A portion of Apple's sensitive and proprietary iOS source code was posted to GitHub on Wednesday (7 February) in a breach that some dubbed the "biggest leak in history".
The source code for iBoot — the iOS process that starts up the system when you switch on your iPhone and makes sure the code being run is valid and legitimate — was leaked by an anonymous user named "ZioShiba".
According to Motherboard, the three-year-old source code for iOS 9 was initially stolen by a former Apple intern who shared it with a group of five friends in the iOS jailbreaking community. "He pulled everything, all sorts of Apple internal tools and whatnot," one friend of the intern who received the code told Motherboard. Two people who originally received the code said it was never meant to leave the group, but was ultimately shared beyond the circle of five friends sometime in 2017.
"I was really paranoid about it getting leaked immediately by one of us," another person said. "Having the iBoot source code and not being inside Apple... that's unheard of."
The code was eventually shared in a Discord chat group and later posted to Reddit on r/jailbreak about four months ago. The post was automatically removed by a moderator bot but was eventually leaked again via GitHub this week.
"I personally never wanted that code to see the light of day. Not out of greed but because of fear of the legal firestorm that would ensue," the person continued.
"The Apple internal community is really full of curious kids and teens. I knew one day that if those kids got it they'd be dumb enough to push it to GitHub.
"What leaked yesterday isn't even the full leak really. It's not the original leak—it's a copy," the person added.
The post quickly went viral before Apple ordered GitHub to remove the link by issuing a DMCA takedown notice. The Cupertino company confirmed that the post did contain legitimate code but dismissed any potential security implications of the leak.
"Old source code from three years ago appears to have been leaked," the company said in a statement to TechCrunch. "But by design the security of our products doesn't depend on the secrecy of our source code. There are many layers of hardware and software protections built into our products, and we always encourage customers to update to the newest software releases to benefit from the latest protections."
According to the takedown notice, the offending post contained a "reproduction of Apple's 'iBoot' source code" which is "proprietary and it includes Apple's copyright notice".
IBTimes UK has reached out to Apple for further comment.
Although Apple says the outdated code is unlikely to be exploited by hackers to break into their devices or compromise users' security, experts say the leak of such code itself is worrying. The fact that Apple's key proprietary code was seemingly swapped in the wild around the jailbreaking community before it was leaked also raises serious security concerns.
"The release of the iBoot code demonstrates that vendors can't take it for granted that source code will always remain hidden," RedScan CTO Andy Kays told SC Magazine UK. "Vendors relying excessively on code obfuscation to maintain the security of their products will always be vulnerable to leaks. Any provider that takes security seriously should always conduct rigorous threat modelling based on the assumption that source code will be exposed at some point and put in place appropriate controls to counter it."