This post is from the Arxan blog and has not been updated since the original publish date.

Last Updated Mar 13, 2018 — Application Security expert

Latest Revelations Confirm Arxan’s Suspicions of Source of Apple Source Code Leak Issue

In early February, news broke that “critical, top secret Apple code for the iPhone's operating system – ‘iBoot’ – was posted on GitHub, opening a new, dangerous avenue for hackers and jailbreakers to access the device.”

Rusty Carter, Vice President of Product Management, analyzed the leak and explained what it meant for the industry: it could potentially allow hackers to find security holes in the smartphone, enabling them to analyze Apple’s code, then replicate and manipulate it for malicious purposes.

As he noted, “Apple iOS is widely viewed as the most trusted mobile operating system out there. But the leak of this source code is proof that no environment or OS is infallible, and application protection from within the application itself is crucial, especially for business-critical, data-sensitive applications. It's only a matter of time before the release of this source code results in new and very stealthy ways to compromise applications running on iOS.”

Threatpost: Apple Downplays Impact of iBoot Source Code Leak

Security Week: Source Code of iOS Security Component iBoot posted to GitHub

Apple Says Don’t Fear about Leaked Source Code, Experts Say Do

In further conversations with the media, Carter speculated on the intent and source of the leak. He noted, “A ‘for profit’ criminal would likely keep for their own use to develop malware (including adware or spyware attached to a jailbreak kit), use it to reverse-engineer / compromise iOS applications (like those from banks, payments, or connected medical devices), or try to sell it on the black market.”

Given that the code appeared on GitHub, Carter instead noted, “It's likely from either a disgruntled employee looking for notoriety or from an employee's lost or stolen device that was then compromised.”

SC Magazine: Apple iOS 9 source code posted to Github

SC Magazine UK: Apple’s closely-guarded iBoot source code made public on GitHub

The story continued to evolve over the next week, as it emerged that the source code had actually leaked in 2016 and then found an even wider audience as it was shared again. “In 2016, a low-level employee working at Apple's Cupertino headquarters was convinced by some of his friends in the jailbreaking community to steal some Apple source code for their own security research. The group of friends never intended on the source code leaking from the initial bunch but nearly a year after the code was stolen someone inside the group gave it ‘to someone else who shouldn't have had it.’ Despite the wider exposure, the code largely went unnoticed until it eventually went viral after being posted to GitHub.”

This revelation supports Carter’s line of reasoning about the likely source.  

Carter notes, “Exposure publicly on GitHub will certainly signal Apple to evaluate the risk of using the older version source to attack new versions of iBoot.”

The bottom line? App developers can’t trust even the most secure OS to protect their apps. Even an older version of iOS poses risk. App dev teams must take it upon themselves to harden their applications from within, lest they fall prey to the flaws of their environment.
