iBoot Leak: Apple's Secret iPhone iOS Source Code On Github, Is Your iPhone Secure?

Apple’s secret source code for a vital part of the iPhone’s operating system was leaked on the code-sharing server site GitHub on Wednesday, Motherboard reported.

The vital source code that was leaked, called “iBoot,” is the part of iOS that works to ensure a trusted boot of the operating system. The program loads the system and verifies the kernel is properly signed by Apple before running the system on a device. The leaked code is for iOS 9, but parts of the source code could still be used on Apple’s latest iOS 11 system, the report said.

The leak opens up a path for hackers, jailbreakers and security researchers to find flaws in iOS, making it easier to jailbreak iPhones. The leaked code could also allow programmers to imitate iOS on platforms that are not related to Apple.

Jonathan Levin, who has written books on iOS and Mac OSX internals, described the leak as a “huge” deal on Twitter. Levin told Motherboard that the leak meant tethered jailbreaks, which require the iPhone to be connected to a computer when booting, could soon return for regular users. The jailbreaks used to be easier to implement on iPhones and were much more common years ago, however the process has gotten more difficult through more advanced iOS devices. The latest iOS versions have better security tools that make it hard for even highly skilled researchers to look for bugs, since they need to jailbreak the smartphone first before inspecting the device.

The leaked code has since been removed from the site. Apple indirectly confirmed that the source code posted on GitHub was legit after it issued a DMCA takedown under penalty of perjury on Wednesday.

“I have a good faith belief that the files in the repository identified below (by URL) are unlawful under these laws because, among other things, the files offer to distribute a copyrighted item without authorization from the owner of the copyright,” Apple said in the request. “Reproduction of Apple's ‘iBoot’ source code, which is responsible for ensuring trusted boot operation of Apple's iOS software. The ‘iBoot’ source code is proprietary and it includes Apple's copyright notice. It is not open-source.”

Apple has been pretty secretive with its codes and has avoided releasing it to the public, although it has made certain parts of iOS and MacOS open source in the past few years. Apple has especially kept the iBoot program secure and kept its code private. The company launched its bug bounty program in 2016, and flaws in secure boot firmware components were valued at up to $200,000. Apple’s bounty program also rewards researchers when reporting executions of arbitrary or malicious code with kernel privileges, as well as access to iCloud account data on Apple servers. Those were valued at $50,000, while the boot flaws were the highest valued in the bounty program.