Jailbreaking iPhones – What’s at stake?

1 11 2012

by Adam Rauf

Chances are, if you’re a smartphone owner in the year 2012, you most likely are carrying either an iPhone or an Android device.  If you’re an iPhone user, you’re probably quite happy with your device; after all, it can run a lot of applications, make phone calls, and send text messages, amongst other features.  However, your Android brethren often will chastise you for having such a “locked down” device, considering rooting an Android has slowly become a very easy task over the years.  Granted, there are a lot of concerns in having a device that is rooted (or jailbroken), but the ability to overclock, tether, and generally do what you wish with your handset is a privilege that is not as easily bestowed to iPhone users.

A quick Google search for “jailbreak iphone” will lead to a Wikipedia article about “Privilege Escalation.”  To the common user, what is that exactly?  Privilege Escalation is “the act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application used to gain elevated access to resources that are normally protected from an application or user[1].”  So in essence, jailbreaking allows the user to exploit some sort of bug in the operating system so that they can gain full access to their handheld device.  In the case of Android devices, people would install custom roms, new basebands and versions of the OS, or as stated previously, be able to tether or overclock their phones.  In the case of the iPhone, users may be less tempted to want to install custom roms, but being able to overclock, tether, and upgrade baseband radios for better signal are certainly neat advantages that bedroom hackers may be interested in.  Now, keep this in mind, it’s still an exploitation of the operating system.

Jailbreaking does come at a price.  Back in 2009, 21-year old Australian student Ashley Towns wrote the first “iPhone virus [2].”  Jailbreaking software available at the time installed an SSH service on their phone.  And if users did not change their default password [“alpine”], they could be hit with this version of this virus, which would change their wallpaper and play Rick Astley’s single, “Never Gonna Give you Up[2].”  So while this was no more than an annoyance at the time, Towns proved that as easy as it was to jailbreak your device, you also had to worry about now changing your SSH passwords, which many users could possibly neglect.  As the saying goes, “with great power comes great responsibility.”

This same bug was exploited just weeks later, but with more malicious intent.  Security company F-Secure pointed out that users in the Netherlands were being targeted, particularly in their banking logins [3].  While Towns may have been trying to bring awareness to this security hole as a Whitehat, this was clearly more of a malicious intent, basically treating the iPhones as a botnet, with a command & control post, and could propagate to more phones via unsecured wifi, for example [3].

Of course, Apple being the walled garden that it is, saw serious issues with this idea of jailbreaking.  Not only did it create new vulnerabilities, but the stability of the device was now compromised.  No longer could people have the device that “just works.”  Perhaps for the same reason that they build all of their machines to certain specs, the last thing the company wanted was for devices such as the iPhone and iPad as well as the iPod to be hacked.  For quite some time, they saw this as copyright violation.  However, in 2010, the DMCA (Digital Millenium Copyright Act) that Apple used as its legal muscles gave way to jailbreaking.  The copyright office found jailbreaking to not infringe on any rights and granted an exemption to it [4].  As much noise as Apple made about it, they had lost this battle.  So now, it was no longer illegal to jailbreak your phone, but much like Android handset carriers, they did warn you that it would void your warranty.

To also deal with the “walled garden” effect of Apple and provide a means to get apps, the Cydia app was developed.  Users can go to JailbreakMe.com on their device and quickly jailbreak their phone [5].  They also made it quickly reversible, so that you can go back to iTunes and restore your device [5].  There is however, no guarantee that you can’t brick your device, or cause some sort of damage to it.  And because Cydia is overlooked by a team of users not specifically working at Apple, you can’t always trust what apps you can download, and there’s no rigorous testing process; you’re basically going in somewhat blind into territory that’s unchartered.  None of the apps are going to be signed by any authority, and there’s nothing stopping a user from flooding the market.  Does that sound scary to any of you yet?

Apple has gone to great lengths to brand and image themselves as a secure vendor.  Their slogan of “It just works,” amongst their hip campaigns is supposed to imply that you won’t be dealing with all of the viruses/malware of Windows.  But, we’re starting to see phishing attacks on users.  Myself and friends included have gotten text messages leading to nefarious URLs.  And since some of us are on Android or jailbroken iOS devices, we can sideload apps.  What’s to say we haven’t downloaded something insecure?  Apple may say you don’t need an antivirus, but the mobile space is still relatively new to us and it may come back to bite us later.  For example, is there any way we could detect if we’re being DNS cache poisoned, or if people are intercepting our data when we sign into wifi?

Let’s fast-forward to the future, where we currently still have no cracks into the iPhone 5.  The iPhone 5 runs iOS 6, and has yet to be broken.  In fact, as early as today, October 9th, the jailbreak team working on it has disbanded [6].

Okay, so now we all have some background on what jailbreaking is, and where we are with it.  The questions I pose to you, the readers, is what incentives do we see with jailbreaking these days?  Is it purely to stiff the man and have full access to the device, or is it no longer important due to the malware and vulnerabilities that are propagating in the mobile space [and thus requiring users to install anti-virus and anti-malware apps]?  Does the fact that jailbreaking is now easier somehow make Android less attractive, considering how easy [*chuckle*] it was to root Android phones previously to get the same kind of performance from iOS?

If I may throw my hat in the ring, I tend to think jailbreaking was once a huge part of the “nerdy” culture, much like how people would choose to run Linux over Windows or Mac.  You might not do anything really amazing with it, but you got some “cool points” from peers for jailbreaking/rooting your device and throwing customized UIs and applications over top of it.  But then again, much like Linux, it was the privileged few that could afford to get iPhones or Android devices in the beginning.  But now, as we start to see devices drop to the cost of pennies, you’re a small part of a large majority.  You’re not really running a whole different OS than everyone; you’re running something modded.  And while that still might be “cool,” that hip appeal is slowly starting to fade.

Recently, the US Navy also showed how the mobile space is getting to be a scarier place.  The recently released “Placeraider” malware they developed would silently use your camera function to take pictures while you are unaware, upload the photos to one of their servers, and map out a 3D image of your surroundings [7].  This is absolutely frightening; rooting or not, security has become a bigger issue, and will continue to become an issue as we move forward.  It also emphasizes the importance of users being more diligent as to what permissions they grant applications when they install them, especially when this program asked for no more rights than your common photo app like Instagram [7].

I currently own a Samsung Galaxy Nexus [the Apple lawsuit is another story].  I’m running the latest Google OS of Jellybean.  I didn’t have to root my device like I rooted my original Motorola Droid to get a lot of the features I got on this device.  I no longer need to overclock, I no longer have an issues with tethering, and I’m able to sideload apps if I wish.  Is the appeal for rooting there for me?  Not really.  Unless I want to spend time bragging to friends, there’s not a whole lot I would like to change about my phone.  And with Apple devices, we’re starting to see the same thing.

Are users interested in voiding their warranties, downloading apps from possibly untrusted/untested sources, and opening themselves up to exploits outside of Apple?  Probably not.  While Apple does make mistakes, they do have a responsibility to their users to patch vulnerabilities.  In the Android world, there certainly are people who help take the sourcecode from the Google Devs and morph it into custom roms that may patch vulnerabilities that aren’t even patched with the official OS.  While that can still be true with Apple devices, the certainly do cost more, and definitely more to replace.  So the “fun factor” of jailbreaking your device may not stack up against the “cost factor” of having to replace the device.

______________

1. “Privilege Escalation.”  Wikipedia, The Free Encyclopedia.  Wikimedia Foundation, Inc.  4 October 2012.  Web.  <http://en.wikipedia.org/wiki/Privilege_escalation&gt;

2. Andersen, Brigid.  “Australian Admits Creating First iPhone Virus”  ABC News AU.  10 November 2009.  Web.  <http://www.abc.net.au/news/2009-11-09/australian-admits-creating-first-iphone-virus/1135474&gt;

3. “New iPhone worm can act like botnet say experts.”  BBC News.  23 November 2009.  Web.  <http://news.bbc.co.uk/2/hi/technology/8373739.stm&gt;

4. “Exemption to Prohibition on Circumvention of Copyright Protection Systems for Access Control Technologies.”  Copyright.gov.  Web.  Revised 24 August 2012.  <http://www.copyright.gov/1201/&gt;

5. Comex, Grant Paul, Jay Freeman (saurik), MuscleNerd, et al.  “JailBreakMe.”  JailBreakMe.  Web.  <http://www.jailbreakme.com/&gt;

6. Harbison, Cammy.  “iOS 6 Untethered Jailbreak Team Splits As New Alliances Are Formed, Still Promising Results.”  International Digital Times.  9 October 2012.  Web.  <http://www.idigitaltimes.com/articles/11677/20121009/ios-6-untethered-jailbreak-team-splits-new.htm&gt;

7. McLellan, Heather.  “US Navy Helps Create Camera-Hijacking Smartphone Malware.”  The Escapist.  1 October 2012.  Web.  <http://www.escapistmagazine.com/news/view/119890-US-Navy-Helps-Create-Camera-Hijacking-Smartphone-Malware&gt;

Advertisements




Smartphone Security Revisited

20 11 2011

by Shanief Webb

In my previous blog post[1] I introduced the threat of mobile applications stealing personal user data from smart phones that they are installed on. However, at that time, I only focused on the Android mobile Operating System. Now, I’d like to focus on a similar situation but with mobile applications on Apple’s iOS.

TG Daily[2] reported today that Charlie Miller released submitted a malicious app to Apple’s app store. Unlike with the Android Market, Apple actually has someone review each app before it is allowed to enter the App Store. Although Apple has already removed the app from the App Store, we wonder how can a malicious app get through the cracks?

For Charlie Miller’s malicious app, it probably wasn’t human error that allowed his app entry into the app market, but instead “good” design. Apparently, Chris made an app that appeared to be doing something useful such that it would not have raised any eyebrows. Specifically the app appeared to be an app that monitored the stock market, but secretly was making the device(s) it was installed remote-controllable. Miller’s application was similar to the Android app I worked on in the Spring 2011 (noted in my previous blog post) and I should note that TG Daily claims that Miller published his app for experimental reasons (not to be truly malicious).

There have been several malicious apps similar to this have been released in Google’s Android market and for that reason I am surprised that Apple was not aware and cautious enough of these kinds of apps to train their reviewers to look for possible malicious behavior in the background activity of the applications. Furthermore, on average Apple takes about a month before they give an approval/disproval decision on an app’s entry to the App Store so, I doubt that Apple was simply hurrying to get the app out of the approval process.

In Apple’s App Store Review Guidelines[3], a “living” document, Apple describes some scenarios of what can cause an app to fail the review process. There are a few relevant scenarios that apply to Chris Miller’s app:

  • “Apps that do not perform as advertised by the developer will be rejected”
  • “Apps that include undocumented or hidden features inconsistent with the description of the app will be rejected”
  • “Apps that read or write data outside its designated container area will be rejected”
  • “Apps must comply with all legal requirements in any location where they are made available to 
users. It is the developer’s obligation to understand and conform to all local laws”

(Apple App Store Review Guidelines)

The last bullet encouraged me to look into Apple’s Privacy[4] policy to see what Apple guarantees their customers in terms of personal information on their mobile devices. I found that personal information shared on some Apple products is “visible to other users and can be read, collected, or used by them“ (Apple Privacy Policy) and that Apple expects users to be cautious of the information they share. In other words, Apple doesn’t provide much protection for their customer’s information and holds their customers liable for any theft or misuse of their personal information. Similarly Google’s Privacy Policy[5] for mobile devices has a conceptually identical clause “If you decide to use third party applications on your device, any information those applications collect may be sent to third parties and the Google privacy policies do not apply. “ (Google Mobile Privacy Policy)

Personally, I do not like the fact that Apple and Google hold their customers liable for their personal information on their mobile devices, but at the same time I respect their stance because they also open their app markets up to third-party developers and are not fully aware of all the damage malicious developers could potentially cause.





Mobile Device Security Approaches of iOS and Android

9 09 2011

The current generation of mobile devices have been designed with security in mind, but the way the two leading mobile OSes approach security is different. Symantec Corporation  released a report on June 28,2011 highlighting what they see as four main pillars of mobile security. Interestingly enough, Jon Oberheide produced a paper about demystifying the challenges of mobile security a year earlier.

Symantec’s device security model revolves around Access Control, Application Provenance, Encryption and Isolation. Mr. Oberheide has found that iOS and Android share common security attributes in the realm of Application Delivery, Trust Levels and System Isolation.

But why is this really important?

It’s important because smart phone and mobile app usage is on the rise. Gartner  Inc. estimates that “smartphone sales will reach 468 million units in 2011, a 57.7 percent increase from 2010.” [1] And during this period of explosive sales growth, the Android OS will be the market leader, with Apple’s iOS in second place. By 2015, Gartner projects sales of mobile devices to hit 1 billion units.[2] Besides sales of mobile devices, mobile apps downloaded from app stores are projected to hit 17.7 billion by the end of 2011, and while approximately 8.2 billion apps were downloaded in 2010.[3] Mobile apps are what provide smartphones users the greatest value.

So what are the more interesting findings from Symantec and Mr. Oberheide?

Apple’s strategy of vetting each mobile app produced for the public for its iOS platform is a sound practice and works well to ensure non-malicious apps make it on to non-jailbroken devices. Mr. Oberheide ranks iOS with a “high” rating for Application Delivery. This is due to the fact that Apple is the only one permitted to deliver apps to the public.  Additionally, Symantec give Apple high marks in Application Provenance. Again, this is because Apple checks all the apps before they are deployed to the public, and two, because each app is digitally signed by the developer, so the consumer and Apple know who produced what app.

On the other hand, Android, takes a different approach with respect to mobile apps. Android Application Delivery as described by Mr. Oberhiede is rank “medium” because the default app store for apps is the Android Market.  I disagree with his assertion. Android’s App Delivery rating should be considered “low” because it is easy to change which source an app is downloaded from, and Android apps can be downloaded from different app stores or even straight from a web page.  Interestingly, Symantec and Mr. Oberheide both agree that Android’s permission based control is great  compared to iOSes lack of granular control.

In the end, while  newer mobile OSes are more security conscious in their design, there are differences in how an open operating system incorporates security in their design as compared to a closed, proprietary system. iOS and Android devices dominate the smartphone market, and with the spread of these mobile OSes into other form factors, the way the OSes approach security will need to adapt as they begin to operate more than just telephony devices.


[1] Gartner Says Android to Command Nearly Half of Worldwide Smartphone Operating System Market by Year-End 2012.” Technology Research | Gartner Inc.. http://www.gartner.com/it/page.jsp?id=1622614 (accessed July 8, 2011).

[2] Ibid.

[3] Gartner Says Worldwide Mobile Application Store Revenue Forecast to Surpass $15 Billion in 2011. (2011, January 26). Technology Research | Gartner Inc.. Retrieved August 17, 2011, from http://www.gartner.com/it/page.jsp?id=1529214