Slashdot Mirror


Apple Says the Leaked iPhone Source Code is Outdated (cnet.com)

Apple has responded to security concerns surrounding leaked iPhone source code, pointing out that any potential vulnerabilities would be outdated. From a report: "Old source code from three years ago appears to have been leaked," Apple said in a statement, "but by design the security of our products doesn't depend on the secrecy of our source code. There are many layers of hardware and software protections built in to our products, and we always encourage customers to update to the newest software releases to benefit from the latest protections." The iBoot source code for iOS 9, a core part of what keeps your iPhones and iPads secure when they turn on, was leaked on GitHub, Motherboard first reported. The source code leak was considered a major security issue for Apple, as hackers could dig through it and search for any vulnerabilities in iBoot. Apple had used a DMCA notice to get the GitHub page hosting the leaked code taken down, but multiple copies of the code have already spread online.

40 of 80 comments

  1. Misinformation by Balial · · Score: 4, Informative

    That code may contain ROM source code, which can't be updated. It'd be for older chips, but if it's ROM, it's never out of date.

    1. Re:Misinformation by uCallHimDrJ0NES · · Score: 5, Insightful

      I agree that this is misinformation, or perhaps disinformation. Apple is trying to avoid a knee-jerk reaction from investors who don't understand what this actually means. I can't really blame them. Tech speculators are superstitious and foolish.

      --
      Cloudiot: A person who does not see offsite storage as a way to lose control over access to his or her own data.
    2. Re:Misinformation by Baron_Yam · · Score: 1

      >Tech speculators are superstitious and foolish.

      Whatever happened to 'due diligence'? I see so much 'investment' that is just blind gambling because the right keyword is included in the company's mission statement. It's insane.

      If you have so much free capital that you're willing to throw it at companies blindly... just give it away to some useful cause.

    3. Re:Misinformation by Anonymous Coward · · Score: 1

      Due diligence is what investors do. Today's stock market is driven by speculators and traders, neither of which give a rat's patootie about truth, only which way the stock might head in the next very little while. Also remember that many of today's 'traders' are software, DEEP-LEARNING software (hah!), which only looks at market technicals and not at company or product qualities. This software is built by the same quants that brought us the last global financial meltdown.

    4. Re: Misinformation by Anonymous Coward · · Score: 1

      That can't be true. How else would Apple uphold their practice of breaking things with updates?

    5. Re:Misinformation by Anubis+IV · · Score: 5, Informative

      That code may contain ROM source code

      It likely doesn't, given that a large part of the ROM code's job is to validate the integrity of iBoot (the part of iOS that leaked). Ars' writeup goes into a tiny bit more detail about what iBoot actually is, but the relevant bit for this conversation is that iBoot is the next step in the chain after ROM in the secure bootup procedure. Of course, being able to review iBoot's code can likely provide some insight into how the ROM's code is designed to function.

    6. Re:Misinformation by sit1963nz · · Score: 1

      ROMs????, not likely. EEPROM or some other tech yes, but ROMs, no way.

    7. Re:Misinformation by Aaden42 · · Score: 3, Informative

      iBoot is the first code to execute AFTER mask ROM on the device. The source may contain some information about the ROM by virtue of interfacing with it, but if the leak was just iBoot source, it shouldn't contain source for the ROM itself. I doubt there's anything in the leak that isn't patchable in older devices if Apple chose to do so.

    8. Re:Misinformation by suutar · · Score: 1

      The majority (possibly the vast majority) of "investing" is just speculation - the company hasn't issued new shares, so you're not really investing in it, you're just buying the theoretical fruits of someone else's investment. Given this, due diligence has kind of fallen by the wayside =/

    9. Re:Misinformation by zifn4b · · Score: 1

      Apple is trying to avoid a knee-jerk reaction from investors who don't understand what this actually means

      I think you're thinking of a different company called Unicorn Technology, Inc. where upper management actually understands how to run a technology business and doesn't emotionally react to stuff that sounds like it might be bad without actually understanding what it actually means...

      --
      We'll make great pets
    10. Re:Misinformation by zifn4b · · Score: 1

      >Tech speculators are superstitious and foolish.

      Whatever happened to 'due diligence'?

      I do my due diligence! It's called Magic 8-ball. I use it for all my investment decisions and it's never steered me wrong! My family has used the same one for many generations. All praise Magic 8-ball!

      --
      We'll make great pets
    11. Re:Misinformation by Baron_Yam · · Score: 1

      It's always a gamble, yes... but there's a difference between manufactured risk and assumed risk.

      Throwing money at companies more or less randomly (say, because they've just used the word 'blockchain' in a press release) is manufactured risk. You're creating an unnecessary risk by being blind to the investment details. You can't know how big the risk is or how big the potential payoff, because you've willfully blinded yourself.

      You really should have a reason to invest in a particular company - and you should know enough about the company to make a rational assessment of the company's chances of performing to your expectations. That's an assumed risk - there's a pre-existing risk, and you're buying into it based on a (hopefully) rational and reasonably comprehensive analysis of the level of risk vs. the anticipated rewards if it pays off.

  2. In other news by viperidaenz · · Score: 5, Funny

    The entire source code for Android was leaked online.
    Rumor has it Google was the one to leak it.

    You can find the leaked code at https://source.android.com/

    1. Re:In other news by Anonymous Coward · · Score: 2, Funny

      +1 Wooooosh!

    2. Re:In other news by dj245 · · Score: 3, Insightful

      The entire source code for Android was leaked online. Rumor has it Google was the one to leak it.

      You can find the leaked code at https://source.android.com/

      The difference is that Android's source code has been out there and scrutinized by many people and organizations. Apple's has only been scrutinized by Apple until now. Even if significant amounts of the code are outdated, it could give people a better idea of what kind of attacks may be possible. Plus the fact that it is news may spur more attention to iOS exploits, if only out of curiosity.

      --
      Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
  3. NOT ALL ReLeAsEd!!! Imagonnabeatyabitch! by Anonymous Coward · · Score: 1

    Teh G keeps much code secret, only for its use. Not even talking about the modem.

  4. Re:iBoot: One i, one Boot by dgatwood · · Score: 2

    I am now imagining a pair of Uggs with googly eyes on top and a touchscreen below it showing the nose and mouth, to allow for adaptive facial expressions based on what you step in.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  5. Re:It does or it doesn't? by Dog-Cow · · Score: 2

    I know you were taking a jab at Apple, but the statement and action are consistent. Security is in the design, while vulnerabilities are in the implementation. The security doesn't change if the source is available, but the ability to find and exploit vulnerabilities increases. In other words, vulnerabilities exist whether or not the source is available, but having the source improves a hacker's chances at finding them.
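
As an added illustration (not Apple's code and not the leaked code) of the point made in Anubis+IV's and Dog-Cow's comments above, that the ROM verifies iBoot before handing off and that this check does not rely on iBoot's source staying secret, here is a toy chain-of-trust model in Python. The RSA parameters and the sample images are constructed for the example; a real mask ROM embeds a full-size public key (or its hash), not a textbook modulus.

```python
"""Toy model of the ROM -> iBoot chain of trust: the immutable ROM holds only
public key material and refuses to hand off to an iBoot image whose signature
does not verify. Publishing iBoot's source does not help produce a valid
signature, because the private key never leaves the vendor."""
import hashlib
from dataclasses import dataclass

# Textbook toy RSA parameters (p=61, q=53): constructed for illustration only
# and trivially factorable; a real ROM pins a 2048-bit or larger key.
TOY_N, TOY_E, TOY_D = 3233, 17, 2753


def image_digest(image: bytes, modulus: int) -> int:
    """SHA-256 of the image, reduced to the toy modulus so it can be signed."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % modulus


def sign_image(image: bytes, private_exp: int = TOY_D, modulus: int = TOY_N) -> int:
    """Vendor build-server step: the private exponent never ships in ROM or iBoot."""
    return pow(image_digest(image, modulus), private_exp, modulus)


@dataclass(frozen=True)
class MaskRom:
    """Fixed at fabrication and not updatable, so only public material lives here."""
    public_exp: int = TOY_E
    modulus: int = TOY_N

    def verify(self, image: bytes, signature: int) -> bool:
        return pow(signature, self.public_exp, self.modulus) == image_digest(image, self.modulus)

    def boot(self, iboot_image: bytes, iboot_sig: int) -> str:
        """Hand off to iBoot only after its signature checks out."""
        if not self.verify(iboot_image, iboot_sig):
            return "halt: iBoot signature invalid"
        return "running: " + iboot_image.decode()


# Constructed sample image standing in for a vendor-signed iBoot build.
GENUINE_IBOOT = b"iBoot stage (constructed sample build)"
GENUINE_SIG = sign_image(GENUINE_IBOOT)


def boot_genuine() -> str:
    return MaskRom().boot(GENUINE_IBOOT, GENUINE_SIG)


def boot_modified_with_old_signature() -> str:
    """A rebuilt iBoot from full source, but without the private key: the only
    signature available is the one issued for the original image."""
    modified = GENUINE_IBOOT.replace(b"constructed", b"modified")
    return MaskRom().boot(modified, GENUINE_SIG)


if __name__ == "__main__":
    print(boot_genuine())
    print(boot_modified_with_old_signature())
```

The verification step is what Apple's statement leans on; a bug in iBoot's own handling of the next stage is the part a source leak makes easier to find, which is the distinction Dog-Cow draws.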

  6. Of course it's outdated... Wink Wink. by bobbied · · Score: 4, Insightful

    If you are actively maintaining it, it is outdated as soon as some programmer checks something new into whatever you use for source code management, which if you are Apple, likely happens multiple times a day for the development streams. Even a small group of developers doing agile (the right way) will be committing changes multiple times a day... Apple does releases every few months on average, so any code is out of date every quarter or so...

    The question is really how long ago this code was actually in use.... Yesterday? last year? The year before?

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    1. Re:Of course it's outdated... Wink Wink. by konohitowa · · Score: 1

      You introduced an error. Please revert your attempted fix.

  7. What if by fabriciom · · Score: 1

    Apple was the leaker?

    1. Re: What if by fabriciom · · Score: 1

      Yet here you are talking about apple and ios...

  8. Three years old? by QuietLagoon · · Score: 3, Insightful

    ..."Old source code from three years ago appears to have been leaked," Apple said in a statement...

    This code screenshot has a copyright date of 2016. http://www.theregister.co.uk/2...

  9. A few non-GMS Android devices by tepples · · Score: 1

    Name a single product running AOSP.

    Archos 43 Internet Tablet. Kindle Fire. Fire Phone. Every Android device intended for the People's Republic of China market.

    1. Re:A few non-GMS Android devices by tepples · · Score: 1

      Name a computing device from the past ten years running any operating system that doesn't have any proprietary bits in it. CPUs in even Purism Librem PCs have proprietary microcode.

      Or was your point that all computing devices are equally unacceptable because they have at least one line of proprietary code in them?

  10. Re: It does or it doesn't? by Brockmire · · Score: 1

    How the fuck does security not change if the chance of exploit increases? Fuck, it sounds like they're saying they significantly changed code over 3 years, which is suspect in supposedly secure code. You're trying to say that the devices aren't instantly insecure just because this is public knowledge, but there's now way more eyes and more attractive attack surface. If bookies were taking bets on jailbreaks, I'd guess the odds just changed.

  11. Much like your lies, Apple by Khyber · · Score: 1, Interesting

    Apple claims to support their phones for five years after the last date of manufacture for the product - https://support.apple.com/en-u...

    The iPhone 4S ceased production in February 2016. Official Apple support stopped very shortly thereafter.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  12. This, from the same company: by p51d007 · · Score: 1

    That said people were holding the phone wrong. That said the slowdown was a "feature" and on and on.

    1. Re:This, from the same company: by sound+vision · · Score: 1

      To Apple's credit, the slowdown actually was a feature. (The same feature Androids have had, with the option to turn on/off, since at least version 6.) To their discredit, the reason they forced it on people without their consent and then lied about it, was to get them to buy a new phone.

  13. Ummm, No. by Brannon · · Score: 4, Informative

    "The 4S was discontinued officially on September 9, 2014 following the announcement of the iPhone 6" (the Feb 2016 date was for 'developing markets' which presumably fall under a different policy)

    The 5 year guarantee is for hardware service & customer support. As of today, iPhone 4S is still supported by Apple in that sense (see here: serviced).

    There is no guarantee that you'll continue getting software updates for 5 years. The last iPhone 4s-compatible iOS update was iOS 9.3.5, released on August 25, 2016, which is almost 5 years from the initial release of the iPhone 4S (October 4, 2011), and that's pretty typical (>4 years of software updates on the newest model).

    Feel free to cite another major smartphone manufacturer that does better in terms of customer & hardware support lifetime and OS updates.

    1. Re:Ummm, No. by Anubis+IV · · Score: 1

      An AC responds to a series of facts backed up by citations by making a baseless claim based on no evidence while complaining that a product they don’t want isn’t something other than what it claims to be. They then have the gall to suggest the person they’re responding to is the zealot.

      Have you tried looking in a mirror recently?

    2. Re:Ummm, No. by Khyber · · Score: 1

      "The 5 year guarantee is for hardware service"

      The software that is required to run the hardware is part of the fucking hardware service. The hardware can NOT run without the software.

      But please, try to apologize more for a company that has always lied in its marketing to make a fucking sale.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  14. Treble: Progress toward making AOSP installable by tepples · · Score: 1

    No, the point is that you can't just take AOSP, build it and install it on any device.

    Google is trying to fix that. Treble in Android 8 is an ABI allowing new versions of Android to install on top of the hardware abstraction layer provided by the manufacturer of an Android 8+ device. It'll be more like Windows or some GNU/Linux distributions, where the blobs are their own separate package and have their own test suite (Treble VTS on Android or HCK on Windows).

    I can take the ubuntu source, build it and run it on just about any PC

    And be without accelerated graphics, audio, WLAN, and suspend until you install blobs. Good luck building Debian or any other GNU/Linux distribution from source and installing it on an ASUS T100TA, for which many key blobs were never remade for Linux (source).

    1. Re:Treble: Progress toward making AOSP installable by ptaff · · Score: 1

      without accelerated graphics, audio, WLAN, and suspend until you install blobs. Good luck building Debian or any other GNU/Linux distribution from source and installing it on an ASUS T100TA

      If someone chooses to buy hardware that has no free drivers to run it, when alternatives do exist, who's to blame? Should we also blame Apple when a random USB gadget designed for Windows has no drivers for OS X?

    2. Re:Treble: Progress toward making AOSP installable by tepples · · Score: 1

      If someone chooses to buy hardware that has no free drivers to run it, when alternatives do exist, who's to blame?

      The person who bought it to give as a gift. Or the market, when alternatives do not in fact exist. On that note:

      ASUS T100TA

      alternatives do exist

      I'm curious as to what they are. Which laptop or detachable with a 10 to 11.6 inch display do you recommend for running GNU/Linux without proprietary binary blobs?

      Android 8+ device

      alternatives do exist

      I'm curious as to what they are. Which pocket computer with WLAN and cellular voice and data communication capability do you recommend for use without proprietary binary blobs?

      Should we also blame Apple when a random USB gadget designed for Windows has no drivers for OS X?

      Not usually, because Apple publishes enough information about I/O Kit to allow peripheral manufacturers to port drivers to macOS. Thus I would instead place blame on peripheral manufacturers with one exception: peripherals produced in such low volume that the extra cost to support macOS would be prohibitive, such as the "INL Retro" NES cartridge writer. For that, I'd blame the developers of popular programming languages' standard libraries for not providing a cross-OS framework that wraps each operating system's framework for user-mode drivers.

    3. Re:Treble: Progress toward making AOSP installable by ptaff · · Score: 1

      [ASUS T100TA] Which laptop or detachable with a 10 to 11.6 inch display do you recommend

      The FSF has a list of computers they recommend. There's also a list of hardware which needs no binary blob.

      Which pocket computer with WLAN and cellular voice and data communication capability do you recommend for use without proprietary binary blobs

      There is none on the market. I wrote "when alternatives exist"; I never meant that there were alternatives to all proprietary blobbed hardware, that'd be preposterous, as there's blobs in cars, televisions, IoT, etc.

      Apple publishes enough information about I/O Kit to allow peripheral manufacturers to port drivers to macOS. Thus I would instead place blame on peripheral manufacturers

      I think it can be stated that Linux has all needed information for anyone to write a driver, more so than Apple. Buying hardware that has no free driver is just helping the proprietary blob model.

    4. Re:Treble: Progress toward making AOSP installable by tepples · · Score: 1

      Which laptop or detachable with a 10 to 11.6 inch display do you recommend

      The FSF has a list of computers they recommend

      Most are refurbished Lenovo ThinkPad laptops, and zero of those are in the size range I mentioned.

    5. Re:Treble: Progress toward making AOSP installable by tepples · · Score: 1

      There will always be exceptions to the general rule and there are outlier cases in the PC world but in the Android world that's the norm. You can always find some niche combination of variables and point to that as an example of the exception to the rule but that doesn't prove anything we don't already know.

      Is the category of small laptops itself "some niche combination of variables"? Many if not most 11.6 inch or smaller laptops since the end of 2012 that I'm aware of have been either expensive, a Chromebook (whose firmware nags the user to wipe the hard drive if an OS other than Chrome OS is installed), or some underdocumented detachable.

  15. I think you're confused by Brannon · · Score: 1

    1. Apple has never claimed they would provide 5 years of software updates on iPhones from the last point of manufacture. If you have a cite to show otherwise then please post it.
    2. No major phone manufacturer provides a guarantee of 5 years of software updates; Apple is the clear leader in software update lifetime for phones--and it's not close.
    3. The SW on an iPhone 4S continues to work just fine, it's just stuck at iOS 9.3.5 and won't benefit from new features.
    4. Nobody is forcing you to buy an iPhone, why do you care so much what phone other people use?

    1. Re:I think you're confused by Khyber · · Score: 1

      "If you have a cite to show otherwise then please post it. "

      In my OP above, if you failed to read, the source DIRECT FROM FUCKING APPLE'S OWN PAGES.

      I also used to be an Apple service tech, so I know damned well what their policies are.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.