The iPhone jailbreaking saga continuesby Steve Ragan - Aug 12 2010, 21:00
Apple has released an update for iOS that patches the vulnerabilities used to jailbreak iPhones and iPads when users surfed over to jailbreakme.com. At the same time, the source code for the newest jailbreak method was released, and expectations are that malicious attacks could follow. The question is, should anyone worry?
When Apple patched the vulnerabilities in iOS 4 (link), it addressed Safari’s inability to parse fonts in PDF documents. The font issue allowed the browser to be compromised, which resulted in code execution. From there, a second vulnerability was leveraged in IOSurface, which allowed code running as a user (thanks to the font issue) to gain system access. The result was full root on the device.
Several experts took notice that Apple didn’t patch OS X against the same issues, which is curious given the attack vector is expected to work on that platform just as well as it does on iOS.
It is interesting to note that Apple patched the flaws in iOS 4 just 10 days after they were made public on jailbreakme.com. Due to that, Apple has proven it can ship security fixes in record time -- yet no one is willing to bet this is a consistent theme for the software and pop culture giant.
Meanwhile, users of the first-generation iPhone and iPad Touch were left shafted by Apple, as there was no patch for early adopters. The good news is that the jailbreaking community as a whole responded to this slight. Jay Freeman, known for the creation of Cydia, which is used on millions of jailbroken devices, started testing a Cydia package recently that patches the earlier iOS versions.
“If you still use an iPhone 2G or iPod Touch 1G, Apple will not update your device. You now need to jailbreak to secure yourself,” Freeman posted in a message to the 95,000 people who follow him on Twitter.
So what about the attacks and the coming stream of Malware for the iPhone and iPad, thanks to the exploit code being published? Well, if you are worried about attacks, simply don’t jailbreak your device.
Jailbreaking an iPad or iPhone is legal. Advocates of jailbreaking are correct in the notion that given the fact the consumer purchased their device legally, they should be allowed to do what they want with it. This includes removing restrictions placed on carrier and installed applications.
At the same time, if you jailbreak an iPhone, you need to assume all the risks as well as rewards. While you can install anything you want on your newly jailbroken device, you risk having it turned into an expensive paperweight if a forced update from Apple bricks it. If that happens, there is no warranty, and Apple will do nothing to support you.
Also, you risk malicious applications finding their way onto the device, given that many of the security precautions have been removed. Moreover, there have been previous attacks on jailbroken devices that take advantage of the root password that remained in its default state.
Yet, jailbroken Apple devices are not the only ones at risk. The Android platform, available on several carriers and devices, which needs no jailbreak to install any one of the hundreds of thousands of applications developed for it, has been targeted by criminals.
Just this week, it was confirmed there is Malware circulating for Android. The point being that jailbreaking your device does not invite attacks, and it doesn’t mean you will be instantly attacked. Attacks can come from anywhere.
Keep in mind the exploits used on jailbreakme.com required that a non-jailbroken Apple device be directed to the site, so jailbreaking doesn’t mean insecurity, nor does keeping factory settings assure total security.
The key for jailbreaking is to understand what it is you are doing, knowing the risks involved, and choosing to jailbreak your device anyway.
Don’t let fear stop you from taking full advantage of what an unlocked iPhone or iPad can do for you. Just remember there will always be risks, but if they are acceptable ones, you’ve nothing to worry about.
[This editorial is the opinion of Steve Ragan, and not necessarily those of the staff of The Tech Herald or the Monsters and Critics (M&C) network. Comments can be left below or sent to firstname.lastname@example.org]