New Apple iPhone exploit reportedly enables iPadOS features like Stage Manager, floating app windows and split-view multitasking
Developer GeoSn0w has published a report on an iOS bug that may allow iPhones to access several iPad-only features, including Stage Manager, floating app windows, split-view multitasking and the iPad-style dock. According to the report, this behaviour appears to be triggered by modifying Apple’s MobileGestalt.plist file through a vulnerability affecting the itunesstored and bookassetd processes on iOS 26.1 and iOS 26.2 Beta 1.
MobileGestalt is an internal file Apple uses to decide what hardware a device has and which features it should enable. It stores encrypted values that tell the system things like whether the device has Dynamic Island, Touch ID, a microphone or support for multitasking. GeoSn0w notes that many existing tweak tools, including Nugget, Misaka and Picasso, already rely on MobileGestalt changes, although those tools usually require jailbreak-level access.
The bug lets the phone change files in places it normally shouldn’t, including the folder where MobileGestalt is stored, basically, it can edit stuff it’s not supposed to. However, it can’t touch the super-protected system folders that only the deepest part of iOS controls. GeoSn0w says that Older versions of this bug were used by people trying to bypass iCloud locks, but this report is only talking about using it to flip feature settings, not bypass anything.
As part of the demonstration, developer Duy Tran (@khanhduytran0 on X, formerly Twitter) shared a video showing an iPhone running interface elements typically found only on iPads. These include windowed apps, pinned apps, overlay apps, picture-in-picture mirroring, the iPadOS dock and Stage Manager controls. According to GeoSn0w, this is done by adjusting certain hidden settings that make the device identify itself as an iPad, which then enables the iPad-only features.
Because the MobileGestalt “CacheData” section looks scrambled, the article says developers look inside another system file to find the encrypted value that points to where the device type is stored. They use Swift to look at the needed parts of the file, and then use Python tools made by other developers to make the changes. GeoSn0w mentions that the exploit has an inconsistent success rate and may require multiple attempts before a reboot.
They can’t change the file from the phone, but they can still read it using an app they make. Then they send it to a computer to look at what’s inside.
It works on devices running iOS 26.1 or iOS 26.2 Beta 1, and some tools may use it in the future, but the report says this is only to explain how the bug behaves and not something regular users should try.
Disclaimer: The original article includes system-level modification steps that may void warranties or impact device security. Notebookcheck shares the link for context but does not advise users to replicate the process.
