Managing Jailbreak
Threats on iOS
Enterprise Mobile Security
WHITEPAPER
I. Introduction
Apple strongly discourages iOS users from jailbreaking
their devices, and for good reason: the practice can impair
key device functionality, such as OS upgrades, and can also
introduce significant security risks, such as the ability to
download and execute unvetted and potentially malicious
applications.
Nonetheless, many people ignore these risks and jailbreak
their devices to unlock capabilities or content that Apple
otherwise prohibits on iOS. A range of free tools and
tutorials have made jailbreaking widely accessible, even to
non-technical users. Consequently, an estimated 7.5% of all
iPhones, more than 30 million devices worldwide, are
jailbroken. Jailbreaking is especially prevalent in China, where
an estimated 13% of all iPhones are jailbroken. [1]
Jailbreaking entails removing restrictions on iOS by modifying
the system kernel to allow read and write access to the file
system. This form of administrative privilege escalation permits
custom software installation and device behavior modification.
While Apple diligently patches new jailbreak vulnerabilities,
it’s a constant game of Whac-A-Mole, with the jailbreaking
community racing to find new vulnerabilities whenever Apple
releases iOS upgrades. A well-known jailbreak developer, for
example, recently jailbroke a beta version of one of the latest
iOS versions (8.4) within six days of its release. [2]
Today most jailbreak-detection methods rely on client-side
tests that the jailbreaking community has unfortunately
managed to reverse-engineer and evade.
This whitepaper provides an overview of the jailbreaking
process and its security risks and highlights Lookout’s unique
and innovative approach to managing this security threat on
iOS devices.
“Jailbreakers can easily avoid detection using free tools such
as xCon [3] or FLEX [4] that fool standard jailbreak detection
tests.”
II. The Path to Jailbreaking
Motivation
A wide variety of Apple-restricted iOS customizations and
content might motivate a user to jailbreak their device, such as:
- Enabling app multitasking with split-screen views
- Locking individual apps with Touch ID
- Creating mobile wi-fi hotspots without paying additional
carrier charges
- Unlocking the phone to use the device internationally or
with other carriers
- Installing surveillanceware on a partner’s device to track
their communications or location
- Consuming pirated music or video
- Downloading apps from third-party app sources, such as
Cydia or Lima
- Downloading pirated apps from app repositories, such as
Hackulous
[1] “‘WireLurker’ Malware May Have Infected 100,000+ iPhones, No Jailbreak Required”. DailyTech, November 2014.
http://www.dailytech.com/WireLurker+Malware+May+Have+Infected+100000+iPhones+No+Jailbreak+Required/article36850.htm
[2] “Android Wear Update Takes Aim at Apple Watch”. GottaBeMobile, April 2015. http://www.gottabemobile.com/2015/04/22/android-wear-update-takes-aim-at-apple-watch/
[3] xCon entry on TheiPhoneWiki.com: https://theiphonewiki.com/wiki/XCon
[4] FLEX forum thread: http://www.sinfuliphone.com/showthread.php?t=10032183
Process
All jailbreaks exploit iOS vulnerabilities to either bypass,
disable or patch the signature checks that run when an
iOS device boots to ensure it loads only Apple-approved
software. One of the most popular sources of non-Apple-approved
software is Cydia, an app that helps users find and
download software for their jailbroken iOS devices. While the
technical mechanisms behind each jailbreak technique remain
complex, the end-user experience today is relatively simple
due to tools that largely automate the jailbreaking process.
Popular jailbreaking tools include Absinthe, blackra1n, Corona,
evasi0n, greenpois0n, JailbreakMe, limera1n, Pangu, PwnageTool,
redsn0w, sn0wbreeze, Spirit and TaiG.
Given their dependence on specific iOS vulnerabilities, each
jailbreaking tool typically works on only a limited range of iOS
versions and devices. The evasi0n tool, for example, which
helped jailbreak over 7 million iOS devices in 2013, [5] works
for iOS 6.0-6.1.2 and 7.0-7.0.6 (using evasi0n7). More recent
tools include TaiG, used to jailbreak iOS 8.0-8.1.2, and Pangu,
whose latest version, Pangu8, can jailbreak iOS 8.0-8.1.
In the early days of iOS, many jailbreak techniques could not
survive device reboots. These so-called “tethered jailbreaks”
required users to connect the device to a computer if they wanted
to reboot it in a jailbroken state. Most modern jailbreak tools
(e.g. evasi0n, TaiG and Pangu) are “untethered”, however, and
allow devices to independently reboot in a jailbroken state.
The automation provided by these tools has put jailbreaking
within the technical reach of most iOS users and reduced
jailbreak processing time to a matter of minutes. Most modern
jailbreak tools require users to take only the following steps:
1. Manually verify the iOS version (via Settings >
General > About > Version)
2. Back up device data (an optional precaution)
3. Manually enable or disable a few basic device
settings (e.g. turn off the device passcode)
4. Download the jailbreak software to a computer
5. Connect the device to the computer via USB, open
the jailbreak app, and run it
6. Wait for the device to automatically reboot
Jailbreak Detection Evasion
The enterprise security risks posed by jailbreaking compound
in the face of tools (e.g. xCon and FLEX) that help users
easily evade common jailbreak detection methods. A user can
download xCon, for example, directly from the third-party app
store Cydia.
Mobile device management (MDM) services provide
jailbreak detection, as do many media and financial service
apps that want to limit content piracy and account
compromise, respectively. Unfortunately, these jailbreak
detections rely on a combination of relatively straightforward
and evadable tests, such as:
- Checking for files or directories common to jailbroken
devices, such as Cydia
- Checking for elevated directory permissions
(i.e. more directories with “write” permission)
- Checking to see if an app can successfully write files
outside of its sandbox
The fundamental limitation with these and comparable detection
tests is that, as client-side tests, they execute on a device the
user already controls, so they can be accessed, reverse-engineered,
and evaded. In addition, the apps
performing these jailbreak detection tests (e.g. the MDM app)
must go through Apple’s app review process, limiting the scope
of data they can collect to analyze a device’s jailbreak status.
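As an added illustration (example code written for this edit, not Lookout’s, an MDM vendor’s or xCon’s code), the three client-side tests above implemented as Python functions. The device root is passed in as a parameter so the checks can run against a constructed directory tree rather than a real device; on iOS the same probes would be issued from the app’s Objective-C or Swift code through the POSIX file APIs. The second half sketches why the tests are evadable: a hook that swaps out the process’s own file APIs, which is the mechanism tweaks such as xCon depend on. The artifact list beyond Cydia and MobileSubstrate, the directory names and the hook itself are assumptions of the example.

```python
import builtins
import os
import tempfile
from contextlib import contextmanager
from dataclasses import dataclass, field

# Artifacts client-side checks look for, relative to the device root. Cydia and
# MobileSubstrate are named in the text; sshd, apt and bash are typical jailbreak
# packages and are this example's assumption.
KNOWN_JAILBREAK_PATHS = [
    "Applications/Cydia.app",
    "Library/MobileSubstrate/MobileSubstrate.dylib",
    "usr/sbin/sshd",
    "etc/apt",
    "bin/bash",
]
# System directories a sandboxed app on a stock device cannot write to.
PROTECTED_DIRS = ["private", "Applications", "usr"]


@dataclass
class JailbreakReport:
    found_paths: list = field(default_factory=list)
    writable_dirs: list = field(default_factory=list)
    escaped_sandbox: bool = False

    @property
    def jailbroken(self) -> bool:
        return bool(self.found_paths or self.writable_dirs or self.escaped_sandbox)


def check_known_paths(root: str) -> list:
    """Test 1: files or directories common to jailbroken devices."""
    return [p for p in KNOWN_JAILBREAK_PATHS if os.path.exists(os.path.join(root, p))]


def check_dir_permissions(root: str) -> list:
    """Test 2: system directories that report themselves as writable."""
    return [d for d in PROTECTED_DIRS if os.access(os.path.join(root, d), os.W_OK)]


def check_sandbox_escape(root: str) -> bool:
    """Test 3: try to create a file outside the app sandbox, then clean up."""
    probe = os.path.join(root, "private", "jb_probe.txt")
    try:
        with open(probe, "w") as fh:
            fh.write("probe\n")
    except OSError:
        return False
    os.remove(probe)
    return True


def detect_jailbreak(root: str = "/") -> JailbreakReport:
    return JailbreakReport(
        found_paths=check_known_paths(root),
        writable_dirs=check_dir_permissions(root),
        escaped_sandbox=check_sandbox_escape(root),
    )


def build_constructed_root(jailbroken: bool) -> str:
    """Constructed stand-in for a device root in a temp dir (test data, not a device image).
    Directory permission bits stand in for the iOS sandbox, which is the real control."""
    root = tempfile.mkdtemp(prefix="ios-root-")
    for d in PROTECTED_DIRS:
        os.makedirs(os.path.join(root, d))
    if jailbroken:
        os.makedirs(os.path.join(root, "Applications", "Cydia.app"))
        os.makedirs(os.path.join(root, "Library", "MobileSubstrate"))
        open(os.path.join(root, "Library", "MobileSubstrate", "MobileSubstrate.dylib"), "w").close()
    return root


@contextmanager
def hook_filesystem_apis(root: str):
    """Sketch of the evasion the text describes: a tweak replaces the process's file
    APIs so every probe sees a stock device. Illustrates the mechanism only."""
    real_exists, real_access, real_open = os.path.exists, os.access, builtins.open
    hidden = {os.path.join(root, p) for p in KNOWN_JAILBREAK_PATHS}
    protected = tuple(os.path.join(root, d) for d in PROTECTED_DIRS)

    def fake_exists(path):
        return False if str(path) in hidden else real_exists(path)

    def fake_access(path, mode, **kwargs):
        if mode & os.W_OK and str(path).startswith(protected):
            return False
        return real_access(path, mode, **kwargs)

    def fake_open(file, mode="r", *args, **kwargs):
        if "w" in mode and str(file).startswith(protected):
            raise PermissionError(f"{file}: Operation not permitted")
        return real_open(file, mode, *args, **kwargs)

    os.path.exists, os.access, builtins.open = fake_exists, fake_access, fake_open
    try:
        yield
    finally:
        os.path.exists, os.access, builtins.open = real_exists, real_access, real_open


if __name__ == "__main__":
    device = build_constructed_root(jailbroken=True)
    print("unhooked:", detect_jailbreak(device))
    with hook_filesystem_apis(device):
        print("hooked:  ", detect_jailbreak(device))
```

The point to take from running it is the second line: with the hook installed, the same three tests return a clean verdict for the same jailbroken tree. Nothing in the app’s own process can tell the difference, which is the limitation the text describes.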
[5] “Evasi0n Is The Most Popular Jailbreak Ever: Nearly Seven Million iOS Devices Hacked In Four Days”. Forbes, February 2013.
http://www.forbes.com/sites/andygreenberg/2013/02/08/evasi0n-is-the-most-popular-jailbreak-ever-nearly-seven-million-ios-deviceshacked-in-four-days
III. The Jailbreaking Threat
Apps on Jailbroken Devices
Jailbroken devices create a major enterprise risk given their
ability to run apps developed outside of Apple’s review,
which may be malicious or contain vulnerabilities.
Jailbreaking removes the normal signing certificate checks
that prevent these apps from executing and gives them
unrestricted access to the device, including the ability to
use undocumented APIs that Apple otherwise prohibits.
These private APIs can empower apps with a wide range of
dangerous capabilities on jailbroken devices, such as the
ability to install or launch additional code or collect location
data without notification.
When attackers target jailbroken iOS devices with malware,
they often distribute these threats through third-party app
marketplaces and software repositories that have minimal to
non-existent app vetting policies. Surveillanceware, a type
of malware that conducts comprehensive data collection on
compromised devices, represents one of the greatest app-based
threats to jailbroken iOS devices. Most documented
iOS surveillanceware to date has specifically targeted
jailbroken devices, including the recently discovered
XAgent threat. [6]
OS Vulnerabilities
Jailbroken devices can also introduce enterprise security risk
by creating new OS vulnerabilities that attackers can exploit,
such as:
- The escalated privileges provided by jailbreaking are an open
door that attackers can also exploit to insert or extract files
from the file system, as happened with the Xsser mRAT trojan.
- Some jailbreaking methods leave SSH enabled with a
well-known default password (e.g. alpine) that attackers
can use for command-and-control purposes unless the user
has changed it. [7]
- Apps on a jailbroken device can run with escalated
privileges and can access sensitive data belonging to
other apps, enabling widespread device surveillance by
an attacker who could steal credentials by installing a
keystroke logger on the device.
[6] “iOS spyware steals texts, photos, contacts, switches on voice recorder”. ZDNet, February 2015.
http://www.zdnet.com/article/ios-spyware-steals-texts-photos-contacts-switches-on-voice-recorder/
[7] “First iPhone worm discovered - ikee changes wallpaper to Rick Astley photo”. Naked Security Blog by Sophos, November 2009.
https://nakedsecurity.sophos.com/2009/11/08/iphone-worm-discovered-wallpaper-rick-astley-photo/
1-888-988-5795 | lookout.com
© 2016 Lookout, Inc. All rights reserved. Lookout, the Shield Logo, and Everything is OK are registered trademarks of Lookout, Inc. All other brand and product names
are trademarks or registered trademarks of their respective holders. 20161026-Lookout-USv2.2
IV. Lookout’s Approach to Jailbreak Protection
[Figure: firmware fingerprint of an iPhone 6 running iOS 8.1, assembled from device telemetry]
To better detect compromised operating systems on iOS
devices, the Lookout Security Platform collects a range of
device security telemetry to form a digital firmware
fingerprint of each device. This security telemetry includes
a range of OS file metadata, such as file size, and also OS
configuration data, such as build properties.
After collecting this data, the platform re-assembles it
in the cloud to form a device OS fingerprint. It correlates
the various data points of this fingerprint against Lookout’s
mobile intelligence dataset to identify when a device is
vulnerable or has been compromised through jailbreak,
predicting device risk based on anomalies or correlations
to known signals of compromise.
[Figure: fingerprints from iOS 8.1 and iOS 8.1.1 devices clustered against known-good firmware; one anomalous firmware fingerprint is flagged as jailbroken]
Through this unique approach Lookout can offer more
comprehensive jailbreak detection thanks to two key
differentiators: first, Lookout distributes its iOS security app
using enterprise provisioning, enabling Lookout’s iOS app to
analyze a much wider range of security telemetry to assess
a device’s jailbreak status. Second, Lookout analyzes this
security telemetry in the cloud, which makes it
substantially more difficult for attackers to reverse-engineer
and evade with tools like xCon, as it would require them to
mimic every single security signal of a legitimate device, as
opposed to avoiding a specific client-side test.
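As an added example of the cloud-side half of the approach described in this section (illustrative code written for this edit, not Lookout’s platform code; the telemetry schema, the file list and sizes, the build identifiers and the signal table are constructed assumptions), a device report carrying file sizes and build properties is canonicalised into a fingerprint and diffed against a known-good baseline for its (model, build). Unexpected files, size changes to system files such as the kernelcache, and build/version inconsistencies are raised as anomalies and correlated against a small table of known compromise signals. The baseline also records which public jailbreaks cover that build, following the text (TaiG: iOS 8.0-8.1.2, Pangu8: iOS 8.0-8.1), so a device with a clean fingerprint can still be reported as vulnerable.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Known-good firmware fingerprints keyed by (device model, iOS build). The file
# paths, sizes and build strings are constructed sample values, not Apple's.
BASELINES = {
    ("iPhone7,2", "12B411"): {
        "ProductVersion": "8.1",
        "public_jailbreaks": ["Pangu8", "TaiG"],
        "files": {
            "/System/Library/Caches/com.apple.kernelcaches/kernelcache": 10_485_760,
            "/sbin/launchd": 262_144,
            "/usr/lib/libSystem.B.dylib": 3_276_800,
        },
    },
    ("iPhone7,2", "12B435"): {
        "ProductVersion": "8.1.1",
        "public_jailbreaks": ["TaiG"],
        "files": {
            "/System/Library/Caches/com.apple.kernelcaches/kernelcache": 10_490_880,
            "/sbin/launchd": 262_144,
            "/usr/lib/libSystem.B.dylib": 3_280_896,
        },
    },
}

# Anomalies that correlate with known signals of compromise (assumed table).
KNOWN_SIGNALS = {
    "/Applications/Cydia.app": "Cydia package manager present",
    "/Library/MobileSubstrate/": "MobileSubstrate code injection present",
    "/usr/sbin/sshd": "SSH daemon present (default root password risk)",
}


@dataclass
class Assessment:
    verdict: str  # "clean", "compromised" or "unknown-baseline"
    fingerprint: str
    vulnerable_to: list = field(default_factory=list)
    unexpected_files: list = field(default_factory=list)
    size_mismatches: list = field(default_factory=list)
    missing_files: list = field(default_factory=list)
    build_inconsistent: bool = False
    matched_signals: list = field(default_factory=list)


def fingerprint(telemetry: dict) -> str:
    """Digest of canonicalised telemetry: identical device states hash identically."""
    canonical = json.dumps(telemetry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def assess(telemetry: dict) -> Assessment:
    """Server-side correlation of one device's report against the baseline for its build."""
    fp = fingerprint(telemetry)
    baseline = BASELINES.get((telemetry["model"], telemetry["build"]))
    if baseline is None:
        return Assessment("unknown-baseline", fp)
    reported, expected = telemetry["files"], baseline["files"]
    a = Assessment("clean", fp, vulnerable_to=list(baseline["public_jailbreaks"]))
    a.unexpected_files = sorted(set(reported) - set(expected))
    a.missing_files = sorted(set(expected) - set(reported))
    a.size_mismatches = sorted(p for p in expected if p in reported and reported[p] != expected[p])
    a.build_inconsistent = telemetry.get("version") != baseline["ProductVersion"]
    a.matched_signals = sorted({
        label for prefix, label in KNOWN_SIGNALS.items()
        for p in a.unexpected_files if p.startswith(prefix)
    })
    if a.unexpected_files or a.missing_files or a.size_mismatches or a.build_inconsistent:
        a.verdict = "compromised"
    return a


def sample_telemetry(jailbroken: bool) -> dict:
    """Constructed device reports: a stock iPhone 6 on iOS 8.1.1, and the same device
    after an untethered jailbreak (patched kernelcache, Cydia and MobileSubstrate added)."""
    report = {
        "model": "iPhone7,2",
        "build": "12B435",
        "version": "8.1.1",
        "files": dict(BASELINES[("iPhone7,2", "12B435")]["files"]),
    }
    if jailbroken:
        report["files"]["/System/Library/Caches/com.apple.kernelcaches/kernelcache"] += 4_096
        report["files"]["/Applications/Cydia.app/Cydia"] = 1_048_576
        report["files"]["/Library/MobileSubstrate/MobileSubstrate.dylib"] = 65_536
    return report


if __name__ == "__main__":
    for jb in (False, True):
        print(assess(sample_telemetry(jb)))
```

Because the comparison happens off the device against the whole report, hooking one file-existence call no longer helps: the collector would have to fabricate a complete, internally consistent report for a stock device of that exact build. The remaining weak point is the collector itself, which is why the text pairs cloud analysis with a wider telemetry set gathered under enterprise provisioning.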