Educause Security Discussion mailing list archives
Re: Implications of Jail breaking ipod/iphones
From: Adam Carlson <ajcarlson () BERKELEY EDU>
Date: Wed, 22 Jul 2009 10:07:40 -0700
I think it somewhat depends on what you want to do with the iPhone and what risks you are concerned about. According to Apple, jailbreaking the iPhone strips off 80% of the built in protections and leaves your phone completely vulnerable. http://www.macworld.com/article/141506/2009/07/jailbreak_security.html I personally do not buy this story and think that a locked, un-jailbroken iPhone itself has serious security issues. The jail breaking process is essentially a circumvention and hacking of the security model Apple tried to put in place. The fact that the iPhone Dev Team has been able to re-hack every new firmware that has come out shows how fragile and easily broken it is, despite Apple's attempts to lock it down. This also means that if your phone is lost and obtained by a malicious user, they would be able to circumvent the security model in a similar way to bypass the protections and get full read-write access to the phone (so don't count on that 4-digit passcode to protect your data on the 3G. I still have not heard enough about the 3GS encryption to tell whether it was implemented properly, but let's hope so). That being said, an unbroken iPhone could be considered more "dangerous" because it is more powerful and will let you do more things. For example, you can run an SSH server on a jailbroken iPhone which is something you cannot do on a locked phone, and running an SSH server definitely introduces a new vector of attack (but is anyone going to argue that running an SSH server is so dangerous that it just shouldn't happen?). You also have the ability to install applications that have not gone through the Apple certification process and those processes will also have the ability to run as root on an unlocked iPhone: http://blogs.pcmag.com/securitywatch/2009/03/please_dont_jailbreak_your_iphone.php (it's funny that the researcher who says it is so dangerous to use an unlocked iPhone uses....an unlocked iPhone in a do-as-I-say-not-as-I-do type of manner) So if you use the unauthorized app software (cydia/icy) to install an insecure/malicious piece of software, then you could also be increasing your risk. However, this is true of any computer system where installing the wrong piece of software could have harmful repercussions. So basically an unlocked iPhone will not be able to protect you from yourself. If you know what you're doing, that probably isn't a problem. However, if you're not someone who has the patience or knowledge to research the apps that are installed(or update them), you might want to stick with the Apple store. In other words if you don't feel comfortable having administrator access on a computer, you also probably shouldn't unlock your iPhone. The other big issue is that updates are always a question mark on an unlocked iPhone. Thus far I believe Apple has allowed you to update an unlocked iPhone to the new firmware revisions, it just gets re-locked in the process. This means that you either have to wait to update and hope for the iPhone Dev Team to release a new unlock hack or update the iPhone and not use your jailbroken apps until a new unlock is released. Because there have already been a large number of serious security issues with the iPhone, choosing not to update to retain use of jailbroken apps could definitely introduce additional risk. Personally, I don't think anyone with serious security concerns should be using either a locked or unlocked iPhone 2G or 3G in a meaningful way. They just do not have the basic technical controls that any mobile device should have (mostly disk-based encryption along with some other things like centralized policy management and patch management). The 3GS is still new and I haven't seen a good technical analysis of how the encryption has been implemented. Unfortunately with encryption, the devil is in the details, so just having encryption present is not enough, it also has to be implemented well. For more information on the iPhone 2G/3G security model, you might want to check out this book: http://oreilly.com/catalog/9780596153588/ I have not had the opportunity to read it yet, but I have heard good things and the book description tells you what it covers and is possible. That book's author also has an insightful comment posted on this blog where he shares his feelings about the Apple's approach to security: http://anthonyvance.com/blog/forensics/iphone_encryption/ The blog also discusses some of the potential issues associated with the 3GS, however, I have seem some other sites with a much more positive review of the 3GS security improvements: http://db.tidbits.com/article/10416 This is probably way more information than you wanted about the security of a locked iPhone without actually answering your question, but hopefully it gives you a little food for thought ;). -Adam Russell Fulton wrote:
I have had several people ask me about this and I have tried googling around the area but most the stuff I have found consists of lists of dos and don'ts with little or no background info. The basic question is what are the security implications of jail breaking your iphone? Clearly this allows one to install applications that have not been blessed by Apple (with the risks that that entails). Are their less obvious risks such as making it easier for browser bugs to be exploited to do damage? Like most things in security I suspect that there are cases where phones should not be tampered with and others where the risk is acceptable. I would also appreciate any good references to the iPhone security model. Russell
-- Adam Carlson Chief Security Officer Information Technology Residential and Student Service Programs Tel: 510-643-0631 Email: ajcarlson () berkeley edu "Most of the things worth doing in the world had been declared impossible before they were done." ~Louis D. Brandeis
Current thread:
- Implications of Jail breaking ipod/iphones Russell Fulton (Jul 21)
- <Possible follow-ups>
- Re: Implications of Jail breaking ipod/iphones Anderson, Sherry (Jul 22)
- Re: Implications of Jail breaking ipod/iphones Rick Holland (Jul 22)
- Re: Implications of Jail breaking ipod/iphones Guy Pace (Jul 22)
- Re: Implications of Jail breaking ipod/iphones Adam Carlson (Jul 22)
- Re: Implications of Jail breaking ipod/iphones Russell Fulton (Jul 22)
- Re: Implications of Jail breaking ipod/iphones Adam Carlson (Jul 23)
- Re: Implications of Jail breaking ipod/iphones Doty, Timothy T. (Jul 24)
- Re: Implications of Jail breaking ipod/iphones Adam Carlson (Jul 24)
- Re: Implications of Jail breaking ipod/iphones Doty, Timothy T. (Jul 24)
- Re: Implications of Jail breaking ipod/iphones Adam Carlson (Jul 24)