Secret iPhone code published online in 'biggest ever' leak

The source code related to iOS 9, a three-year-old version of the software. Photo / Getty Images

A secret part of Apple's iPhone software has been posted online in a leak that could potentially allow hackers to find security holes in the smartphone.

Although the release does not immediately put iPhone owners at risk, security experts said the leak enables hackers to analyse Apple's code, replicate and manipulate it for malicious purposes and that users could be vulnerable in the future.

On Wednesday night, an anonymous user published part of the "source code" - the computing instructions that underpin the iOS software - on GitHub, a website for computer programmers to share code.

The leak relates to iOS 9, a three-year-old version of the software, but security researchers claimed that the components are likely to remain in the latest software update.

Fun thing about the DMCA: it required Apple to state, under penalty of perjury, that the iBoot source code was legit: https://t.co/PKHZqcEe6h

— Karl (@supersat) February 8, 2018

The blueprint details the iPhone's "iBoot" system, which kicks in when a phone switches on. Hackers could potentially use this to craft a way to install malware or surveillance tools on a victim's device, researchers said.

"It's big, but does not directly impact users yet," said Matthew Carr of Insinia Security.

"But it gives visibility into what the code does so anyone looking to reverse engineer iOS and write exploits can use this to make their job much easier. There may even be massive parts of code reused so they could try and find bugs in old code and see if it works on new versions," he added.

Jonathan Levin, chief technology officer at software consultancy firm, Technologeeks, told Motherboard that the code hacking represented "the biggest leak in history".

Apple has always kept its software source code under wraps to avoid anyone stealing or hunting for vulnerabilities that might be used to break the security of its products. It runs a bug bounty program, where eagle-eyed security researchers and white hat hackers are encouraged to alert them of potential security holes in its software in exchange for money.

Rewards depend on the severity of the flaw, but its website states that an iBoot system disclosure could be worth $200,000, as it is a central component of its system.

On Wednesday evening Apple issued a take-down notice to GitHub, where the file was posted. The company is yet to comment.