iOS 10 Beta Features Unencrypted Kernel Making it Easier to Discover Vulnerabilities

Apple’s iOS 10 preview, seeded to developers last week, does not feature an encrypted kernel and thus gives users access to the inner workings of the operating system and potential security flaws, reports MIT Technology Review. It is not known if this was an unintentional mistake or done deliberately to encourage more bug reports.

Security experts say the famously secretive company may have adopted a bold new strategy intended to encourage more people to report bugs in its software–or perhaps made an embarrassing mistake.

In past versions of iOS, Apple has encrypted the kernel, aka the core of the operating system, which dictates how software uses the iPhone’s hardware and keeps it secure. According to experts who spoke to the MIT Technology Review, leaving iOS unencrypted doesn’t leave the security of iOS 10 compromised, but it makes it easier to find flaws in the operating system. Security flaws in iOS can be used to create jailbreaks or create malware.

The goodies exposed publicly for the first time include a security measure designed to protect the kernel from being modified, says security researcher Mathew Solnik. “Now that it is public, people will be able to study it [and] potentially find ways around it,” he says.

Apple has declined to comment on whether the lack of encryption was intentional or a mistake, but security expert Jonathan Zdziarski believes it was done by choice because it’s not a mistake Apple is likely to have made. “This would have been an incredibly glaring oversight, like forgetting to put doors on an elevator,” he told MIT Technology Review.

He further suggests Apple may have chosen this route to prevent the hoarding of vulnerabilities like the one that was ultimately used by the FBI to break into the iPhone 5c of San Bernardino shooter Syed Farook and to have more people looking at the code to discover latent security flaws.

 

Source