Apple has confirmed that source code to the iOS boot loader posted to collaborative coding site GitHub is genuine, but has played down security concerns by stating that the files were three years old and long outdated.
Responsible for validating the origin of executables running on the device at first start-up, the iBoot source code would be a natural target for anyone looking to boot unsigned code - whether for legitimate or malicious purposes - on an iOS device. This makes the posting of its source code, first spotted yesterday by Vice's Motherboard, a genuine problem for Apple - but one the company is significantly downplaying.
Following the removal of the files from the collaborative coding and version control service GitHub via a Digital Millennium Copyright Act (DMCA) takedown notice, Apple has confirmed that that files were genuine and a 'reproduction of Apple’s ‘iBoot’ source code, which is responsible for ensuring trusted boot operation of Apple's iOS software'. Since the takedown notice, though, the company has stated that the files represented 'old source code from three years ago,' claiming that 'by design the security of our products doesn’t depend on the secrecy of our source code' and thus the leak should be of little concern to users.
For those whose interests lie in circumventing Apple's security measures, however, the leak will likely prove of considerable interest - as, despite being associated with iOS 9, the core functionality is likely identical in the company's latest iOS 11 release.
January 24 2020 | 12:00