Story image

Apple says DON’T fear about leaked source code – experts say DO

10 Feb 2018

Yesterday an anonymous user posted what experts believed at the time to be the source code for a key component of the iPhone’s operating system on GitHub.

Apple indirectly confirmed the code to be real soon after when it demanded GitHub to take the source code down with a DMCA legal notice.

The code on GitHub was labelled ‘iBoot’, which is a key cog of iOS responsible for making sure the operating system ‘boots up’ safely and securely. This means of all the processes running behind iOS, it is the very first to start up when an iPhone is turned on.

The code indicated that it was taken from iOS 9 butt experts say there are portions of it that are still likely to be used in the newest operating system, iOS 11.

While various parts of iOS and MacOS have been made open source in recent years, Apple has gone out of its way to ensure iBoot’s code remains private – in Apple’s bounty program, bugs in the boot process are deemed the most valuable and can fetch up to US$200k.

Apple confirmed in a statement that the source code had been posted online, but asserted it was three years old and that by design the security of their products aren’t based on the secrecy of their source code.

“There are many layers of hardware and software protections built in to our products, and we always encourage customers to update to the newest software releases to benefit from the latest protections,” the statement from Apple read.

So what are the actual implications of this leak? Arxan Technologies VP of product, Rusty Carter says iBoot’s leak  could potentially allow hackers to find security holes in the smartphone, enabling them to analyse Apple’s code, replicating and manipulating it for malicious purpose.

"Apple iOS is widely viewed as the most trusted mobile operating system out there. But the leak of this source code is proof that no environment or OS is infallible, and application protection from within the application itself is crucial, especially for business-critical, data-sensitive applications,” says Carter.

“It's only a matter of time before the release of this source code results in new and very stealthy ways to compromise applications running on iOS."

Various experts online agree with Carter, reporting the leak could pave the way for hackers to find flaws and bugs to enable them to crack or decrypt an iPhone. There is also the potential for advanced programmers to ‘clone’ iOS onto non-Apple platforms.

Nuance biometrics fight back against fraud
Nuance Communications has crunched the numbers and discovered that it has prevented more than US$1 billion worth of fraud from being passed on to users of its Nuance Security Suite.
Attacks targeting Cisco Webex extension explode in popularity - WatchGuard
WatchGuard's Internet Security Report for Q4 2018 also finds growing use of a new sextortion phishing malware customised to individual victims.
Developing APAC countries most vulnerable to malware - Microsoft
“As cyberattacks continue to increase in frequency and sophistication, understanding prevalent cyberthreats and how to limit their impact has become an imperative.”
Worldwide spending on security to reach $103.1bil in 2019 - IDC
Managed security services will be the largest technology category in 2019.
Privacy: The real cost of “free” mobile apps
Sales of location targeted advertising, based on location data provided by apps, is set to reach $30 billion by 2020.
Myth-busting assumptions about identity governance - SailPoint
The identity governance space has evolved and matured over the past 10 years, changing with the world around it.
Forrester names Crowdstrike leader in incident response
The report provides an in-depth evaluation of the top 15 IR service providers across 11 criteria.
Slack doubles down on enterprise key management
EKM adds an extra layer of protection so customers can share conversations, files, and data while still meeting their own risk mitigation requirements.