Critical iOS 10 component isn’t encrypted, but it’s a feature not a glaring oversight
Apple last week released the first beta of iOS 10 after explaining the main features of the upcoming iPhone, iPad and iPod touch update during its WWDC 2016 opening keynote. As expected, developers and researchers started poking around and some of them discovered that Apple left the kernel unencrypted. To some, this appeared to be an unexpected mistake from a company that’s known to prioritize user security and privacy, and to advocate for strong encryption. However, other researchers suspected this might be a feature, not a bug.
Apple has now confirmed the kernel is supposed to be decrypted in iOS 10.
“The kernel cache doesn’t contain any user info, and by unencrypting it we’re able to optimize the operating system’s performance without compromising security,” an Apple spokesperson told TechCrunch, seemingly settling the matter.
In previous iOS releases Apple has encrypted the kernel, hiding the way it works. The kernel controls how apps access hardware resources and manages security. However, it doesn’t handle user data that would warrant the use of encryption.
Apple hopes that an unencrypted kernel in iOS 10 will help third parties discover potential issues faster than before, despite allowing anybody to have a sneak peek at the inner workings of iOS.
Talking to MIT Technology Review before Apple acknowledged this hidden iOS 10 feature, security expert Jonathan Zdziarski said that leaving the kernel unencrypted by mistake “would have been an incredibly glaring oversight, like forgetting to put doors on an elevator.” He supported the idea that Apple left the kernel unencrypted by choice, linking the decision to Apple’s determined defense against the FBI in the San Bernardino iPhone case.
By making the kernel available to anyone, Apple is more transparent than ever with iOS, in the hope that companies dealing in critical iOS security issues that can offer law enforcement agencies access to an encrypted device would have a harder time hoarding these vulnerabilities.
Source | BGR