The code that runs on the iPhone and iPad before iOS starts, commonly referred to as iBoot, was posted online earlier this week for anyone to explore. That source code represents one of the iPhone’s many secrets, something that Apple doesn’t share with others.
A few hours after security experts speculated that the leaked iBoot code is actually a few years old, coming from iOS 9, Apple confirmed the leak is genuine. And while the iPhone maker downplayed the importance of keeping this particular type of program secret, it still forced GitHub to remove it.
“Old source code from three years ago appears to have been leaked, but by design the security of our products doesn’t depend on the secrecy of our source code,” Apple said in a statement to media on Thursday. “There are many layers of hardware and software protections built into our products, and we always encourage customers to update to the newest software releases to benefit from the latest protections.”
Apple’s lawyers explained in the DMCA notice that the leaked code isn’t actually open-source software, which is why Apple has filed a takedown request:
Reproduction of Apple’s “iBoot” source code, which is responsible for ensuring trusted boot operation of Apple’s iOS software. The “iBoot” source code is proprietary, and it includes Apple’s copyright notice. It is not open-source.
The code was available for several hours on GitHub before being removed, so it’s safe to say that the parties interested in these iPhone secrets had downloaded it long before Apple removed it. Furthermore, as Motherboard explained the other day, the code was first spotted on Reddit a year ago.
Even if current iPhone devices may still use code from the iOS 9 iBoot sequence, it’s likely Apple has made several modifications to it. It’s too early to say whether the iBoot leak will have any impact on the security of iOS devices going forward.