Slashdot Mirror


Apple Says the Leaked iPhone Source Code is Outdated (cnet.com)

Apple has responded to security concerns surrounding leaked iPhone source code, pointing out that any potential vulnerabilities would be outdated. From a report: "Old source code from three years ago appears to have been leaked," Apple said in a statement, "but by design the security of our products doesn't depend on the secrecy of our source code. There are many layers of hardware and software protections built in to our products, and we always encourage customers to update to the newest software releases to benefit from the latest protections." The iBoot source code for iOS 9, a core part of what keeps your iPhones and iPads secure when they turn on, was leaked on GitHub, Motherboard first reported. The source code leak was considered a major security issue for Apple, as hackers could dig through it and search for any vulnerabilities in iBoot. Apple had used a DMCA notice to get the GitHub page hosting the leaked code taken down, but multiple copies of the code have already spread online.

12 of 80 comments

  1. Misinformation by Balial · · Score: 4, Informative

    That code may contain ROM source code, which can't be updated. It'd be for older chips, but if it's ROM, it's never out of date.

    1. Re:Misinformation by uCallHimDrJ0NES · · Score: 5, Insightful

      I agree that this is misinformation, or perhaps disinformation. Apple is trying to avoid a knee-jerk reaction from investors who don't understand what this actually means. I can't really blame them. Tech speculators are superstitious and foolish.

      --
      Cloudiot: A person who does not see offsite storage as a way to lose control over access to his or her own data.
    2. Re:Misinformation by Anubis+IV · · Score: 5, Informative

      That code may contain ROM source code

      It likely doesn't, given that a large part of the ROM code's job is to validate the integrity of iBoot (the part of iOS that leaked). Ars' writeup goes into a tiny bit more detail about what iBoot actually is, but the relevant bit for this conversation is that iBoot is the next step in the chain after ROM in the secure bootup procedure. Of course, being able to review iBoot's code can likely provide some insight into how the ROM's code is designed to function.

    3. Re:Misinformation by Aaden42 · · Score: 3, Informative

      iBoot is the first code to execute AFTER mask ROM on the device. The source may contain some information about the ROM by virtue of interfacing with it, but if the leak was just iBoot source, it shouldn't contain source for the ROM itself. I doubt there's anything in the leak that isn't patchable in older devices if Apple chose to do so.

  2. In other news by viperidaenz · · Score: 5, Funny

    The entire source code for Android was leaked online.
    Rumor has it Google was the one to leak it.

    You can find the leaked code at https://source.android.com/

    1. Re:In other news by Anonymous Coward · · Score: 2, Funny

      +1 Wooooosh!

    2. Re:In other news by dj245 · · Score: 3, Insightful

      The entire source code for Android was leaked online. Rumor has it Google was the one to leak it.

      You can find the leaked code at https://source.android.com/

      The difference is that Android's source code has been out there and scrutinized by many people and organizations. Apple's has only been scrutinized by Apple until now. Even if significant amounts of the code are outdated, it could give people a better idea of what kind of attacks may be possible. Plus the fact that it is news may spur more attention to iOS exploits, if only out of curiosity.

      --
      Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
  3. Re:iBoot: One i, one Boot by dgatwood · · Score: 2

    I am now imagining a pair of Uggs with googly eyes on top and a touchscreen below it showing the nose and mouth, to allow for adaptive facial expressions based on what you step in.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  4. Re:It does or it doesn't? by Dog-Cow · · Score: 2

    I know you were taking a jab at Apple, but the statement and action are consistent. Security is in the design, while vulnerabilities are in the implementation. The security doesn't change if the source is available, but the ability to find and exploit vulnerabilities increases. In other words, vulnerabilities exist whether or not the source is available, but having the source improves a hacker's chances at finding them.

  5. Of course it's outdated... Wink Wink. by bobbied · · Score: 4, Insightful

    If you are actively maintaining it, it is outdated as soon as some programmer checks something new into whatever you use for source code management, which if you are Apple, likely happens multiple times a day for the development streams. Even a small group of developers doing agile (the right way) will be committing changes multiple times a day... Apple does releases every few months on average, so any code is out of date every quarter or so...

    The question is really how long ago this code was actually in use.... Yesterday? Last year? The year before?

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  6. Three years old? by QuietLagoon · · Score: 3, Insightful

    ..."Old source code from three years ago appears to have been leaked," Apple said in a statement...

    This code screenshot has a copyright date of 2016. http://www.theregister.co.uk/2...

  7. Ummm, No. by Brannon · · Score: 4, Informative

    "The 4S was discontinued officially on September 9, 2014 following the announcement of the iPhone 6" (the Feb 2016 date was for 'developing markets' which presumably fall under a different policy)

    The 5 year guarantee is for hardware service & customer support. As of today, iPhone 4S is still supported by Apple in that sense (see here: serviced).

    There is no guarantee that you'll continue getting software updates for 5 years. The last iPhone 4s-compatible iOS update was iOS 9.3.5, released on August 25, 2016, which is almost 5 years from the initial release of the iPhone 4S (October 4, 2011), and that's pretty typical (>4 years of software updates on the newest model).

    Feel free to cite another major smartphone manufacturer that does better in terms of customer & hardware support lifetime and OS updates.