A tireless collaborative effort by the iOS Jailbreak Dream Team (a group comprised of members from the Chronic-Dev Team and the iPhone Dev Team) has yielded Absinthe 2.0--a jailbreak utility for iOS 5.1.1. While some appreciate being able to break out of Apple’s “walled garden”, the fact that iOS devices can be rooted poses a significant security risk.
A press release for Absinthe 2.0 explains the concept of jailbreaking: “iOS jailbreaking, or simply jailbreaking, is the process of removing the limitations imposed by Apple on devices running the iOS operating system through use of custom security exploits. Jailbreaking allows users to gain elevated access to the operating system. Consequently it also allows users to download additional applications, extensions and themes that are unavailable through the official Apple App Store.”
Those who choose to jailbreak their own iOS devices to get around Apple restrictions or limitations do so with conscious intent and understand the risks involved. A jailbroken iOS device is also able to install apps from outside of the Apple App Store which have not been vetted by Apple and could contain malicious code. Apple will not support jailbroken devices, so you’re on your own.
When it comes to company-issued devices, though, or personal gadgets that are used for work purposes with the current BYOD (Bring Your Own Device) trend, IT admins need to be concerned about jailbroken devices. Jailbroken iOS devices can be a significant security concern.
iOS itself is relatively secure--that is if you ignore how easy it seems to be for developers to root the OS. However, once it’s jailbroken all bets are off. Once you take down the wall, iOS is exposed to potential exploits.
Webroot Threat Research Analyst Armando Orozco explains, “The iPhone is susceptible to vulnerabilities just like other operating systems. A malware author could exploit Webkit and target users in some form of social engineering like a malicious link in a email or SMS.”
Andrew Storms, director of security operations for nCircle, offers an alternate perspective. Storms suggests that devices that aren’t jailbroken come with their own unique security concerns.
Storms says, “The real security risk is the false sense of security users get from vendor approved app stores. These stores create a false sense of safety so users drop their guard. Losing a healthy sense of paranoia is the first step to being phished.”
At least Absinthe 2.0 takes some conscious intent and user interaction to jailbreak an iOS device. However, there have been jailbreaks in the past that could root iOS just by visiting a website. A malicious developer could leverage a jailbreak like JailBreakMe to root a device with a simple phishing attack, and potentially install malicious apps without the user’s knowledge.
Brian Duckering, Senior Manager for Symantec’s Enterprise Mobility Group, cautions, “There is likely not much an enterprise can do to prevent a user from jailbreaking an iPhone, but there are tools--such as MDM [Mobile Device Management] and MAM [Mobile Application Management]--that can help organizations prevent jailbroken devices from connecting to corporate resources.”