad they are actually being vocal instead of almost dead silent during the battery thing. That just lead to people coming to their own conclusions. It's quite a bit harder to change people's minds once they form their own opinion, even if it's dead wrong.
     
  4. Rshill macrumors newbie

    Joined:
    Aug 18, 2010
    #5
    Not so worried about the security implications, but it could mean that ios could be booted on a generic ARM device. Basically a "hackintosh" for ios.
     
  5. scrapesleon macrumors 6502

    scrapesleon

    Joined:
    Mar 30, 2017
    Location:
    Jamaica
  6. keysofanxiety macrumors 604

    keysofanxiety

    Joined:
    Nov 23, 2011
    #7
    How many of the "better post quick and say something sarcastic" posters actually read the article and saw it was for iOS 9?
     
  7. OldSchoolMacGuy macrumors 68040

    OldSchoolMacGuy

    Joined:
    Jul 10, 2008
    #8
    Windows source code has leaked in the past and not caused issues. Some are making this out to be a far larger deal than it really is. It's only a big issue if we assume (incorrectly) that nothing has changed within the OS since iOS 9 three years ago and that Apple has made no changes to security or other pieces since.
     
  8. DailySlow macrumors member

    DailySlow

    Joined:
    Aug 5, 2015
    Location:
    Northern Virginia
    #9
    Oh, yeah, I brought the family jewels in a baggie - they're in the car.
     
  9. miniroll32 macrumors 6502a

    miniroll32

    Joined:
    Mar 28, 2010
    #10
    It’s pretty funny that, ever since Tim Cook said Apple was doubling down, they’ve surely had twice as many fails.
     
  10. Happy-Mac macrumors member

    Joined:
    Dec 12, 2012
    #11
    That sounds like fun. Maybe a HackinPhone or an iHackedPhone

    Joking aside, the conspiracy theorist inside of me wonders if they did this on purpose to have it vetted by experts who are trying to find holes to point out flaws in Apple's code.

    Which, they'll fix before the before the rumored iOS in MacOS app crossover. #LongLiveChupacabra </conspiracy-theory>
     
  11. skinned66 macrumors 65816

    skinned66

    Joined:
    Feb 11, 2011
    Location:
    Ottawa, Canada
    #12
    Awww...I was hoping for an 11.3 jailbreak sometime in the next 5 years.
     
  12. AJ5790 macrumors 6502

    Joined:
    Jun 1, 2016
    Location:
    Phoenix
    #13
    And they’re like 200% bigger. Funny how that works.
     
  13. ProwlingTiger macrumors 65816

    ProwlingTiger

    Joined:
    Jan 15, 2008
    #14
    Most likely not as the source code wasn't 100% complete and could not be compiled.
     
  14. BasicGreatGuy Contributor

    BasicGreatGuy

    Joined:
    Sep 21, 2012
    Location:
    In the middle of several books.
  15. sdf, Feb 8, 2018
    Last edited: Feb 8, 2018

    sdf macrumors regular

    sdf

    Joined:
    Jan 29, 2004
    #16
    I didn't hear much about this at the time, but you could reproduce the bug with only one press on Enter if you took the time to understand it. :) It was definitely a UI bug, but I think the UI may have been covering a weakness in the authentication layer as well.

    Edit: I don't remember exactly how to get it to get past with only one hit of Enter, but if anyone's still running pre-patched and wants to see it had something to do with which text field was first responder in the prompt. I think maybe you had to tab or click on the password field first? Been too long. I should have made a video.
     
  16. GREEN4U macrumors 6502a

    Joined:
    Mar 24, 2010
    #17
    Secret projects at Apple fall into 2 categories now. 1) Not secret or 2) Not interesting
     
  17. OldSchoolMacGuy macrumors 68040

    OldSchoolMacGuy

    Joined:
    Jul 10, 2008
    #18
  18. midkay macrumors regular

    Joined:
    Jan 27, 2008
  19. ArtOfWarfare macrumors G3

    ArtOfWarfare

    Joined:
    Nov 26, 2007
    #20
    Anyone could always just decompile the code. C doesn't decompile as easily/neatly as, say, java, but products like Hopper Decompiler exist if you want to convert from compiled code to C.
     
  20. alirz macrumors regular

    Joined:
    Sep 28, 2011
    Location:
    Montreal,Canada
    #21
    yeh that would be cool. To be able to run it in a Vm etc...or boot it up on an android device lol
     
  21. ActionableMango macrumors G3

    ActionableMango

    Joined:
    Sep 21, 2010
    #22
    "we always encourage customers to update to the newest software releases to benefit from the latest protections"

    ...and for those of you with older devices that cannot run the newest software releases, we encourage you to throw your device into a landfill because the millisecond that we make a new iOS version, we stop putting security fixes into the previous version.
     
  22. OldSchoolMacGuy macrumors 68040

    OldSchoolMacGuy

    Joined:
    Jul 10, 2008
    #23
    HA! Good luck with that. Give it a try and let us know how it works out. Hint: there's a reason someone hasn't just done that.
    --- Post Merged, Feb 8, 2018 ---
    That's not true at all. Apple continues issuing security updates for older devices years after they're no longer on sale. Android has new devices on the market which don't even run the current version of Android. The same can't be said for their push to secure older devices like Apple.
     
  23. saintstryfe macrumors member

    saintstryfe

    Joined:
    Apr 23, 2009
    #24
    Your duplicity is dually noted and ignored.
     
  24. Nozuka macrumors 68000

    Joined:
    Jul 3, 2012
    #25
    well we don't really know that for sure. maybe some of the security problems were caused by this leak. maybe some that were found are still actively being used. there's really not a good way to track this or the connection to a leak.
     

Share This Page