Apple: The leaked iPhone source code is outdated

The company takes down crucial iPhone source code for iOS 9 posted on GitHub, but the code was up long enough to cause security concerns.

Alfred Ng Senior Reporter / CNET News

The leaked source code originally came out in 2015, and wouldn't affect users on new devices, Apple said.


Apple has responded to security concerns surrounding leaked iPhone source code, pointing out that any potential vulnerabilities would be outdated.

"Old source code from three years ago appears to have been leaked," Apple said in a statement, "but by design the security of our products doesn't depend on the secrecy of our source code. There are many layers of hardware and software protections built in to our products, and we always encourage customers to update to the newest software releases to benefit from the latest protections."

The iBoot source code for iOS 9, a core part of what keeps your iPhones and iPads secure when they turn on, was leaked on GitHub, Motherboard first reported. iBoot essentially makes sure all software that loads on Apple's devices is secure and hasn't been tampered with.

Because iBoot is such a crucial part of an iOS device's security, Apple offers its bug bounty program's highest reward -- $200,000 -- to anyone who can find vulnerabilities in the code. 

The source code leak was considered a major security issue for Apple, as hackers could dig through it and search for any vulnerabilities in iBoot. Apple had used a DMCA notice to get the GitHub page hosting the leaked code taken down, but multiple copies of the code have already spread online.

The leaked source code from iOS 9 was first released in 2015. Only 7 percent of iOS devices are running a version older than iOS 10, which came out in September 2016, according to Apple.

"The iBoot code that was leaked is for an older iOS, so whatever bugs people find may not be relevant anymore," said Michael Borohovski, co-founder of Tinfoil Security.

But with more than 1 billion iOS devices in the world since 2016, that's still at least 70 million people who could be affected by any new vulnerabilities that could spring up.

"There's a wide range of things, from new jailbreaks to the possibility of circumventing Apple's process, based on having access to the source code," said David Kennedy, the CEO of security company TrustedSec.

In short, if you haven't already, update your iOS software.

First published Feb. 8, 10:15 a.m. PT
Update, 11:22 a.m.: Adds comment from Borohovski.