Should you risk jailbreaking your iPhone?

Chances are, if you don't know the dangers involved, you shouldn't jailbreak

Is a jailbroken iPhone for you?

The "evad3rs" team has published its "evasi0n" jailbreak tool (for free) to the iOS community. The team claims that in roughly a week, some 7 million users have used the tool to jailbreak their iOS devices. By any measure, the launch -- already up to Version 1.3 to support Apple's iOS 6.1.1 release on iPhone 4Ses -- has been wildly successful.

But is jailbreaking your device something you want to do? Let's consider a few issues before you dive in.

First, just what is jailbreaking? It's the process of removing the sandbox protections that Apple places in its iOS products. Its purpose is primarily to enable users to install unreviewed (by Apple) software on their iOS devices. Secondarily, it enables users to access files they normally wouldn't be permitted to, which opens up all sorts of possibilities for customizing an iOS system. Many technically inclined users find liberation in these things and loathe being locked into a sandboxed device.

There are entire unsupported (again, by Apple) communities where apps can be purchased or simply acquired for free. These communities don't have the strict curation policies that Apple employs in its App Store, and that is exactly its appeal to the jailbreakers. Indeed, many apps that were rejected by Apple over some policy violation or another have ended up in the jailbreak app communities.

Is it legal? Apparently it is, at least in the U.S. In 2010, the U.S. Copyright Office declared jailbreaking to be an exception to the Digital Millennium Copyright Act. But the situation is not exactly cut and dried. See here for more information, but it seems that jailbreaking an iPhone in the U.S. remains legal, while doing the same to an iPad is not. The bottom line is this: if you're at all concerned about the legality of jailbreaking your device, you're probably well advised to abstain. And be aware too that Apple maintains that jailbreaking may well void a device's warranty.

Is it safe? The answer probably has more to do with you than with anything else. Most jailbreaks completely remove iOS's app sandboxing features, even after the device has been booted up after the jailbreak process itself. At this point, all apps essentially run in a privilege state where they can all read/write pretty much anywhere on the device. This opens up a jailbroken device to possible malware, data exfiltration and so on. Essentially, a jailbroken device has all the file protections of a Windows 3.1 system. It's a single-user device, and every app can get to everything.

This is one of the aspects that appeal to many jailbreakers, but for the masses, jailbreaking can be a pretty reckless act. After all, nearly five years after Apple launched its App Store, we have zero in-the-wild malware samples on non-jailbroken iOS devices. Meanwhile, several malware incidents have occurred in the jailbroken app community, including at least one worm that exploited a default sshd password to copy itself among jailbroken iOS devices.

Now, this falls far short of being a condemnation of the underground app ecosystem, but if that community continues to proliferate as we've seen in the Android community, it's quite possible things will get worse. Numerous recent studies of Android apps have documented massive increases in malware in that community. Let's hope that's not the future for the jailbroken iOS app world.

All of this is why I say that who you are is what will ultimately guide you to deciding whether jailbreaking your iPhone is a wise thing to do. If you're among the tech-savvy, you've probably already made that choice. If you're on the fence, chances are the best answer is no. There is a burden that comes with jailbreaking your device. You need to exercise hyper caution in allowing apps into your now unprotected environment. A mistake here can be costly indeed. But if you're willing to accept that risk and the consequences of failure, have at it.

That said, there are a few use cases that bear further consideration. If you're an app developer, jailbreaking a test machine can be worthwhile. By doing so, you can accurately peruse the entire filesystem for data leakages, such as the spell checker key log, the cut-and-paste buffer and so forth. These data stores are normally off-limits, but if you truly want to understand the security risks posed by your own software, there's no substitute for seeing these things firsthand.

Also, if a jailbroken device is lost or stolen, you can pretty comprehensively understand what data may have been exposed, because you will be able to pore through all the other data stores on the device, such as the SMS/iMessage texts, address book, calendar, some (but not all) keychain items, and other system files that you'd normally be prohibited from exploring forensically. (You would do this by restoring from backup the data from the missing device onto a replacement device, which you would then jailbreak.) That can help you determine the risk exposure after a device has gone missing. Be warned that this process is time-consuming and costly, but in some cases it will be worth the effort.

The bottom line is that jailbreaking can be exhilarating and liberating, but it shouldn't be done by anyone who isn't willing to swim in an open sea of noncurated apps. For the vast majority of users, this translates to unnecessary and unjustifiable risks. Just walk on by.

With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Deptartment of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.

Read more about security in Computerworld's Security Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags Appleconsumer electronicssecuritylegalsmartphones

More about AppleCarnegie Mellon University AustraliaCERT AustraliaMellonPara-ProtectTopic

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Kenneth van Wyk

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts