One weekend, one million jailbreakers - what should Apple do next?

Last weekend, the loosely-knit coding collective known as Chronic Dev tweeted about the latest jailbreak tool for Apple's iDevices:

@chronicdevteam: Some stats since release of #Absinthe - 211,401 jailbroken iPad3's and 973,086 devices newly jailbroken!

Exciting news. (Exciting enough that I scarcely noticed, and almost forbore from mentioning, the misplaced apostrophe in the word iPad3s. Since no letter has been omitted, there's no place for an apostrophe.)

It's exciting not because there's a jailbreak for current devices running the current version of iOS. That's been possible for some time, as we reported nearly a month ago, back when iOS 5.1.1 first came out.

It's exciting because this is an untethered jailbreak. In jailbreak jargon, that means that your device retains its liberty even if you reboot it, and can freely be rebooted without plugging it into your PC or Mac first. The "tether" refers to the umbilical USB cord by which you physically interconnect your iDevice and your computer.

It's also exciting, or at least interesting and important, because the Absinthe untethered jailbreak tool was only released to the public two days before the abovementioned tweet.

Clearly, despite being banned by Apple, jailbreaking is considered useful by a small but significant minority of iDevice users.

And that raises the $64,000 security question, "Should you do it?"

The problem is that there's no simple answer to that question. Should you buy a pick-up truck or a sedan? A 32" or a 40" TV? A fridge-freezer with the freezer compartment at the top or the bottom? Should you say tomayto or tomarto?

If you're a sysadmin struggling with your organisation's Bring Your Own Device (BYOD) policy, you'll probably, and understandably, start off with a blanket ban on access to corporate resources from jailbroken devices.

There is more to go wrong - to be sure, the only successful self-replicating malware (i.e. true virus) for the iPhone, Ikee, relied on finding devices which had been jailbroken but not properly secured afterwards.

On the other hand, well-informed users who have jailbroken their devices needn't be less secure, and may even end up better off than those who haven't.

The jailbreaking community has a habit of offering security patches for the holes it found and rode in on, even for older iDevices which Apple itself is happy to leave out in the security wilderness.

Indeed, Apple won't let anyone - not even well-known and trusted security companies - write software which runs outside iOS's strictly-walled garden, and won't officially allow anyone to offer iOS software for download or update outside its own marketplace.

So, although you can buy The World's Most Popular Digital Fart Machine directly from Apple's website, you can't even build, let alone distribute, a proper, preventative anti-virus solution for your iPhone or your iPad.

There's no Apple-endorsed way for ISVs (independent software vendors) to research, develop and publish low-level security add-ons such as kernel drivers.

In short, independent security innovation for iDevices is pretty much off the agenda - except in the jailbreaking community.

Ironic? I think so.

For me, the question isn't whether jailbreaking should be legal. (I simply can't think of a way to argue that jailbreaking could reasonably be made unlawful, so for me this question ought not even to arise.)

It's whether or not Apple would benefit both the community and itself by offering an official route to jailbreaking - a route which could form the basis of independent invention and innovation in iDevice security by an interested minority.

What do you think? Vote in our poll:


24 Responses to One weekend, one million jailbreakers - what should Apple do next?

  1. iPad3 · 693 days ago

    The apostrophe placement in iPad3's is arguable. iPad3s could be a model designation, adding the apostrophe makes it clear it's a plural, although context alone should probably indicate that. The Chicago Manual of Style instructs to use the apostrophe to form the plural of an abbreviation that combines upper and lowercase letters, which iPad3 does. So, iPad3's.

    How satisfying is it that the first comment is a grammar pedantry?

    • Paul Ducklin · 693 days ago

      Enormously satisfying!

      And both sides make good points - me, to eschew the apostrophe, and you, to suggest that adding it clarifies that this isn't a single iPad3S, but multiple examples of an iPad3.

      Of course, adding the pesky thing back inserts another ambiguity - that it's a possessive, leading the reader to await a noun which never comes.

      (Your CMofS injunction doesn't really apply here - there is no abbreviation :-)

      • WB1 · 693 days ago

        The easy way to fix this is say iPad3 devices. Then the trademarked name stays the way it was designed to be used.

        • Paul Ducklin · 693 days ago

          The real irony is that there isn't really anything called an iPad3. It's just an, errr, a new iPad.

  2. Pedant · 693 days ago

    > (Your CMofS injunction doesn't really apply here - there is no abbreviation :-)

    By your grammatical pedantry you have enveloped a statement within brackets. Removing the brackets leaves a non-sensical termination to the sentence. See below.

    Your CMofS injunction doesn't really apply here - there is no abbreviation :-

    What a shame!

    • Paul Ducklin · 693 days ago

      You seem to have assumed I wrote a smiley followed by a missing bracket.

      Perhaps that final bracket really IS a bracket, and the emoticon left behind when it is removed represents just the sort of tight-lipped look that a pedant might give when he (or she) has just finished being correct, but doesn't want to make an explicitly big deal out of it?

      :-

  3. Pedant · 693 days ago

    You've got me there! In fact, I think you should triumph in creating a new emoticon!

    ;-

  4. Guest · 693 days ago

    The reference to the iPhone worm, "relied on finding devices which had been jailbroken but not properly secured afterwards." is totally misleading and incorrect.

    It did not rely upon merely jailbroken hardware, but those who also went one step further and installed the OpenSSH package. If you know enough to be mucking about installing OpenSSH, then you should know enough to change default passwords.

    • Paul Ducklin · 693 days ago

      Perhaps if I had written "jailbroken and not properly secured afterwards" you would be happier?

      (I don't want to suggest that installing OpenSSH and not changing the root password is satisfactory behaviour. But you have to blame Apple at least in part, for shipping every iDevice with the same, six-character, dictionary password on the root account. If you know enough to be shipping a UNIX-derived OS to millions of people in return for financial reward, you should know enough to change default passwords :-)

  5. Bill Kreps · 693 days ago

    How humorous. This article talks about jail breaking the newest iPad, but so far the comments have focused on a grammatical item. I think there's a story in that. I'm not dissing the article, but these little diversions can be so much fun.

  6. Matt · 693 days ago

    In my opinion it's a clever move by Apple to neither support nor decry jailbreaking. A "grey area" if you will. By not embracing it they're able to provide a product that (forgive me) "just works".

    The moment you give people any kind of control over a device you open up the possibility for them to break it or make it work less efficiently. For the majority, the restrictions on iDevices make sense.

    The speed at which Apple devices are jailbroken these days is perhaps an indication that Apple don't see it as a threat, or they'd make it harder with every iOS revision.

    The cynic in me says Apple understand the market so well, that they know jailbreaking will attract the sort of person that wouldn't have bought an iDevice if they couldn't mess with it.

  7. Nigel · 693 days ago

    The rampant use of the apostrophe to denote a plural suggests that "iPad3's" is more likely a symptom of epidemic illiteracy than an indication that the writer has consulted the Chicago Manual of Style. Or, as Dave Barry has pointed out in his occasional "Mr. Language" column, the purpose of the apostrophe is (apparently) to alert the reader that an "s" is coming up.

    And while we're being pedantic..."preventative"? As in, what...that which "preventates"? Sorry, but I've never understood the logic behind that one.

    • "Preventative" logic depends on how you rel to the term. No, I'm not attempting to obfusc. Isn't English a wonderful language?

  8. Black A.M. · 693 days ago

    If you can pick up on an apostrophe there is no way we should skim over you referring to worm.ikee as a "true virus"

    • Paul Ducklin · 692 days ago

      You're right - there is no way we should skim over that. So let's reiterate it: the only true virus (that I am aware of) for the iPhone which has made it into the wild is the Ikee worm.

      Ikee relied on a listening SSH server, which itself required a jailbroken device.

      I say "true virus" to differentiate it from the modern metonymic use of the word "virus" to imply any sort of malware, including non-self-replicating malware.

      (And, yes, a worm is a virus. All worms are viruses. Not all viruses are worms - parasitic viruses, for example, infect existing host files. Worms are self-contained executable objects which, generally speaking, need only an existing filing system, not an existing file. Trust me. Defining worms and viruses as disjoint sets is a needless confusion best avoided. So take it as an axiom: {all worms} ⊂ {all viruses}.)

  9. asfonseca · 693 days ago

    I think jailbreaking should continue to be a legal activity. But that does not necessarily mean that a practice should be encouraged at all. Well, at least not for any type of user.

    And to assert that the practice of jailbreaking contributes to safety is a complete mistake.

    • Paul Ducklin · 692 days ago

      Currently, received wisdom seems to be that _not_ jailbreaking contributes to safety and thus that jailbreaking not only doesn't, but can't, improve your security posture.

      Yet every jailbreak that I'm aware of has relied on a security hole left behind by Apple - holes which weren't supposed to be there, and which have subsequently been fixed.

      Whether you like jailbreaking or not, there's certainly an existence proof that it can and has contributed to security...and, as I mentioned in the article, the jailbreakers have a history of publishing fixes where Apple won't, notably for "older" devices (sometimes just a year or two older) which have already fallen off Apple's own security radar.

      • asfonseca · 692 days ago

        Totally agree with jailbreak as a legal activity and as an incentive to improve the security of iOS.

        However, I think it irresponsible to recommend its unrestricted use by everyone. There is no guarantee of improvement in the security using jailbreak. Actually the opposite is true in most cases.

  10. Sean · 692 days ago

    Given that in Android space the ability to easily allow non-market applications (simply check the option...) has resulted in a proliferation of the most blatant kind of trojan apps, my opinion is that the current jailbreak scene is the best possible solution.

    As long as jailbreaking a device is not illegal - damn the DMCA etc. - I believe that the effort it takes to jailbreak ensures that cydia isn't overwhelmed with "Free angry birds space" premium SMS sending sucker bait.

    The folks jailbreaking the device for research, compatibility, or to be able to develop their own software to work on their own hardware without having to pay Apple a further tithe just to let them copy an ipa are able to.
    The great unwashed consumer public, who would like a sense of security in being able to play in the protected garden are well served.

  11. Sean · 692 days ago

    I DO think that the fruity corporation should work more closely with ISVs since it is in their interest to have some kind of fallback plan for when a remote collection of exploits (escape sandbox, elevate privilege, modify kernel, modify firmware) that make a jailbreak possible are actually used to own a bunch of iPhones from a website for nefarious purposes. jailbreakme.com was such a fun site to visit in apple stores :-)

    I have no comment about apostrophe's ;-)

  12. Mark · 692 days ago

    "For me, the question isn't whether jailbreaking should be legal. (I simply can't think of a way to argue that jailbreaking could reasonably be made unlawful, so for me this question ought not even to arise.)"

    That is a strange comment - When you purchase a unit you agree to abide by the terms, which clearly state you are not allowed to jailbreak. I am not arguing the "rightness" of the terms, just that they exist, which by definition means that jailbreaking is unlawful.

    • Sean · 691 days ago

      Not necessarily illegal. If you modify your dell desktop you may lose your support contract benefits, and the parts you insert won't be covered by warranty, or the whole system may not be covered, but there is no chance that it will be confiscated by law enforcement or that you will be arrested.
      Jailbreaking, on the other hand, may put you on the wrong side of the digital millennium copyright act in that you are circumventing a technological protection in the jurisdictions where this is in play.

      Breaching terms and conditions of use may result in a civil suit from the company. Much like ignoring an EULA. Breaching the DMCA in the states is a criminal offense resulting in criminal charges.

  13. domesi · 692 days ago

    At least for my iPod and iPad2 (no phone) I am dismayed that there are no protections against the evils out there. Of course there exists the fantasy that the Apple fathers built them so well that nothing could ever happen: hog wash. If I were a hacker, I'd be a good one and would focus on that fantasy to take over. Which brings me to my point: with an "authorized" jailbreak, patches would follow and we could then sleep better with a Norton-like program to protect us. Just my opinion, and I'm certainly no expert.

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog