Apple Says the Leaked iPhone Source Code is Outdated

Apple has responded to security concerns surrounding leaked iPhone source code, pointing out that any potential vulnerabilities would be outdated. From a report: "Old source code from three years ago appears to have been leaked," Apple said in a statement, "but by design the security of our products doesn't depend on the secrecy of our source code. There are many layers of hardware and software protections built in to our products, and we always encourage customers to update to the newest software releases to benefit from the latest protections." The iBoot source code for iOS 9, a core part of what keeps your iPhones and iPads secure when they turn on, was leaked on GitHub, Motherboard first reported. The source code leak was considered a major security issue for Apple, as hackers could dig through it and search for any vulnerabilities in iBoot. Apple had used a DMCA notice to get the Github page hosting the leaked code taken down, but multiple copies of the code have already spread online.

Misinformation

[Balial]

That code may contain ROM source code, which can't be updated. It'd be for older chips, but if it's ROM, it's never out of date.

Re:Misinformation

[uCallHimDrJ0NES]

I agree that this is misinformation, or perhaps disinformation. Apple is trying to avoid a knee-jerk reaction from investors who don't understand what this actually means. I can't really blame them. Tech speculators are superstitious and foolish.

Re:Misinformation

[Baron_Yam]

>Tech speculators are superstitious and foolish.

What ever happened to 'due diligence'? I see so much 'investment' that is just blind gambling because the right keyword is included in the company's mission statement. It's insane.

If you have so much free capital that you're willing to throw it at companies blindly... just give it away to some useful cause.

Re:Misinformation

Due diligence is what investors do. Today's stock market is drive by speculators and traders, neither of which give a rat's patootie about truth, only which way the stock might head in the next very little while. Also remember that many of today's 'traders' are software, DEEP-LEARNING software (hah!), which only looks at market technicals and not at company or product qualities. This software is built by the same quants that brought us the last global financial meltdown.

Re:Misinformation

That code may contain ROM source code, which can't be updated. It'd be for older chips, but if it's ROM, it's never out of date.

And such code (at least the core code) typically is reused again and again in newer products, so it does matter (at least in theory).

Re: Misinformation

That can't be true. How else would Apple uphold their practice of breaking things with updates?

Re: Misinformation

Not really clear on the whole "ROM" thing, are you?

Re:Misinformation

[Anubis+IV]

That code may contain ROM source code

It likely doesn't, given that a large part of the ROM code's job is to validate the integrity of iBoot (the part of iOS that leaked). Ars' writeup goes into a tiny bit more detail about what iBoot actually is, but the relevant bit for this conversation is that iBoot is the next step in the chain after ROM in the secure bootup procedure. Of course, being able to review iBoot's code can likely provide some insight into how the ROM's code is designed to function.

Re:Misinformation

[sit1963nz]

ROMs ????, not likely. EEPROM or some other tech yes, but ROMs, no way,

Re:Misinformation

[Aaden42]

iBoot is the first code to execute AFTER mask ROM on the device. The source may contain some information about the ROM by virtue of interfacing with it, but if the leak was just iBoot source, it shouldn't contain source for the ROM itself. I doubt there's anything in the leak that isn't patchable in order devices if Apple chose to do so.

Re:Misinformation

Implying that there's such a thing as an investment that isn't a gamble.

Re:Misinformation

[suutar]

the majority (possibly the vast majority) of "investing" is just speculation - the company hasn't issued new shares, so you're not really investing in it, you're just buying the theoretical fruits of someone else's investment. Given this, due diligence has kind of fallen by the wayside =/

Re:Misinformation

[zifn4b]

Apple is trying to avoid a knee-jerk reaction from investors who don't understand what this actually means

I think you're thinking of a different company called Unicorn Technology, Inc. where upper management actually understands how to run a technology business and doesn't emotionally react to stuff that sounds like it might be bad without actually understanding what it actually means...

Re:Misinformation

[zifn4b]

>Tech speculators are superstitious and foolish.

What ever happened to 'due diligence'?

I do my due diligence! It's called Magic 8-ball. I use it for all my investment decisions and it's never steered me wrong! My family has used the same one for many generations. All praise Magic 8-ball!

Re:Misinformation

[Baron_Yam]

It's always a gamble, yes... but there's a difference between manufactured risk and assumed risk.

Throwing money at companies more or less randomly (say, because they've just used the word 'blockchain' in a press release) is manufactured risk. You're creating an unnecessary risk by being blind to the investment details. You can't know how big the risk is or how big the potential payoff, because you've willfully blinded yourself.

You really should have a reason to invest in a particular company - and you should know enough about the company to make a rational assessment of the company's chances of performing to your expectations. That's an assumed risk - there's a pre-existing risk, and you're buying into it based on a (hopefully) rational and reasonably comprehensive analysis of the level of risk vs. the anticipated rewards if it pays off.

Re: Misinformation

Bs. Most algos are dumber than you think.

Re: Misinformation

Also, ROM can be patched at runtime. Not sure how safe that can be /before/ ROM patches can be applied, because the ROM patch might exploit a vulnerability in the ROM and cause it to behave ... incorrectly. But ROM it typically /very/ simple for the very fact that it cannot be changed after itâ(TM)s been manufactured. Delegation to software ASAP is a good design strategy.

Yeah Right...

Funny thing is, with the source being closed you'd have to take their word for it.

Does it still contains the "battery" issue code?

If it does then it is outdated.

In other news

[viperidaenz]

The entire source code for Android was leaked online.
Rumor has it Google was the one to leak it.

You can find the leaked code at https://source.android.com/

Re: In other news

Sigh, another sarcastic comment missed

Re:In other news

+1 Wooooosh!

Re:In other news

[dj245]

The entire source code for Android was leaked online. Rumor has it Google was the one to leak it.

You can find the leaked code at https://source.android.com/

The difference is that Android's source code has been out there and scrutinized by many people and organizations. Apple's has only been scrutinized by Apple until now. Even if significant amounts of the code are outdated, it could give people a better idea of what kind of attacks may be possible. Plus the fact that it is news may spur more attention to IOS exploits, if only out of curiosity.

Re:In other news

nice.

So why is it that Android is open because it's safer but iOS is closed because it's safer?

Re: In other news

But it really hasnâ(TM)t. Name a single product running AOSP. There isnâ(TM)t one. Every Android device out there leverages Play Services, which is closed, and the launcher now for a few generations is closed, bootloader code is closed, and driver code is closed. I wish people would stop perpetuating the myth that Android is truly open source.

Re:In other news

Perhaps he should have said 'Google didn't release it', rather than 'leak' but I think you need to self-wooosh as the parent post is entirely valid and a worthwhile counterpoint to the grandparent.

Re:In other news

That deafening noise was from the 747 sized WOOOOSH that went rocketing over your thick head.

iBoot: One i, one Boot

[Mister+Liberty]

What iBoot needs is many eyes; they make all bugs shallow.

Re:iBoot: One i, one Boot

[dgatwood]

I am now imagining a pair of Uggs with googly eyes on top and a touchscreen below it showing the nose and mouth, to allow for adaptive facial expressions based on what you step in.

Re:iBoot: One i, one Boot

What iBoot needs is many eyes; they make all bugs shallow.

Heartbleed says hello to your fallacy!

Re: iBoot: One i, one Boot

Obviously someone looked and found it. Then it got reported.

What was your point again?

Re:iBoot: One i, one Boot

The "many eyes" idea is correct in principle, but in practise it just doesn't happen. Even in the most widely used open source projects (Linux, OpenSSL, etc) much less the lesser known ones, old bugs are still being found and new ones introduced. In theory with enough people you could find and fix all bugs but this does not happen in reality. So yes, in practical terms you're right.

It does or it doesn't?

"but by design the security of our products doesn't depend on the secrecy of our source code." ...
" as hackers could dig through it and search for any vulnerabilities in iBoot. Apple had used a DMCA notice to get the Github page hosting the leaked code taken down,"

So its security doesn’t depend on being secret but let’s take it down quickly because its security depends on it being secret.

Re:It does or it doesn't?

[Dog-Cow]

I know you were taking a jab at Apple, but the statement and action are consistent. Security is in the design, while vulnerabilities are in the implementation. The security doesn't change if the source is available, but the ability to find and exploit vulnerabilities increases. In other words, vulnerabilities exist whether or not the source is available, but having the source improves a hacker's chances at finding them.

Re:It does or it doesn't?

It also improves the chances of bugs being found, going into the bugtracker, getting fixed, and vulnerabilities removed.

Re:It does or it doesn't?

I know you were taking a jab at Apple, but the statement and action are consistent. Security is in the design, while vulnerabilities are in the implementation. The security doesn't change if the source is available, but the ability to find and exploit vulnerabilities increases. In other words, vulnerabilities exist whether or not the source is available, but having the source improves a hacker's chances at finding them.

So you feel that with open-source, the ability to find vulnerabilities increases, but the chance of exploiting versus fixing them mostly falls to the exploitation side?

Re: It does or it doesn't?

[Brockmire]

How the fuck does security not change if the chance of exploit increases? Fuck, it sounds like they're saying they significantly changed code over 3 years, which is suspect in supposedly secure code. You're trying to say that the devices aren't instantly insecure just because this is public knowledge, but there's now way more eyes and more attractive attack surface. If bookies were taking bets on jailbreaks, I'd guess the odds just changed.

Re:It does or it doesn't?

The first quote was from Apple, the second one asserting a reason for the DMCA takedown was not from Apple at all. So you're pointing out inconsistency in the statements of 2 different people. Security is not the only reason to issue a DMCA takedown notice nor is it a reason cited for this DMCA takedown notice.

we always encourage customers to update

I guess Larry Nassar also did some encouraging then.

NOT ALL ReLeAsEd!!! Imagonnabeatyabitch!

Teh G keeps much code secret, only for its use. Not even talking about the modem.

Of course it's outdated... Wink Wink.

[bobbied]

If you are actively maintaining it, it is outdated as soon as some programmer checks something new into what ever you use for source code management, which if you are Apple, likely happens multiple times a day for the development streams. Even a small group of developers doing agile (the right way) will be committing changes multiple times a day... Apple does releases every few months on average, so any code is out of date every quarter or so...

The question is really how long ago this code was actually in use.... Yesterday? last year? The year before?

Re:Of course it's outdated... Wink Wink.

[angel'o'sphere]

Even^H^H^H^HEvery a small group of developers doing agile (the right way) will be committing changes multiple times a day.
FTFY.

Re:Of course it's outdated... Wink Wink.

[konohitowa]

You introduced an error. Please revert your attempted fix.

What if

[fabriciom]

Apple was the leaker?

Re:What if

Highly likely. A scare tactic to get people off ios 9.

Re: What if

Yes, to get that remaining 5% off iOS 9.

Meanwhile something like 75% of Android devices are more than a year out of date with published, exploited vulnerabilities out in the wild.

Iâ(TM)ll freely admit that I have an iOS device running 9.3, but I have disabled everything store-related on the device and only let my kids play games on it. Iâ(TM)d never use it for myself, having been abandoned by the vendor.

Android handset manufacturers, on the other hand, abandon the devices as soon as they are sold.

Re: What if

[fabriciom]

Yet here you are talking about apple and ios...

Three years old?

[QuietLagoon]

..."Old source code from three years ago appears to have been leaked," Apple said in a statement...

This code screenshot has a copyright date of 2016. http://www.theregister.co.uk/2...

Apple muddling the issue on open source

Apple also said that the security of their products does NOT depend on the secrecy of the source code.

Okay, Apple: then release all the source code. Duh. Obviously if that is their position, then open source could ONLY be a positive for security.

People buy Apple because of the hardware quality, brand recognition, and ease of use. Open sourcing the code isn't going to suddenly lead to a flood of competitors magically copying Apple's business model and taking all their sales.

Re:Apple muddling the issue on open source

What you demand is based on the false premise that the only reason for protecting the source code is security.

What about trade secrets?

And furtherrnore, even though Apple's security doesn't depend on it, the whole security principle of "defense in depth" means that it's still good practice to employ multiple tactics to improve security. Just adding another hurdle, but all things being equal, why not?

Lastly, I'll concede that it's true that there may be bugs in the code that will be identified and exploited now that the source is released, and perhaps if the code had been opened the bugs would have been identified. But the question is, "Identified by who?" Maybe a hostile attacker who doesn't disclose the defects to Apple, but rather weaponizes the exploit for gain.

Just saying, "Free the code!!!" is a cute slogan, but it's rife with hazards and business decisions.

A few non-GMS Android devices

[tepples]

Name a single product running AOSP.

Archos 43 Internet Tablet. Kindle Fire. Fire Phone. Every Android device intended for the People's Republic of China market.

Re:A few non-GMS Android devices

Name a single product running AOSP.

Archos 43 Internet Tablet. Kindle Fire. Fire Phone. Every Android device intended for the People's Republic of China market.

Nope. The Android operating system in those devices contains many proprietary bits including drivers, the operating system running in your device is derived from AOSP.

Re:A few non-GMS Android devices

[tepples]

Name a computing device from the past ten years running any operating system that doesn't have any proprietary bits in it. CPUs in even Purism Librem PCs have proprietary microcode.

Or was your point that all computing devices are equally unacceptable because they have at least one line of proprietary code in them?

Re:A few non-GMS Android devices

No the point is that you can't just take AOSP, build it and install it on any device. The source to AOSP is there but it's different to what is running on your device and the source that is there cannot be run on your device because it needs many modifications in order to do so, this is why those devices you mention do not run the latest Android version.

I can take the ubuntu source, build it and run it on just about any PC, you cannot do that with the AOSP source and smartphones.

Re:A few non-GMS Android devices

No the point is that you can't just take AOSP, build it and install it on any device. .

but thats exactly what I did with my htc magic, g1, galaxy nexus, nexus 7, and nexus 4. most of those i did have to get a few blobs for wifi and gpu though. but those were also provided by google to use with pure aosp.

the g1 now runs with less blobs than stock because i could never get graphics accel to work in ics.

Much like your lies, Apple

[Khyber]

Apple claims to support their phones for five years after the last date of manufacture for the product - https://support.apple.com/en-u...

The iPhone 4S ceased production in February 2016. Official Apple support stopped very shortly thereafter.

This, from the same company:

[p51d007]

That said people were holding the phone wrong. That said the slowdown was a "feature" and on and on.

Re:This, from the same company:

[sound+vision]

To Apple's credit, the slowdown actually was a feature. (The same feature Androids have had, with the option to turn on/off, since at least version 6.) To their discredit, the reason they forced it on people without their consent and then lied about it, was to get them to buy a new phone.

Chained Loader

[Pikoro]

So I wonder if there is a possibility that this could be used to chain another bootloader in order to get linux or even android to boot on some older phones?

Ummm, No.

[Brannon]

"The 4S was discontinued officially on September 9, 2014 following the announcement of the iPhone 6" (the Feb 2016 date was for 'developing markets' which presumably fall under a different policy)

The 5 year guarantee is for hardware service & customer support. As of today, iPhone 4S is still supported by Apple in that sense (see here: serviced ).

There is no guarantee that you'll continue getting software updates for 5 years. The last iPhone 4s-compatible iOS update was iOS 9.3.5, released on August 25, 2016, which is almost 5 years from the initial release of the iPhone 4S (October 4, 2011), and that's pretty typical (>4 years of software updates on the newest model).

Feel free to cite another major smartphone manufacturer that does better in terms of customer & hardware support lifetime and OS updates.

Re:Ummm, No.

Oh dear, an Apple zealot is about to cry. How about letting users change the FW, and roll back to an earlier version that isn't a buggy? How about letting the device owner replaced the shitty battery? How about not deliberately slowing down older devices to encourage fangirls like yourself to "upgrade" to the latest iThing?

Re:Ummm, No.

[Anubis+IV]

An AC responds to a series of facts backed up by citations by making a baseless claim based on no evidence while complaining that a product they don’t want isn’t something other than what it claims to be. They then have the gall to suggest the person they’re responding to is the zealot.

Have you tried looking in a mirror recently?

Re:Ummm, No.

[Khyber]

"The 5 year guarantee is for hardware service"

The software that is required to run the hardware is part of the fucking hardware service. The hardware can NOT run without the software.

But please, try to apologize more for a company that has always lied in its marketing to make a fucking sale.

Treble: Progress toward making AOSP installable

[tepples]

No the point is that you can't just take AOSP, build it and install it on any device.

Google is trying to fix that. Treble in Android 8 is an ABI allowing new versions of Android to install on top of the hardware abstraction layer provided by the manufacturer of an Android 8+ device. It'll be more like Windows or some GNU/Linux distributions, where the blobs are their own separate package and have their own test suite (Treble VTS on Android or HCK on Windows).

I can take the ubuntu source, build it and run it on just about any PC

And be without accelerated graphics, audio, WLAN, and suspend until you install blobs. Good luck building Debian or any other GNU/Linux distribution from source and installing it on an ASUS T100TA, for which many key blobs were never remade for Linux (source).

Re:Treble: Progress toward making AOSP installable

[ptaff]

without accelerated graphics, audio, WLAN, and suspend until you install blobs. Good luck building Debian or any other GNU/Linux distribution from source and installing it on an ASUS T100TA

If someone chooses to buy hardware that has no free drivers to run it, when alternatives do exist, who's to blame? Should we also blame Apple when a random USB gadget designed for Windows has no drivers for OS X?

Re:Treble: Progress toward making AOSP installable

[tepples]

If someone chooses to buy hardware that has no free drivers to run it, when alternatives do exist, who's to blame?

The person who bought it to give as a gift. Or the market, when alternatives do not in fact exist. On that note:

ASUS T100TA

alternatives do exist

I'm curious as to what they are. Which laptop or detachable with a 10 to 11.6 inch display do you recommend for running GNU/Linux without proprietary binary blobs?

Android 8+ device

alternatives do exist

I'm curious as to what they are. Which pocket computer with WLAN and cellular voice and data communication capability do you recommend for use without proprietary binary blobs?

Should we also blame Apple when a random USB gadget designed for Windows has no drivers for OS X?

Not usually, because Apple publishes enough information about I/O Kit to allow peripheral manufacturers to port drivers to macOS. Thus I would instead place blame on peripheral manufacturers with one exception: peripherals produced in such low volume that the extra cost to support macOS would be prohibitive, such as the "INL Retro" NES cartridge writer. For that, I'd blame the developers of popular programming languages' standard libraries for not providing a cross-OS framework that wraps each operating system's framework for user-mode drivers.

Re:Treble: Progress toward making AOSP installable

[ptaff]

[ASUS T100TA] Which laptop or detachable with a 10 to 11.6 inch display do you recommend

The FSF has a list of computers they recommend. There's also a list of hardware which needs no binary blob.

Which pocket computer with WLAN and cellular voice and data communication capability do you recommend for use without proprietary binary blobs

There is none on the market. I wrote "when alternatives exist", I never meant that there were alternatives to all proprietary blobbed hardware, that'd be preposterous, as there's blobs in cars, televisions, IoT, etc.

Apple publishes enough information about I/O Kit to allow peripheral manufacturers to port drivers to macOS. Thus I would instead place blame on peripheral manufacturers

I think it can be stated that Linux has all needed information for anyone to write a driver, more so than Apple. Buying hardware that has no free driver is just helping the proprietary blob model.

Re:Treble: Progress toward making AOSP installable

[tepples]

Which laptop or detachable with a 10 to 11.6 inch display do you recommend

The FSF has a list of computers they recommend

Most are refurbished Lenovo ThinkPad laptops, and zero of those are in the size range I mentioned.

Re:Treble: Progress toward making AOSP installable

I can take the ubuntu source, build it and run it on just about any PC

And be without accelerated graphics, audio, WLAN, and suspend until you install blobs.

No I can get free versions of many of those drivers, and i can build kernel modules to install many of the proprietary ones like the nvidia ones if i wish. Do any of the Android vendors provide buildable kernel modules that allow you to upgrade the kernel and still install the driver?

Good luck building Debian or any other GNU/Linux distribution from source and installing it on an ASUS T100TA, for which many key blobs were never remade for Linux (source).

There will always be exceptions to the general rule and there are outlier cases in the PC world but in the Android world that's the norm. You can always find some niche combination of variables and point to that as an example of the exception to the rule but that doesn't prove anything we don't already know.

Re:Treble: Progress toward making AOSP installable

Which laptop or detachable with a 10 to 11.6 inch display do you recommend

The FSF has a list of computers they recommend

Most are refurbished Lenovo ThinkPad laptops, and zero of those are in the size range I mentioned.

If the size range outweighs the ability to maintain/upgrade the system then buy one that is in the size range.

Re:Treble: Progress toward making AOSP installable

[tepples]

There will always be exceptions to the general rule and there are outlier cases in the PC world but in the Android world that's the norm. You can always find some niche combination of variables and point to that as an example of the exception to the rule but that doesn't prove anything we don't already know.

Is the category of small laptops itself "some niche combination of variables"? Many if not most 11.6 inch or smaller laptops since the end of 2012 that I'm aware of have been either expensive, a Chromebook (whose firmware nags the user to wipe the hard drive if an OS other than Chrome OS is installed), or some underdocumented detachable.

I think you're confused

[Brannon]

1. Apple has never claimed they would provide 5 years of software updates on iPhones from the last point of manufacture. If you have a cite to show otherwise then please post it.
2. No major phone manufacturer provides a guarantee of 5 years of software updates, Apple is the clear leader in software update lifetime for phones--and it's not close.
3. The SW on an iPhone 4S continues to work just fine, it's just stuck at iOS 9.3.5 and won't benefit from new features.
4. Nobody is forcing you to buy an iPhone, why do you care so much what phone other people use?

Re:I think you're confused

[Khyber]

"If you have a cite to show otherwise then please post it. "

In my OP above, if you failed to read, the source DIRECT FROM FUCKING APPLES OWN PAGES.

I also used to be an Apple service tech, so I know damned well what their policies are.

iSay

Apple probably released it themselves to scare users into buying the latest and expensivest.