The source code for Apple’s iBoot, the little-known but critically important secure bootloader for iOS, leaked online yesterday. Apple this morning confirmed the leak by filing a DMCA copyright takedown request with the code’s host, GitHub.
Though the publication of iBoot was enthusiastically dubbed “the biggest leak in history” in the initial Motherboard report, the source code is believed to be from three-generations-old iOS 9. It is thus likely mostly a concern for users of older iOS devices lacking the “secure enclave,” a hardware security feature found in all Touch ID devices since the iPhone 5s.
iBoot is not labeled or marketed by Apple in any way. It is, however, the first app that runs when you turn on an iOS device, silently transitioning from a black screen to the white Apple icon to iOS’ colorful Home screen.
iBoot is designed to guarantee that a valid, trusted version of iOS is being loaded. Unlike other portions of iOS that have been open-sourced, it’s been kept opaque for security reasons. Apple considers bugs in iBoot to be so important that it pays security researchers up to $200,000 per vulnerability.
The disclosure of iBoot’s source code could considerably improve hackers’ chances of spotting issues, and reignite a jailbreaking scene that all but dried up as iOS’s hardware and software security improved. Motherboard speculates that the leak could also enable programmers to emulate iOS on non-Apple platforms.
That said, it’s unclear how much of the iOS 9-vintage code remains in the current iOS 11 and near-future iOS 12 iBoot process, nor how improvements to the secure enclave hardware may have mitigated risks to almost all iOS devices currently being sold.
Updated at 10:54 a.m. Pacific: An Apple spokesperson provided the following statement: “Old source code from three years ago appears to have been leaked, but by design the security of our products doesn’t depend on the secrecy of our source code. There are many layers of hardware and software protections built into our products, and we always encourage customers to update to the newest software releases to benefit from the latest protections.”
To put iOS 9’s current installed base in some perspective, Apple’s App Store developer page currently shows that 93% of iOS devices are running either iOS 10 or iOS 11.