The source code for iOS 9, an older version of Apple’s mobile software, was posted on the GitHub code-sharing site earlier this week, doubtless causing gnashing of teeth in Cupertino and joy in the iPhone jailbreaking community.
Even though the software is about two years old, and most iPhones now run iOS 11, the iOS 9 code contained the secret instructions that boot an iPhone (called “iBoot” by some), which may not have changed much in the interim.
It’s not clear whether this leak poses any kind of security threat, as the same code has apparently been circulating privately among iOS researchers for some time, and was even posted on Reddit in the fall of 2017. Because the Reddit poster wasn’t well known, few paid attention to him then.
But the source-code leak will spur new activity among jailbreakers and among iOS security researchers, the latter of whom have found it hard to find bugs in iOS because Apple won’t divulge much of its code.
Specifically, the leaked code is for iOS 9.3, released in March 2016. The consensus among iOS experts online was that it was genuine, but not exactly earth-shattering news.
“iBoot source leak isn’t as interesting as everyone is making out,” tweeted British iOS researcher nullpixel. “It’s been circulated between people for years, surprised it took this long to leak such an old build honestly.”
The code was put on GitHub anonymously, and it’s not clear who smuggled it out of Apple headquarters. You can no longer find it on the original GitHub page, thanks to a Digital Millennium Copyright Act objection by Apple’s attorneys, but it took us only a couple of minutes to find a copy. (Sorry, not linking to it.) One wag pointed out that by issuing a DMCA takedown notice, Apple confirmed that the code was real.
The bootloader verifies that the build of iOS loaded on an iPhone is genuine and allows the boot-up procedure to continue. But with each new version of iOS, Apple has been moving more and more processes to a special hardware chip called the Secure Enclave, so it’s possible that jailbreaks based on the leaked iOS 9 code may not work on newer iPhones.
So if you’re an iPhone user, should you be worried? Not really. The leaked source code will benefit low-level black-hat hackers who will be looking through it for security flaws, but they’ll be in an arms race with white-hat hackers doing the same with the intent to fix flaws and/or cash in on Apple’s bug bounties.
More serious iOS hackers will already have seen the source code. The real pros who work for or with the NSA and other intelligence agencies probably reverse-engineered iOS 9 two years ago.
UPDATE: Apple provided us with a statement, here in full:
“Old source code from three years ago appears to have been leaked, but by design the security of our products doesn’t depend on the secrecy of our source code. There are many layers of hardware and software protections built into our products, and we always encourage customers to update to the newest software releases to benefit from the latest protections.”
An Apple spokesperson pointed out that Apple’s own numbers, as posted on the Apple developer site, show that only 7 percent of iOS devices are running iOS 9 or earlier.
Amit Serper, a principal security researcher at Cybereason in Boston, said the leak of the source code does raise the security risks for iPhone users.
“The bootloader is a crucial part of the device,” Serper told Tom’s Guide. “Once its code is publicly available to analyze, it’s a game changer.”
“Finding a vulnerability in the bootloader will allow attackers to tinker with the boot process and execute code that, well, shouldn’t really be executed,” he added. “Sadly, such leaks have been the reality in the past decade.”