JailbreakMe 3.0 and the iOS PDF Flaw: Protect Your Business
The cat-and-mouse game between Apple and those who would "liberate" its iOS devices is back on after Wednesday's launch of JailbreakMe 3.0, a website that hacks iPhones, iPod Touches, and iPads to allow software unapproved and undistributed by Apple onto the devices.
The site is the first "jailbreak" that includes support for the iPad 2, and offers an "untethered" jailbreak, meaning that devices hacked via the site don't have to be connected to a computer to boot up, unlike other "tethered" jailbreak options.
In response, Apple acknowledged vulnerabilities in iOS and announced that it is working on a fix for those holes, which are present in versions of the mobile operating system up to and including the current iOS version 4.3.3.
More troubling still for iOS users, Germany's Federal Office for Information Security Wednesday posted an alert in which it said iOS has security flaws that can be used with a specially-crafted PDF to steal personal data and even have access to the phone's built-in camera, phone, and GPS functionality. It's exactly this kind of PDF flaw that makes JailbreakMe possible.
Coming just days after security software vendor Symantec released a report calling iOS more secure than Android in theory, businesses can be excused for being confused over security on mobile devices.
Avoiding the PDF Bug
It's important to note that to date, there have been no in-the-wild examples of the PDF flaw being exploited, aside from JailbreakMe. However, until there's an iOS update that deals with the potential nightmare of malicious third parties getting unfettered access to sensitive corporate data on iOS devices, there are some common-sense steps to take.
The bug concerns how fonts in PDF documents are handled in the Safari Web browser on iOS devices. In other words: A PDF document must be opened via Safari on the device for the attack to be executed.
Until there's a fix in from Apple, it would be wise to make sure those using iOS devices in your business are aware of this flaw and how to mitigate the risk. A reasonable policy would be to be wary of opening PDFs on the device--a more severe approach would be to outlaw using iOS devices for PDF files at all until further notice.
But it's important to note that the bug only pertains to the Safari Web browser--PDFs sent by mail and opened in a specific app capable of reading the file are not vulnerable in the same way. If your users can be trained in this difference and to recognize the danger signs, they should still be fine firing up PDF files in their favorite app.
But beyond avoiding PDF files, the flaw and the launch of JailbreakMe 3.0 bring back the ongoing debate of whether or not to jailbreak iOS devices. It's tempting, especially on personal devices, because of the range of software and capabilities not otherwise available through Apple-approved channels.
The Problem With Jailbreaking
But for the vast majority of businesses, the risks of jailbreaking the device far outweighs any potential personal benefits. There's the risk of accessing software that's from unknown and potentially untrusted sources. There's the risk of being unsupported: when devices are brought in for service, Apple checks for the software footprints of a jailbreak, and will deny warranty support if it finds them.
And then there's the risk of lost stability and longevity. At best, users who jailbreak devices will be stuck with the choice of upgrading to newer versions of iOS and getting new features, functionality, and fixes, or sticking with the current operating system and keeping their jailbreak apps. At worst, users can risk making their iDevice unusable.
Either way, it represents a support and policy challenge for any business, and it's wise to make sure users on iOS devices know that the company expects them to steer clear of any jailbreaking activities, and the reasons for which that policy in place.
The (Potential) Good of Jailbreaking
While it's certainly a long shot to say that businesses should encourage or even allow Jailbreaking of devices that are going to be used on the corporate network, the JailbreakMe.com exploit does point out the speed advantages of having a broad, passionate and open community of developers supporting a device.
While Apple is still working on its patch for the flaws in its OS, one of the developers of JailbreakMe has posted a new piece of software, PDF Patcher 2, which fixes the troubling PDF hole. The kicker? It's only available to those who have jailbroken their devices and therefore have access to the unofficial Cydia app store, a collection of repositories for applications for jailbroken phones.
"Until Apple releases an update, jailbreaking will ironically be the best way to remain secure," the JailbreakMe site notes on its FAQ page.