Mobile Security: iOS Jailbreaks Pose Risks

*** UPDATE 9/1/2015: KeyRaider Compromises 225K (jailbroken) Apple Logins ***

http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/

Jailbreaking is happening in the millions: don’t turn a blind eye.



The latest jailbreak for iOS 6.1, released on 4 February, was downloaded by a whopping 5 million users in the first 48 hours alone, according to the website stats posted by Cyril (a.k.a. pod2g), the developer of the latest hack published on evasi0n.com. During these first two days, the websites served 40 million page views of which a good 50 per cent to 2.5 million unique visitors from the U.S.

This is consistent with the figures I learned from Jay Freeman (a.k.a. Saurik) who I met a few months ago at the JailbreakCon 2012 in San Francisco, 2nd edition of the jailbreak community world congress – yes, they do have one. Jay Freeman is the owner of Cydia, the – perfectly legitimate – independent app store catering to those who’ve liberated their Apple device. Jay explained to me that, based on his website stats, at any given time 5 to 10 per cent of the overall Apple iOS installed base is jailbroken.

Why should it bother you? Well, it shows these devices are vulnerable. That the security measures Apple is so famous for can be broken and bypassed in a matter of days – iOS 6.1 was officially released on 28 January: it took Cyril and friends less than a week to inflict Apple this very latest humiliation. Even though the jailbreaking community is doing this for non-monetary reasons, you can bet the bad guys (i.e. organized crime and commercial spyware vendors) are plotting ways of exploiting this – in fact they may have even done so already.

In essence, jailbreaking is a classic example of what happens when you push users too far and force them into a corner. They rebel. We have seen the very same pattern in many other consumer electronic segments, from game consoles through digital TV set-top boxes. Apple’s problem is that it wants total control over every aspect of the ecosystem, from printers and peripherals through to which apps users can download. These users love their Apple devices but they are treated like children. With Android, users are treated like adults: they are allowed to download any apps they please from any sources they trust. The Andorid OS security features a permissions model, admittedly less than perfect, whereby users are asked via a pop-up box if they agree to an app accessing the user’s calendar, phone book and so on. Apple pre-vets all apps beforehand and allows no such pop-ups, which as we will see later on, can backfire in the world of jailbroken devices.

By the way, jailbreaking is not to be confused with unlocking, which is the process by which a mobile device bought on a contract with a particular operator can be altered so that it is usable with other operators’ networks. Jailbreaking, on the other hand, involves the deliberate breaking or bypassing of the iOS device’s security measures. It is as easy as a simple download and it is happening in ever greater numbers today, with a dedicated jailbreaking community working collaboratively on cracking the latest iOS version as soon as it comes out.

So, users are reacting to being treated like a child, to being told what apps they can and can’t download, in an extreme way, but what’s the harm? Well, legally, thanks to some exemptions to the Digital Millennium Copyright Act, it is perfectly OK to jailbreak a smartphone – the Android version of jailbreaking is called ‘rooting’ – but to do so on a tablet is illegal. Apple is obviously strongly opposed to users – and to developers – breaking free of its control in this way and warns of shortened battery life, unreliable data and other bad things happening. The only area it is 100 per cent correct on is the unacceptable security risks that jailbreaking introduces.

Because the Cupertino firm treats its users like children in offering them pre-vetted applications it says are clean and secure, when they decide to break out of that ecosystem and access apps from third party stores, which may be infected with malware, there are no protections and no pop-up permissions boxes. The children have effectively wandered into the jungle, with bad stuff all around and nothing to defend themselves with. Apple is still in denial and doesn’t allow security vendors to develop commercial solutions to mitigate these embarrassingly recurring security issues – look, for example, at the exploit currently targeting Mac users of the Safari browser included in Apple’s OS X, vulnerability cataloged as CVE-2013-0634.

This is obviously bad news for an IT manager. Especially in an increasingly consumerized IT world where the BYOD trend is a reality for the vast majority of organizations. Jailbroken iOS devices are simply a risk they cannot take in the enterprise – there are mobile device management tools which will detect any such device trying to access the corporate network and quarantine until it has been dealt with. Consider another scenario, however, of covert jailbreaking done without the user’s knowledge. Device jailbreaking can be done remotely and without the need for a user password, perhaps via one of the many vulnerabilities discovered – and regularly exploited – in popular cross-platform components like Adobe Reader or Java. In this context it could be the perfect gateway for a cyber criminal to covertly install spy tools or malware onto the device. Such espionage applications are no longer the preserve of James Bond. FinFisher International’s FinSpy Mobile, just to name one targeting Apple iOS, can monitor user location, contact list, phone calls, web history, text messages and even turn on the iPhone’s mic in specific locations to eavesdrop. How do you know your CEO hasn’t had his iPhone hacked in this way? How do you know how many “silent auditors” attended your last Board meeting? In the last few days alone the U.S. Energy Department – that design and build nuclear weapons, the U.S. Federal Reserve and The Wall Street Journal have all been hacked. What does it make you think your Executives haven’t received the same kind of attention – perhaps via their mobile devices?

Users put so much faith in Apple they think their iOS devices don’t need any additional security software, but it’s a false sense of security, just as it was on the Mac platform which is now being readily exploited by attackers. With between 5-10 per cent of the iOS installed user base accessing jailbreak app store Cydia, this is no longer an underground movement. IT managers need to be aware and they need to take suitable precautions.


Do you know how many jailbroken iPhones and iPads have access to your company’s email server? Is your IT security infrastructure able to detect and quarantine these jailbroken devices? Is jailbreaking contemplated by your company’s BYOD policy?