Apple confirms massive iOS leak but says it's not so bad | Cult of Mac

Apple confirms massive iOS leak but says it’s not so bad


This leak is bad news for iPhone users.
Photo: Ste Smith/Cult of Mac

Apple confirmed this morning that the leaked iOS source code that hit the web yesterday is indeed authentic.

The iPhone-maker ordered GitHub to pull the iBoot source code from its servers. Security researchers remain worried that the leak could help hackers compromise iPhones and iPads, but Apple says there’s nothing to worry about.

In a statement released to news outlets this morning, Apple confirmed that the source code is from iOS 9. Only 7 percent of iOS devices in use right now are on iOS 9 or lower. Most of the code leaked has likely already been replaced by new builds of iOS 10 and iOS 11.

“Old source code from three years ago appears to have been leaked, but by design the security of our products doesn’t depend on the secrecy of our source code,” Apple said in its statement. “There are many layers of hardware and software protections built into our products, and we always encourage customers to update to the newest software releases to benefit from the latest protections.”

Apple’s latest iOS adoption chart shows that 65 percent of iPhone and iPad users run iOS 11. 28 percent of users run iOS 10.

iBoot is what loads iOS. It’s the first process that runs when you turn on your iPhone or iPad. It verifies that the kernel is signed by Apple — to make sure unauthorized software doesn’t run on the device — and then executes it.

It’s easy to see why finding a hole in iBoot could allow iOS devices to run modified or third-party software. Still, the code that was leaked can’t be compiled since bits of it are missing.


Daily round-ups or a weekly refresher, straight from Cult of Mac to your inbox.

  • The Weekender

    The week's best Apple news, reviews and how-tos from Cult of Mac, every Saturday morning. Our readers say: "Thank you guys for always posting cool stuff" -- Vaughn Nevins. "Very informative" -- Kenly Xavier.