Is iOS jailbreaking an enterprise security threat?

Jailbreaking a smartphone means fiddling with its OS so you can load the applications of your choice, bypassing the requirement to download digitally signed apps only from, say, Apple’s iTunes App Store. Opinions tend to be binary: Either jailbreaking is an unalloyed act of end user liberation and empowerment, or it’s the Digital Apocalypse.

Recently, Apple quietly and without explanation disabled a new API, introduced in iOS 4.0, intended to be used in discovering whether an iOS device had been jailbroken. Software vendors of mobile management applications insist they can, and do, use other techniques to discover that.

Apple’s decision sparked a new round of debate over jailbreaking, but without shifting the binary terms in which the debate has been framed. We went into more detail about jailbreaking and the enterprise with Jeremy Allen, a principal consultant with Intrepidus Group, a New York City consulting firm specializing in mobile security. Allen has a background in security and application development, and he focuses on iOS and applications that run on it.

Some will argue that jailbreaking iOS is a right, not a risk. How do you see it?

My general thought on it is that, as shipped, iOS devices add a lot of security due to the code signing of everything on the device. When you live and play in the "Walled Garden of Steve" as I have seen it called, you get a lot of benefits for that... The problem I have is that, usually, big organizations don't let users have administrative privileges on corporate-owned devices [e.g. laptops], so why would we be letting users have them on a corporate-owned iPad?

What does code signing bring to the table for mobile security?

Code signing is a pretty giant roadblock to malware.

On a Windows PC, when you download a program from the Internet, you get a popup that tells you “publisher: unknown” or “publisher: Adobe” and so on. Windows figures that out through code-signing – the code publisher gets a certificate from Verisign, and “signs” the code. That lets you, as the developer, prove you’re the author of the code and that it’s trustworthy.

For iOS devices, you as a developer get a certificate signed by Apple. When the code is downloaded, Apple will look up the code and make sure it’s properly rooted to the certificate. For iOS devices, if the code signing is not from Apple, and Apple only, you can’t run it. It creates a secure playground. By forcing any code that you want to run on the mobile device to be [first] signed from Apple, you can eliminate a lot of problems.

So what does jailbreaking actually do?

It disables most of the code signing checks.

Apple offers [in iOS] public and private APIs. Any apps in the App Store use only the public APIs. Private APIs aren’t necessarily secret but only Apple can use them, and Apple can change them at any time.

Jailbreaking lets you use the private APIs. Then, you can implement things like multitasking in iOS 3.0 [before Apple partly enabled it in 4.0]. You have more control over the apps you write. And you can put anything you want on your iPhone. At bottom, it’s a Unix device. [So] you can install SSH [Secure Shell] and tunnel into your phone and use it, for example, for tethering. You can change the graphical look and feel of the iPhone pretty significantly.

What are the risks with jailbroken devices?

Any code can run on your phone: You could get malware that could steal all your emails or whatever.

Usually, jailbreak users install software from Cydia [an open source code package manager and, now, online store], and who knows where that code came from? You could throw some backdoor on those programs a lot more easily than you could on Apple’s servers.

Second, if you install and configure SSH, the root user password would be weak and make it easy for anyone to take over your phone. There are all kinds of bad and unexpected outcomes with jailbreaking.

Having said that, the chances of someone currently targeting jailbroken iPhones are low, because there are not that many of them. From the standpoint of a developer writing ‘malware that will run anywhere,’ it’s a very small user audience.

[Apple has a list of problems encountered by iOS users who have jailbroken their devices.]

Based on your work with enterprise IT in mobile deployments, how do they see jailbreaking?

They want a way to detect it. The iOS 4.0 release was focused on mobile device management: Jailbreaking sidesteps all that. Even when it’s a personal [iOS] device, IT is saying “we know this is your personal device, but if you want access to corporate email on your phone, you need to have some security configured.”

A lot of end users may not realize all the other risks they take when they jailbreak.

Some say “jailbreaking is not a big deal.” And it’s not, from my perspective. But you don’t need a lot of the features you get with a jailbreak, and the phone is less secure. So why do it?

Why do you say jailbreaking is no big deal?

At Intrepidus Group, we’re always talking about this. We agree that jailbreaking isn’t an instant death sentence. If you’re a “consenting IT practitioner,” and you jailbreak your device, you probably know what you’re getting into. You know the risks.

But a lot of end users who do this, they don’t even change the root password on their device. That’s the problem: If you make an informed decision, it’s like being on your laptop as “administrator,” which you have to be in order to install programs. But on the iPhone, you can’t do that [legally], and the phone is intended to take care of itself. If you change this by jailbreaking, you take on the responsibility for doing what the phone was doing for you.

So, I would say it is a big deal for end users to jailbreak their phones. But the result is not technically different from most of the other devices out there on the Internet today.

But I think if a user wants to bring their mobile devices "into the corporate fold," they need to accept some things like “not removing things that make your device more secure.”

Do third-party mobile management applications offer reliable jailbreak detection mechanisms?

Apple’s mobile device management APIs have been released to these vendors, but they’re under NDA. You or I can’t see these, or how they’re used. Apple doesn’t even give this information to the Department of Defense.

The classic mechanism is to write an application that tries to do things it shouldn’t be able to do. But the question is, will that still work in six months, with the hackers always one step ahead?
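As an added illustration of the "classic mechanism" Allen describes (this is example code written for this page, not code from the article, from Intrepidus Group, or from any MDM vendor), the Swift snippet below has an app attempt several things the iOS sandbox should refuse to a third-party, Apple-signed app: reading files that only exist on a modified root filesystem, writing outside its own container, opening a system binary, and resolving the Cydia URL scheme. The path list, the probe file name and the `JailbreakHeuristics` type are assumptions chosen for the example; the `cydia://` check also assumes the scheme is declared in the app's `LSApplicationQueriesSchemes` (required since iOS 9). Each check is a heuristic that answers "could this app do something it shouldn't?", which is exactly why the durability question above matters: the result should be reported to the MDM backend as evidence, not treated as proof.

```swift
import Foundation
import UIKit

// Added example (not the article's or Intrepidus Group's code): a jailbreak
// heuristic in the "try to do things the sandbox should forbid" style.
// Every path, scheme and name below is an assumption for illustration.

struct JailbreakIndicator {
    let name: String
    let triggered: Bool
}

enum JailbreakHeuristics {

    /// Files that a stock iOS install does not expose to a sandboxed app (assumed list).
    static let suspiciousPaths = [
        "/Applications/Cydia.app",
        "/usr/sbin/sshd",
        "/bin/bash",
        "/etc/apt",
        "/private/var/lib/apt",
    ]

    /// 1. A sandboxed app must not be able to see these paths at all.
    static func checkSuspiciousFiles() -> JailbreakIndicator {
        let hit = suspiciousPaths.contains { FileManager.default.fileExists(atPath: $0) }
        return JailbreakIndicator(name: "suspicious filesystem paths visible", triggered: hit)
    }

    /// 2. A sandboxed app must not be able to write outside its own container.
    static func checkWriteOutsideSandbox() -> JailbreakIndicator {
        let probe = "/private/jailbreak_probe_\(UUID().uuidString).txt"  // assumed probe path
        var writable = false
        do {
            try "probe".write(toFile: probe, atomically: true, encoding: .utf8)
            writable = true
            try? FileManager.default.removeItem(atPath: probe)  // clean up if the write succeeded
        } catch {
            writable = false  // expected outcome on a stock device
        }
        return JailbreakIndicator(name: "write outside sandbox succeeded", triggered: writable)
    }

    /// 3. With the sandbox intact, fopen() on a system shell fails for a third-party app.
    static func checkSystemBinaryOpen() -> JailbreakIndicator {
        var opened = false
        if let f = fopen("/bin/bash", "r") {
            opened = true
            fclose(f)
        }
        return JailbreakIndicator(name: "system binary opened for reading", triggered: opened)
    }

    /// 4. Cydia registers a URL scheme; needs "cydia" in LSApplicationQueriesSchemes (iOS 9+).
    static func checkCydiaScheme() -> JailbreakIndicator {
        let url = URL(string: "cydia://package/com.example.package")!  // constructed URL
        let handled = UIApplication.shared.canOpenURL(url)
        return JailbreakIndicator(name: "cydia:// URL scheme handled", triggered: handled)
    }

    /// Runs all checks; returns the indicators so the caller can log or report them.
    static func run() -> [JailbreakIndicator] {
        #if targetEnvironment(simulator)
        // The Simulator runs on the Mac's filesystem, so every check would misfire.
        return []
        #else
        return [checkSuspiciousFiles(),
                checkWriteOutsideSandbox(),
                checkSystemBinaryOpen(),
                checkCydiaScheme()]
        #endif
    }
}

// Usage: collect the evidence and hand it to the device-management agent or backend.
let indicators = JailbreakHeuristics.run()
let suspicious = indicators.filter { $0.triggered }
if suspicious.isEmpty {
    print("no jailbreak indicators")
} else {
    print("possible jailbreak:", suspicious.map { $0.name }.joined(separator: "; "))
}
```

The design choice worth noting is that the checks are independent and the app reports which ones fired rather than making an enforcement decision on its own. When one check stops working on a future iOS release, the backend policy can be adjusted without shipping a new app, and the remaining checks still carry signal.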

John Cox covers wireless networking and mobile computing for Network World. Twitter: john_cox@nww.com
