

An analysis of iOS 5 OTA updates by innoying - dpearson
http://blog.innoying.com/post/15553263626/an-analysis-of-ios-5-ota-updates-by-innoying

======
adamjernst
_As it turns out, it’s just HTTP requests. The alarm bells should be going off
now. So you’re telling me that the part of the O.S. that runs as root and
replaces system files is downloaded via unsecured, unauthenticated HTTP? Yup._

Well, I'm not sure it makes a difference. As he later points out, update
packages are signed by Apple, so unless you have access to Apple's private key
you can't make an update package that will actually be installed.

Using HTTPS instead of HTTP would be wise, but in the end it doesn't make a
difference.

On the whole though, this is a fascinating exercise. Thanks!
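
The point made in the comment above, as an added example that is not from the original post or from Apple's updater: a package fetched over an untrusted channel is installed only if its signature verifies against a key pinned on the device. Ed25519, the `Package` type, and the `Install` and `Demo` functions are assumptions chosen for illustration; the page does not say which signature scheme the OTA packages use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Package is a constructed stand-in for an update as it arrives over plain HTTP.
type Package struct {
	Payload   []byte
	Signature []byte
}

var ErrBadSignature = errors.New("update rejected: signature does not verify")

// Install returns the payload only if it verifies against the vendor key
// pinned on the device; the transport is never trusted.
func Install(pinned ed25519.PublicKey, p Package) ([]byte, error) {
	if len(pinned) != ed25519.PublicKeySize || !ed25519.Verify(pinned, p.Payload, p.Signature) {
		return nil, ErrBadSignature
	}
	return p.Payload, nil
}

// Demo reports whether each of three constructed packages is accepted: the
// genuine one, one altered in transit, and one re-signed with another key.
func Demo() (genuine, altered, resigned bool) {
	vendorPub, vendorPriv, err1 := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, err2 := ed25519.GenerateKey(rand.Reader)
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	good := Package{Payload: []byte("constructed update payload")}
	good.Signature = ed25519.Sign(vendorPriv, good.Payload)
	// Same signature, one payload byte changed on the wire.
	mod := Package{Payload: append([]byte(nil), good.Payload...), Signature: good.Signature}
	mod.Payload[0] ^= 0xff
	// Changed payload signed with a key the device does not pin.
	re := Package{Payload: mod.Payload, Signature: ed25519.Sign(otherPriv, mod.Payload)}
	_, e1 := Install(vendorPub, good)
	_, e2 := Install(vendorPub, mod)
	_, e3 := Install(vendorPub, re)
	return e1 == nil, e2 == nil, e3 == nil
}

func main() { fmt.Println(Demo()) }
```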

