It was discovered earlier this week that the first beta of iOS 10 includes an unencrypted kernel, which has given users and researchers access to the operating system’s inner workings. That led to a debate as to whether the kernel was left unencrypted by mistake or whether it was a calculated move by Apple. On Wednesday, the iPhone maker confirmed it was on purpose.
“The kernel cache doesn’t contain any user info, and by unencrypting it we’re able to optimize the operating system’s performance without compromising security,” an Apple spokesperson told TechCrunch.
While encryption is usually thought to go hand-in-hand with security, in this case, the lack of encryption may actually lead to a more secure device. Developers and researchers can now dive into the kernel and poke around a bit, making it easier for them to discover potential security flaws. This should make it easier and quicker for Apple to patch such holes.
As Apple is notoriously secretive about its products, and the operating systems that run them, some security experts had speculated the lack of encryption was accidental. But most believed such an oversight would be shocking to the point of being unbelievable. “… like forgetting to put doors on an elevator,” said iOS security expert Jonathan Zdziarski.
Lack of Encryption in iOS 10 Kernel Reduces Value of Security Flaws
Zdziarski suggested the unencrypted kernel was one way Apple could prevent the hoarding of vulnerabilities, such as the one used by the FBI to access the locked iPhone 5c of San Bernardino shooter Syed Farook. If flaws can be found quickly and the discoveries are widespread, it reduces their value and the price that law enforcement officials (and the bad guys) will pay for the information. It should also lead to quicker fixes of security flaws by Apple.