Apple Unfazed By iPhone Source Code Leak, But Solution Providers See Exploit Risk
Apple is contending that the posting of iOS source code online will not affect iPhone security, but enterprise mobility solution providers aren't so sure.
"To allow this type of leak could be damaging to the strides [Apple has] made in securing their OS," said Paul Troisi, chief customer officer at Peabody, Mass.-based Troy Mobility. "There have been so many vulnerabilities that have surfaced over the past couple of years and for them to lose care, custody and control of the most important aspect of their OS is shocking."
Source code for iOS, the iPhone's operating system, was posted on code-sharing site GitHub, and then reportedly removed after a request from Apple that cited copyright law.
The so-called iBoot source code is involved in securely booting up iPhones, and was actually a part of iOS 9 -- although it's likely to still be a part of the current version of iPhone operating system software, iOS 11, reports said.
The exposure of the code could raise the risk of hacking and jailbreaking activity related to Apple's iPhone, according to reports.
In a statement to CRN, Apple downplayed the impact of the source code leak.
"Old source code from three years ago appears to have been leaked, but by design the security of our products doesn't depend on the secrecy of our source code," Apple said in its statement. "There are many layers of hardware and software protections built into our products, and we always encourage customers to update to the newest software releases to benefit from the latest protections."
Troisi, however, told CRN that he does believe there's a heightened risk of exploits as a result of the iPhone source code leak.
"The goal is to stay one step ahead of the bad guys. If you give them an opening, they will exploit it," he said. "It may take them a little while, but they could exploit that OS. Even though [Apple] claims the code is from three years ago, we still see iOS 9 floating around on older devices. Not common, but still out there on older hardware. And due to the age of the hardware, an upgrade to the newest version may not be possible."
Jay Gordon, vice president of sales at Plano, Texas-based Honeywell Enterprise Mobility, called the incident "a significant situation for Apple, which differentiates itself on being a closed, highly secure platform."
The development "proves that third-party security software from the likes of MobileIron, AirWatch, SOTI and others remains a needed part of any mobility strategy to thwart jailbreaking and intrusions to the enterprise," Gordon said.
Douglas Grosfield, founder and CEO of Kitchener, Ontario-based Five Nines IT Solutions, said the incident raises other questions about Apple, as well.
"How did the code get leaked out?" Grosfield said. "Basic technologies such as data leakage protection should keep that kind of thing from happening."
The iPhone source code leak follows other recent Apple security issues including a bug in macOS High Sierra that allowed access simply by typing in the username "root," as well as the so-called "Fruitfly" malware, which could be used for such surveillance activities as taking webcam photos and capturing keystrokes. Mac users saw a 240 percent increase in malware during the first three quarters of 2017, according to cybersecurity vendor Malwarebytes.
In terms of iPhone security, a cyberattack that could involve taking over an iPhone user's camera and microphone if a user clicked a text message link was revealed in August 2016. That same month, Apple revealed a bug bounty program to pay researchers that uncover security vulnerabilities in its products.