iOS 10 Kernel Cache Is Unencrypted in Beta


iOS 10 kernel cache was found unencrypted shortly after the WWDC. Rumors and speculations are abundant. What is kernelcache, & should iOS users be ecstatic? While the experts in the field of iOS security try to come to a unified opinion, would you want to upgrade to iOS 10 beta?

Official Version – It’s Deliberate

A mysterious event got the tech sphere buzzing with rumors and speculation: the iOS 10 kernel cache was found to be unencrypted, which is odd for Apple, to say the least. A somewhat vague statement from Apple did not bring much clarity to the scene:

“The kernel cache doesn’t contain any user info, and by unencrypting it we’re able to optimize the operating system’s performance without compromising security,” an Apple spokesperson told iMore.

You will find mainstream websites hailing Apple for becoming more transparent and letting the good folks out there hunt the bugs and report them to Apple.

This move, or as some suspect this royal blunder, is expected to make jailbreaking easier, as well as reverse engineering of code that was previously hidden from curious eyes by encryption. Why do many believe it was an accident, or a major oversight? Because such changes are normally preceded by an official announcement, not followed by a short reply lacking details after the fact.

What is kernelcache?

The term “kernelcache” refers to the kernel together with its drivers and extensions. So it includes the full kernel plus some extras.

The kernelcache is basically the kernel itself and all of its extensions (AppleImage3NORAccess, IOAESAccelerator, IOPKEAccelerator, etc.) bundled into one file, then packed and encrypted in an IMG3 (iPhone OS 2.0 and above) or 8900 (iPhone OS 1.0 through 1.1.4) container.

Only in iOS 10 Beta, it’s not encrypted.
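A header check for the container described above, added here as an example and not code from the original post or from Apple. It walks the IMG3 tag list, assuming the public IMG3 layout (a 20-byte header of magic, fullSize, sizeNoPack, sigCheckArea and ident, followed by tags of magic, totalLength, dataLength and data), and reports whether a kernelcache image carries a KBAG tag, which holds the wrapped AES IV/key and is therefore the sign that the DATA payload is ciphertext. The sample images are constructed inline; real ones are megabytes long and also carry SHSH and CERT tags.

```python
import struct

IMG3_MAGIC = b"3gmI"        # 'Img3' stored little-endian; tag names are reversed the same way
MACHO_MAGICS = {b"\xcf\xfa\xed\xfe", b"\xfe\xed\xfa\xcf", b"\xce\xfa\xed\xfe", b"\xfe\xed\xfa\xce"}
LZSS_MAGIC = b"complzss"    # Apple's LZSS wrapper found at the start of a plaintext kernelcache

def img3_tags(blob):
    """Parse an IMG3 body into {tag_name: payload}, assuming the 20-byte header and
    tags laid out as (magic, totalLength, dataLength, data[, padding])."""
    if blob[:4] != IMG3_MAGIC:
        raise ValueError("not an IMG3 container")
    full_size = struct.unpack_from("<I", blob, 4)[0]
    end, off, tags = min(full_size, len(blob)), 20, {}
    while off + 12 <= end:
        magic, total, data_len = struct.unpack_from("<4sII", blob, off)
        if total < 12 + data_len or off + total > end:
            raise ValueError("truncated IMG3 tag at offset %d" % off)
        tags[magic[::-1]] = blob[off + 12: off + 12 + data_len]
        off += total
    return tags

def classify_kernelcache(blob):
    """'img3-encrypted' (KBAG present), 'img3-lzss' (no KBAG, DATA starts with the
    LZSS wrapper), 'img3-opaque', 'macho' (bare Mach-O, no container) or 'unknown'."""
    if blob[:4] in MACHO_MAGICS:
        return "macho"
    if blob[:4] != IMG3_MAGIC:
        return "unknown"
    tags = img3_tags(blob)
    if b"DATA" not in tags:
        return "unknown"
    if b"KBAG" in tags:
        return "img3-encrypted"
    if tags[b"DATA"].startswith(LZSS_MAGIC):
        return "img3-lzss"
    return "img3-opaque"

def _tag(name, payload):
    # Build one IMG3 tag for the constructed samples below.
    return name[::-1] + struct.pack("<II", 12 + len(payload), len(payload)) + payload

def _img3(ident, tags):
    body = b"".join(tags)
    return IMG3_MAGIC + struct.pack("<III", 20 + len(body), len(body), 0) + ident[::-1] + body

# Constructed samples (not real Apple images): a 56-byte KBAG mirrors the AES-256 IV/key wrapper size.
ENCRYPTED = _img3(b"krnl", [_tag(b"TYPE", b"krnl"), _tag(b"DATA", bytes(32)), _tag(b"KBAG", bytes(56))])
PLAINTEXT = _img3(b"krnl", [_tag(b"TYPE", b"krnl"), _tag(b"DATA", LZSS_MAGIC + bytes(24))])
BARE_MACHO = b"\xcf\xfa\xed\xfe" + bytes(28)
```

A KBAG-less image is only "plaintext" in the sense that no key is needed to read DATA; the payload is still LZSS-compressed and has to be unpacked before the Mach-O inside can be inspected.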

Theories, theories!

The opinions of iOS and security professionals found online range from excited praise to thoughtful doubt. Let’s see why.

The first and foremost reason to side with the skeptics is that Apple does not offer a bug bounty program the way Google or Microsoft does. If, for example, you were to discover a kernel-level exploit in Windows, you would be a candidate for a hefty six-figure reward. With Apple, by contrast, the iOS-loving crowd suggests the good people would simply disclose their findings to Apple because it’s the right thing to do. And earn nothing.

At the same time, the recent FBI vs. Apple case shows just who such technical wizards can turn to for a hefty prize for finding an exploit (the FBI paid a million-dollar bounty to the undisclosed company that found a workaround for iOS encryption).

More accessibility means the prices of such findings will drop, and bug hunters will earn significantly less because of the increased competition. It also means law enforcement will be pressed for time when counting on exploiting such bugs, because more people will be able to find them and report them to Apple to get them fixed.

The good will of law-abiding Apple fans and white hat hackers is wonderful, but the real world does not work that way.

If that’s the kind of equation that is supposed to make iOS 10 safer, I’d bet on the dark web going wild before Apple finds the exploits with the help of the loyal community. That is, unless Cupertino announces a competitive bug bounty program.

On the other hand, security through obscurity in proprietary software does not always mean good security. In fact, STO is often referred to as bad security compared to open source projects like Linux. Yet some components still need encryption to stay hidden from malware.

Proprietary software vendors encrypt code to prevent it from being reverse-engineered. Yes, leaving the iOS 10 kernel cache unencrypted may help the good guys find and report exploits. It can also help the bad guys find the exploits faster and take advantage of them.

The lack of a detailed response from Apple, and the fact that the company responded only after the media buzz got too loud to ignore, leaves room for doubt about whether the move to leave the iOS 10 kernel cache unencrypted was deliberate. If, for a split second, we imagine it was a blunder, a company as big as Apple can’t afford to admit it. Not after the FBI case.

Questions

Another important question is whether the security fears would be dispelled if the company gave any interested party an unofficial way to poke into the code.

Encryption sounds like tech gibberish, but the average user associates it with better privacy and security. An unencrypted kernelcache sounds like rocket science to most users, and it does not help instill a sense of security. Even if Apple did intend to leave it unencrypted, it certainly seems like a dubious PR move to let it slip without an announcement.

There is no word on whether the iOS 10 kernel cache will be encrypted by the time iOS 10 exits beta testing. There is no word from Apple so far about how the unencrypted kernel cache affects performance, but with the pressure from the media buzz we might expect a statement soon. We also hope Cupertino opts for a bug bounty program, because an idealistic view of tech-savvy iOS users standing united against abuse of the suddenly accessible data is too far-fetched.
