To Jailbreak or Not to Jailbreak? That is the Question
Many iPhones and iPads owners are tired of the stringent controls Apple places on their devices, limiting them from fully utilizing all iOS capabilities. Many users have decided to jailbreak their devices in order to unlock more of iOS features.
Apple maintains tight control over its iOS software and hardware. There is no file system per se to which users have direct access, applications cannot easily communicate or collaborate with each other, you can only get apps from the App Store and so on.
Apple has done this to ensure a high level of quality and uniform usability for its customers. The company also wants to maximize its iOS revenues by making sure that only apps it approves and hosts on the App Store can be downloaded and installed. As a side benefit to customers, all of these controls make the iOS a very secure mobile platform and a favorite in corporate environments.
For the most part, the iOS user community accepts this state of affairs. However, many other owners of iPhones and iPads have gotten tired of the stringent controls Apple places on their devices, limiting them from fully utilizing all iOS capabilities. Many users have decided to jailbreak their devices in order to unlock more of the features that iOS has to offer.
What is Jailbreaking?
Jailbreaking is the process of removing the controls and restrictions Apple has placed on iOS so that you can use your device more like an Android phone, which does not have iOS-style controls, or a personal computer.
Whether jailbreaking is something you do to your iPhone depends on what you want to accomplish, and whether you are willing and able to accept the risks.
iOS Security Architecture Overview
At this year's RSA Security Conference 2012, I attended a lecture session on iOS Security Fundamentals given by security threat researchers Dino Dai Zovi and Charlie Miller. The information in this section is a summary of the points they presented.
Jailbreaking an iOS device is a challenging obstacle course that requires considerable hacking skill and effort to conquer. It involves applying multiple exploits to poke holes through the several layers of security built into the operating system. Specifically, the iOS architecture includes these security elements:
- Reduced attack surface. There are fewer apps to attack in iOS and consequently fewer bugs to exploit. Flash and Java are frequent attack targets on other operating systems but do not run on iOS. Many file types either cannot be rendered or are only supported to a limited degree. Not all features of PDF files, for example, are supported. There is no terminal shell (/bin/sh), nor the binaries that you would run in a shell, like "ls", "rm", "cp", "mv", etc. That means shellcode exploits that depend on spawning a shell cannot run.
- Privilege separation. Most iOS processes run in a limited user privilege mode. You don't get direct "root" access, which on other operating systems lets you do anything you want to your computer.
- Code signing. All executables and applications must carry signatures certified by Apple. Signatures are validated whenever an executable or application is run on iOS. This is why you can only get apps from the App Store. Code signing makes it nearly impossible for attackers to upload and run remote apps on your iPhone.
- Non-executable memory. Buffer overflow is an attack technique in which an attacker writes malicious code into memory that was allocated to hold data, beyond the bounds the application intended. Once there, that code can be executed outside your control to damage files or steal data from your system. By contrast, iOS does not allow code to be executed from memory marked for data storage. In other words, data written to memory by an application cannot be run as code.
- Address space layout randomization. Operating systems that load code and data into fixed, predetermined memory locations are more susceptible to buffer overflow since attackers know in advance where code and data will reside in memory. iOS puts code and data in random memory locations so attackers must guess where their code will run. Wrong guesses can cause the malicious code to crash, which is usually an irrecoverable situation.
- Sandboxing. Applications obtained from the App Store run in a restrictive sandbox that limits access to iOS system resources. Apps that are installed with iOS, like Safari, also run in a sandbox, but one that is less restrictive than the purchased application sandbox. These apps can open your address book, photos, movies, and so forth, but are prevented from other potentially damaging activities like sending SMS messages.
Benefits of Jailbreaking
After reading the list of security protections offered by iOS, you might wonder why anyone would want to jailbreak their iPhone or iPad. There are, however, practical benefits to jailbreaking.
When you use your iPhone internationally, you are subject to roaming charges. For Internet access you can always use free Wi-Fi hotspots to hold down roaming charges, but free Wi-Fi is not as common in countries outside the US. You can unlock a jailbroken iPhone, allowing you to replace your original SIM with an inexpensive pay-as-you-go SIM that you purchase in the country you are visiting.
For an extra monthly charge, you can tether your iPhone to your notebook computer to give the latter Internet access in areas where there is either limited or expensive Wi-Fi. Alternatively, there are several apps that run on jailbroken iPhones that give you this same access for free.
Without jailbreaking, you have to use AT&T or Verizon – assuming you are located in the US – as your carrier for your iPhone. But jailbreaking and unlocking your iPhone lets you use any 3G or 4G carrier.
Risks with Jailbreaking
The security risks of jailbreaking are huge. You give up all the considerable security protection the iOS normally provides. This leaves your iPhone or iPad more vulnerable to attack.
When you jailbreak your iOS device, you are never completely sure what the jailbreaking code is doing. For all you know, the code could be installing other malicious binaries. Don't forget that by definition and practice the process of jailbreaking involves exploiting your iPhone in the first place.
If something goes wrong during the jailbreaking process, you automatically void your warranty with Apple. Don't bother taking your hopelessly dorked up iPhone to Apple service; they will turn you away on the spot. That said, all you have to do to restore your iOS device to factory settings is connect it to the computer you use to back up iOS and go through a restore operation.
When it comes to updating your iOS software, you are kind of stuck. The act of updating will undo your jailbreak, and you may have to wait a while before a jailbreak for your new iOS version is released. You may have to forgo iOS updates if you prefer using your iPhone in a jailbroken state.
So far Apple has not created any updates that intentionally damage jailbroken iOS devices. At the same time, since the company does not condone nor support the practice, it is unlikely they will give much consideration to the effect any given update has on these devices.
Is Jailbreaking for You?
Jailbreaking unlocks some interesting capabilities in iOS devices for users adventurous enough to try it. However, in my opinion, the security risks and inconvenience of jailbreaking outweigh the benefits. I haven’t jailbroken my own iPad nor am I likely to in the near future.
If you bring your iOS device into work you should check to see if your company has a policy prohibiting jailbroken devices from connecting to the company network. If your company has such a policy you will have to forgo jailbreaking or restore the original iOS software on your device to comply.
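A company that enforces such a policy needs a way to tell a stock device from a jailbroken one. The following is an added example, not code from the article or from Apple: a coarse compliance check built on two points the article makes, namely that stock iOS ships without /bin/sh and the usual shell utilities, and that the app sandbox blocks writes outside the app's own container. The artifact paths and the probe location "/private/jb_probe.txt" are constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>
#include <unistd.h>

/* Added example, not from the article: a coarse "is this device still in
 * its stock state?" check of the kind a corporate compliance agent might run.
 * Stock iOS has no shell or shell utilities (the article's "reduced attack
 * surface" point) and the sandbox blocks writes outside the app's container;
 * a jailbreak typically changes both. */

/* Paths constructed from the article's examples: /bin/sh, ls, rm, cp, mv. */
static const char *const kShellArtifacts[] = {
    "/bin/sh", "/bin/ls", "/bin/rm", "/bin/cp", "/bin/mv",
};
static const size_t kShellArtifactCount =
    sizeof kShellArtifacts / sizeof kShellArtifacts[0];

/* Signal 1: how many of the given paths exist on this filesystem. */
size_t count_present_paths(const char *const paths[], size_t n) {
    size_t present = 0;
    for (size_t i = 0; i < n; i++)
        if (access(paths[i], F_OK) == 0) present++;
    return present;
}

/* Signal 2: can this process create a file where the sandbox should forbid it?
 * Returns 1 if the write succeeded (the probe file is removed again), else 0. */
int can_write_outside_sandbox(const char *probe_path) {
    FILE *f = fopen(probe_path, "w");
    if (f == NULL) return 0;
    fclose(f);
    unlink(probe_path);
    return 1;
}

/* Policy decision: either signal means the device is not in a stock state and
 * should be reported as non-compliant. This is a heuristic: a jailbreak that
 * hides its binaries or re-seals the sandbox will not be caught by it. */
int looks_jailbroken(const char *const paths[], size_t n, const char *probe) {
    return count_present_paths(paths, n) > 0 || can_write_outside_sandbox(probe);
}

int main(void) {
    /* "/private/jb_probe.txt" is a hypothetical out-of-sandbox location. */
    const char *probe = "/private/jb_probe.txt";
    size_t found = count_present_paths(kShellArtifacts, kShellArtifactCount);
    printf("%zu of %zu shell artifacts present; device %s\n", found, kShellArtifactCount,
           looks_jailbroken(kShellArtifacts, kShellArtifactCount, probe)
               ? "looks jailbroken (non-compliant)" : "looks stock");
    return 0;
}
```

Compiled into an iOS app, the check reports on the device it runs on; on a desktop OS the shell binaries naturally exist, so the program reports "looks jailbroken" there.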
It’s wise to think twice before jailbreaking your iPhone or iPad.