Security

iPhone source code leaked as anonymous developer posts iOS bootloader to GitHub

Apple has since had the repository removed through the Digital Millennium Copyright Act.

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • Part of the source code for the iOS 9 bootloader was leaked and anonymously posted on GitHub.
  • Using a leaked iOS source code, even for an older version, a hacker could find and exploit vulnerabilities in the code.

A major portion of the source code for iOS 9 was leaked after an anonymous GitHub user posted it in a repository on the website. The repository has been removed, but there is still potential for damage to be done with the code.

According to Motherboard, which first reported the story, the code is labeled iBoot, and is likely the code for the bootloader in iOS. While the code is connected to an older version of iOS, bits and pieces of it are likely still in use in today's version of the software.

While the code will likely be used to create more jailbroken versions of iOS, Motherboard noted, it could also be studied by hackers to find potential vulnerabilities and exploit them. Jonathan Levin, an author of books on iOS and Mac OSX, told the publication that it is "the biggest leak in history."

SEE: Information security incident reporting policy (Tech Pro Research)

The burning question about this source code leak: Is it real?

According to Levin, the code looks real, as it matches the code he reverse engineered, Motherboard reported. Additionally, Apple may have accidentally confirmed the validity of the code itself.

To get the repository taken down, Apple leveraged the Digital Millennium Copyright Act (DMCA), filing a notice with GitHub about the offending code. Per GitHub's DMCA takedown policy, the copyright owner must "conduct an initial investigation to confirm both that they own the copyright to an original work and that the content on GitHub is unauthorized and infringing." So, Apple must own the copyright of the code in order to have it removed.

In another posted letter, Apple wrote "The 'iBoot' source code is proprietary and it includes Apple's copyright notice. It is not open-source."

What does this mean for everyday users? Not much. Tethered jailbreaks may be making a comeback, Levin told Motherboard, but there probably won't be a large swath of iOS attacks that crop up due to this.

Forrester vice president and principal analyst Jeffrey Hammond said that, from a developer point of view, "the damage is already done—the posting on GitHub and DMCA takedown just publicizes it."

Regular developers probably won't try to exploit the code, even with a cloned GitHub repository, as the risk of getting tangled up with Apple's lawyers is too much. Hackers and nation state attackers, well, that's a whole different story.

Also see

ios11.jpg
Image: CNET

About Conner Forrest

Conner Forrest is a Senior Editor for TechRepublic. He covers enterprise technology and is interested in the convergence of tech and culture.

Editor's Picks

Free Newsletters, In your Inbox