Thursday, 8 May 2014

Jailbreaking and BYOD

By Marcin Lukow of Appear Networks

With an increasing acceptance of BYOD (bring your own device) there is growing scope for conflict between personal freedom and corporate responsibility.

According to recent statistics, 23 million mobile devices currently in use are jailbroken and the number of users deciding to use an alternative to Apple’s App Store is constantly growing. Every release of a new Apple device brings up the topic of jailbreaking in the context of security. It is next to impossible not to at least hear about the process, but what exactly is a jailbreak?

In 2007 a group of engineers called the iPhone Dev Team, as a reaction to Apple’s hermetic software ecosystem, released a tool which made it possible to install third-party applications on the first iPhone – i.e. applications not approved by Apple and not bought via the Apple App Store.

The tool took advantage of a security flaw in the iPhone’s operating system (iPhoneOS, renamed iOS with the launch of the iPad) which allowed it to run with far greater rights than it should have been able to (a privilege escalation attack). It then used these rights to break out of a BSD jail – the system the iPhone used to stop applications gaining full control of the device. It was this that gave the name to the process. Other ecosystems use different names for doing the same thing - on Android it is called “rooting”.

Since then Apple has made a constant effort to improve the security of their operating system in order to make jailbreaking impossible. However, hackers have kept pace and new releases of iOS are quickly followed by new versions of jailbreaking tools. It took just 3 months for iOS 7 to get cracked.

For most people Apple’s App Store is a sufficient source of applications. However, some users do not like being limited by Apples’s strict policies of what software can be installed or what preferences can be changed on their mobile phones. There are unofficial applications that mimic the Android home screen, blacklist unwanted phone calls, enable tethering without carrier consent or give access to hidden settings that allow users to customize their iPhone experience far beyond Apple’s intentions.

In 2010, as part of their review of the Digital MillenniumCopyright Act the U.S. Copyright Office introduced an exemption for thejailbreaking of smart phones – essentially making it legal (a corresponding EUdirective was published in 1991). This provided users with an additional incentive for unlocking their devices but does legal and fun mean safe?

The probability of a user installing a malicious program from an unverified supplier is much higher than when using the official Apple App Store. A good illustration of the risk is an example of data protection. One of the file security modes on the iPhone is to protect the data until the device is unlocked using a PIN code. It would be unfeasible to brute force PINs using the standard login screen because the device gets wiped after a certain number of failed attempts. However, it is possible to programmatically check all 9999 combinations by bypassing the login screen and using a private API (application programming interface). Use of this is prohibited by the Apple App Store rules. 

Although there are cases where such applications have been accidentally accepted on the Apple App Store, they are quickly pulled when the concealed functionality is discovered. Users installing apps from outside of the App Store have no such protection.

Another more sophisticated, yet equally viable example is a hidden process running in the background of the device and sending sensitive data to unauthorized third parties. Preventing this might be essential in a BYOD situation where sensitive business data has to be distributed to employees. One possible solution would be to encrypt the data independently of the operating system, but with a jailbroken device it cannot be assumed that the encryption functions have not been replaced with malicious counterfeits or that the encrypted files will not be transferred to a much more powerful computer and decrypted anyway. 

The risk persists even if a jailbroken device itself does not store the data but has access to a corporate network. Using commonly available tools it is possible to turn such devices into "sniffers" to provide hackers with confidential and potentially useful information about the network infrastructure.

Unsurprisingly security is the first and most important point cited by Apple with regard to unauthorized modifications – although one might assume they are also concerned about losing App Store revenue. Jailbreaking tools have been made extremely easy to use and even casual users are just a few clicks away from breaking open their devices. After cracking it is not possible to install official updates without removing the jailbreak, which means that vulnerabilities used to break into the system remain unpatched. Some tools used to crack into the iOS also close the security holes but this is not always the case, leaving the device open to further attacks.

The question arises of whether there is something that can be done to mitigate the risk of jailbreaking in a BYOD scenario. The most obvious defence is to prevent jailbroken devices from accessing sensitive data. There are mobile device management systems (MDMs) that try to detect whether the devices they are managing have been jailbroken or rooted, but they are not 100% accurate. There are even countermeasures that be applied to a jailbroken device to make it appear legitimate to an MDM (jailbreak jammers).

A more effective approach, as with many security issues, is to address user behaviour directly. Jailbreaking can be discouraged by raising security awareness among users and pointing out that the risks significantly outweigh the benefits – especially since many of the desired Apps or changes find their way into an official version sooner or later.  It is also important, if possible, to keep up to date with the new versions of the operating systems and install them as soon as they get released. It does not render the devices jailbreak-proof and it can sometimes introduce minor problems, but it definitely makes it more difficult for hackers.

1 comment: