ElcomSoft blog

«…Everything you wanted to know about password recovery, data decryption,
mobile & cloud forensics…»


Apple Warns Users against Jailbreaking iOS Devices: True or False?

July 2nd, 2018 by Oleg Afonin

Apple has an article on their official Web site warning users against jailbreaking iOS devices. The article “Unauthorized modification of iOS can cause security vulnerabilities, instability, shortened battery life, and other issues” is available at https://support.apple.com/en-us/HT201954. How much truth is in that article, and is jailbreaking as dangerous as Apple claims? We’ll comment on the article based on our extensive experience in jailbreaking more than a hundred devices running every version of iOS imaginable.

Security Vulnerabilities

Apple introduces the concept of jailbreaking by stating the following: “iOS is designed to be reliable and secure from the moment you turn on your device. Built-in security features protect against malware and viruses and help to secure access to personal information and corporate data. Unauthorized modifications to iOS (also known as “jailbreaking”) bypass security features and can cause numerous issues to the hacked iPhone, iPad, or iPod touch” (HT201954). According to Apple, jailbreaking introduces security vulnerabilities by “…eliminating security layers designed to protect your personal information and your iOS device.”

True. Jailbreaking is a process specifically designed to circumvent the security layers that protect information on iOS devices. In fact, this is exactly why we need a jailbreak for tools such as Elcomsoft iOS Forensic Toolkit to operate. Without a jailbreak, we would not be able to access the file system, extract sandboxed app data or decrypt the keychain (including items secured with the highest protection class). Installing a jailbreak, on the other hand, allows us to do all of that – and more.

What else can happen to your jailbroken device? According to Apple, “With this security removed from your iOS device, hackers may steal your personal information, damage your device, attack your network, or introduce malware, spyware, or viruses.” (HT201954)

True. Jailbreaking allows installing and running unsigned code such as apps and background services that can be used to “steal” your data (or rather “access” your data if we speak of law enforcement). After all, we use a custom SSH daemon to access suspects’ data when performing physical acquisition with iOS Forensic Toolkit, so we see nothing here that contradicts our experience.

Our take: Since jailbreaking is a process designed to bypass the system’s security features, it is unsurprising that a jailbroken device is significantly less secure than one without a jailbreak. How likely is this to happen? While users can install unsigned apps onto their jailbroken iOS devices, public jailbreaks obtained from reputable sources are unlikely to install stealthy malware. The last time something like that happened was in the iOS 9 era, and it received due publicity. Jailbreaks obtained from unofficial mirrors, on the other hand, “may have unexpected bonuses – in the form of Malware. You have been WARNED.” (source)

Instability

According to Apple, “Frequent and unexpected crashes of the device, crashes, and freezes of built-in apps and third-party apps, and loss of data” can happen to a jailbroken device.

True. With the release of iOS 9, Apple introduced a new security feature called Kernel Patch Protection, or KPP. KPP is designed to prevent jailbreaks by performing periodic (boot time and random) checks of read-execute and read-only memory in the kernel cache.

Since a jailbreak must patch kernel code to do its job, older jailbreaks attempted to disable KPP. However, disabling KPP cleanly proved very difficult, and a single random integrity check performed by a not-quite-disabled KPP would lock up the device, causing the cited instability, crashes and loss of data.

Another example of such instability would be the Pangu 9.0.2 jailbreak, which, being an untethered jailbreak (one that survives through reboots) attempts to race KPP early on during the boot sequence. Sometimes, KPP wins the race, causing a boot loop and requiring multiple reboots just to start the device. Technically speaking, it’s not a jailbreak freezing the device but Apple’s own jailbreak protection measures.

Apple is actively improving Kernel Patch Protection, making it much harder to defeat. For this reason, a new technique called KPPLess jailbreak has emerged. The KPPLess technique “modifies those components of the iOS operating system that are outside the purview of KPP and KTRR” (source). As a side effect, all KPPLess jailbreaks are semi-untethered, requiring users to manually launch the jailbreak app every time the iOS device is rebooted.
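To make the difference between the two approaches concrete, here is an added example (ours, not code from Apple, Pangu or any jailbreak project) that models KPP as a digest over a read-only region recorded at boot and re-checked at random intervals. A classic jailbreak patches a byte of kernel text and trips the next check; a KPPless-style modification rewrites a function pointer in writable data, which the checker does not cover, and survives. The region sizes, the FNV-1a digest, the fake instruction bytes and the function-pointer table are all assumptions for illustration; the real KPP runs with hardware support and uses its own mechanism, which this model does not reproduce.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a kernel cache (assumption: sizes and contents are made up):
 *   text - read-execute / read-only pages covered by the integrity check
 *   data - read-write pages outside the checker's purview                */
#define TEXT_SIZE 64
#define DATA_SIZE 16

typedef struct {
    uint8_t   text[TEXT_SIZE];
    uintptr_t data[DATA_SIZE];
    uint64_t  baseline;        /* digest of text recorded at boot */
} kernel_t;

/* FNV-1a 64-bit; stands in for whatever the real checker computes */
static uint64_t digest(const uint8_t *p, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Boot: fill the regions with constructed content and record the baseline */
static void kernel_boot(kernel_t *k) {
    for (size_t i = 0; i < TEXT_SIZE; i++)
        k->text[i] = (uint8_t)(0xD5 + i);            /* fake instruction bytes */
    for (size_t i = 0; i < DATA_SIZE; i++)
        k->data[i] = (uintptr_t)(0x1000 + 0x40 * i); /* fake function pointers */
    k->baseline = digest(k->text, TEXT_SIZE);
}

/* One integrity check: 1 = protected region intact, 0 = mismatch (panic) */
static int kpp_check(const kernel_t *k) {
    return digest(k->text, TEXT_SIZE) == k->baseline;
}

/* Classic jailbreak: overwrite an instruction in kernel text */
static void patch_text(kernel_t *k, size_t off, uint8_t value) {
    k->text[off] = value;
}

/* KPPless-style approach: redirect a writable function pointer instead */
static void hijack_data(kernel_t *k, size_t idx, uintptr_t target) {
    k->data[idx] = target;
}

/* Run n check ticks; return the tick of the first failure, or -1 if none */
static int run_checks(const kernel_t *k, int n) {
    for (int i = 0; i < n; i++)
        if (!kpp_check(k))
            return i;
    return -1;
}

/* mode 0: untouched kernel, 1: patch kernel text, 2: hijack writable data.
 * Returns 1 if a check fails within 10 ticks (device would panic), else 0. */
static int simulate(int mode) {
    kernel_t k;
    kernel_boot(&k);
    if (mode == 1)
        patch_text(&k, 5, 0x1F);        /* e.g. NOP out a permission check */
    else if (mode == 2)
        hijack_data(&k, 3, 0x4000);     /* e.g. point a hook at our own code */
    return run_checks(&k, 10) >= 0;
}

int main(void) {
    printf("clean kernel panics:      %d\n", simulate(0));
    printf("text patch panics:        %d\n", simulate(1));
    printf("data-only hijack panics:  %d\n", simulate(2));
    return 0;
}
```

The text patch is caught on the very first tick; the data-only modification is never seen by the checker, which is exactly the property KPPless jailbreaks rely on. Real KPP implementations choose check intervals unpredictably, so an "almost disabled" KPP in this model would be one where `run_checks` is skipped most of the time but still fires eventually.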

KPPLess jailbreaks are significantly more stable compared to jailbreaks that attempted to bypass KPP. While instabilities are still possible, they are more often caused by users installing unstable or incompatible mods than the jailbreak itself. However, even the latest jailbreaks mention something like “intermittent freezing issues that would affect certain devices on beta 10 -> 1.0.2”.

Our take: Jailbroken iOS devices are potentially less stable compared to unmodified ones.

Shortened Battery Life

“The hacked software has caused an accelerated battery drain that shortens the operation of an iPhone, iPad, or iPod touch on a single battery charge.” (HT201954)

We don’t quite understand the meaning of “has caused” here. A jailbreak per se is very unlikely to negatively affect battery life. However, third-party mods users install from Cydia may cause all kinds of issues, from instability to shortened battery life. The official Facebook app will probably drain your battery much faster than any jailbreak or mod could dream of.

Our take: The jailbreak itself is unlikely to cause battery drain, while incompatible mods easily can.

Unreliable Voice and Data

“Dropped calls, slow, or unreliable data connections, and delayed or inaccurate location data.” (HT201954)

True. We’ve tested several versions of jailbreaks that introduced these kinds of issues. More often than not, they are fixed in subsequent builds. The jailbreaking community acknowledges the issue; there is even a guide on how to Fix Cellular Data, iMessage After iOS 10 Jailbreak. Having said that, we have not experienced voice/data/GPS issues with recent iOS 11 jailbreaks.

Disruption of Services

“Services such as iCloud, iMessage, FaceTime, Apple Pay, Visual Voicemail, Weather, and Stocks, have been disrupted or no longer work on the device. Additionally, third-party apps that use the Apple Push Notification Service have had difficulty receiving notifications or received notifications that were intended for a different hacked device. Other push-based services such as iCloud and Exchange have experienced problems synchronizing data with their respective servers.” (HT201954)

We have no definite “yes” or “no” on this one, leaning towards “true”. While in the past jailbreaks could have caused the issues described in the above statement, no recent jailbreak is known to disrupt essential services. Of course, installing a bad or incompatible mod can easily break anything and everything in the system, including the push service stack, but a jailbreak itself is unlikely to cause such issues. We have seen problems playing back DRM-protected content on a jailbroken Apple TV, which may count towards “disruption of services”.

Inability to Apply Future Software Updates

“Some unauthorized modifications have caused damage to iOS that is not repairable. This can result in the hacked iPhone, iPad, or iPod touch becoming permanently inoperable when a future Apple-supplied iOS update is installed.” (HT201954)

True and False. Attempting to apply an Over-The-Air (OTA) update to a jailbroken device can result in the update failing, causing a boot loop or bricking the device altogether.

However, hard-bricking an Apple device is extremely difficult. In the worst case, users can restore their devices through Recovery Mode (more often than not without losing any data, although going from a jailbroken to a non-jailbroken state this way is likely to cause instabilities in day-to-day operation). And even if this fails, we have yet to see a jailbreak or failed OTA update that defeats DFU mode.

In other words, an OTA received on a jailbroken device by an inexperienced user (who should not be installing a jailbreak in the first place) is likely to cause problems, but none of them would be as permanent as Apple claims.

Jailbreaking Violates EULA

“It is important to note that unauthorized modification of iOS is a violation of the iOS end-user software license agreement and because of this, Apple may deny service for an iPhone, iPad, or iPod touch that has installed any unauthorized software.” (HT201954)

True. Jailbreaking violates Apple’s End-User License Agreement, and Apple may respond by denying warranty and out-of-warranty service. In our (limited) experience, Apple employees may turn a blind eye to devices that are jailbroken or used to be jailbroken. However, you may be in a different situation if caught jailbreaking and overclocking your device or tampering with thermal control values, causing damage to internal components due to overheating.

Other Issues: DRM Protected Content

We’ve also experienced some other issues that aren’t mentioned in Apple’s article. We’ve been recently testing a tvOS jailbreak on Apple TV 4, and experienced severe problems playing purchased content. In some cases there was sound but no video; sometimes playback wouldn’t start at all, and on several occasions we’ve seen a message notifying about an error playing DRM protected content. Considering the severity of the issue, we see little point in jailbreaking aTV devices other than for digital forensic and research purposes.

Conclusion

Apple’s “Unauthorized modification of iOS can cause security vulnerabilities, instability, shortened battery life, and other issues” document is mostly to the point, with a few caveats and one major exception. While we generally strongly advise against jailbreaking, we must also note that hard-bricking an iOS device is nearly impossible thanks to DFU mode, which can do wonders on devices that may otherwise look completely dead.

We’ve already discussed the pros and cons of jailbreaking for law enforcement personnel performing forensic analysis. While one can extract significantly more information out of a jailbroken device, there are also drawbacks associated with modifying the system partition.

Security researchers have no option but to jailbreak regardless of the associated drawbacks. Thanks to DFU mode, they can safely jailbreak devices and return them to a non-jailbroken state at any time. Previously saved SHSH blobs even enable rollbacks to earlier versions of iOS, including those that Apple no longer signs.

