This post is from the Arxan blog and has not been updated since the original publish date.
Latest Revelations Confirm Arxan’s Suspicions of Source of Apple Source Code Leak Issue
In early February news broke that “critical, top secret Apple code for the iPhone's operating system, ‘iBoot’, was posted on GitHub, opening a new, dangerous avenue for hackers and jailbreakers to access the device.”
Rusty Carter, Vice President of Product Management, analyzed the leak and explained what it meant for the industry: it could potentially allow hackers to find security holes in the smartphone by analyzing Apple’s code and replicating and manipulating it for malicious purposes.
As he noted, “Apple iOS is widely viewed as the most trusted mobile operating system out there. But the leak of this source code is proof that no environment or OS is infallible, and application protection from within the application itself is crucial, especially for business-critical, data-sensitive applications. It's only a matter of time before the release of this source code results in new and very stealthy ways to compromise applications running on iOS.”
In further conversations with media, Carter speculated on the intent and source of the leak. He noted that, “A ‘for profit’ criminal would likely keep it for their own use to develop malware (including adware or spyware attached to a jailbreak kit), use it to reverse-engineer / compromise iOS applications (like those from banks, payments, or connected medical devices), or try to sell it on the black market.”
Given that the code appeared on GitHub, Carter noted that instead, “It's likely from either a disgruntled employee looking for notoriety or from an employee's lost or stolen device that was then compromised.”
The story continued to evolve over the next week, proving that the source code had actually leaked in 2016 and then found an even wider audience when it was shared again. “In 2016, a low-level employee working at Apple's Cupertino headquarters was convinced by some of his friends in the jailbreaking community to steal some Apple source code for their own security research. The group of friends never intended for the source code to leak from the initial bunch, but nearly a year after the code was stolen someone inside the group gave it ‘to someone else who shouldn't have had it.’ Despite the wider exposure, the code largely went unnoticed until it eventually went viral after being posted to GitHub.”
This revelation supports Carter’s line of reasoning about the likely source.
Carter notes, “Exposure publicly on GitHub will certainly signal Apple to evaluate the risk of using the older-version source to attack new versions of iBoot.”
The bottom line? App developers can’t trust even the most secure OS to protect their apps. Even an older version of iOS poses a risk. App dev teams must take it upon themselves to harden their applications from within, lest they fall prey to the flaws of their environment.