Jailbreaking 101: A Closer Look at Roots and Jailbreaks
What is a Jailbreak?
Before we get into the details, let’s first talk about what a “jailbreak” of a device actually is (or “root,” as it’s known on Android). A jailbreak is a user-initiated exploit of a phone that puts the device in a compromised state. It’s important to emphasize that it’s the end user that exploits their own device, as opposed to a malicious third party attempting to gain access to the device through a network- or application-based exploit. The end user must run through some very specific steps – sometimes they aren’t difficult (as is the case with untethered jailbreaks where the end user usually navigates to a website), and sometimes they take a good deal of effort and technical knowledge when a root or jailbreak requires tethering to a computer. It’s worth noting, however, that once a device is jailbroken, the device is essentially stuck in time because updating to a newer version of the OS will almost always address the jailbreak and bring the device back into compliance.
Here are some common reasons that people decide to exploit their own device:
- Voice and Data Freedom. In the recent past (and still sometimes today), users have wanted the ability to change carriers on their devices, but weren’t able to because their carrier had locked their phone to only their SIM / network. For example, if someone wanted to pop in a local SIM while on vacation to avoid roaming charges, they couldn’t do it. Jailbreaking or rooting was one way to overcome these restrictions.
- App Freedom. End users may wish to deploy applications that haven’t undergone thorough app store vetting. In Apple’s case, unapproved or unsigned apps (apps not signed with an Apple developer cert) cannot run on iOS unless the operating system has been compromised. While Android is more liberal, users may still want to install apps that could do things the Android OS didn’t normally allow them to do. This led to the introduction of unofficial app stores like Cydia. In China, where Google services (and Google Play) are not supported, unofficial app stores are the only game in town.
- Customization. Users may want to create their own custom look and feel on a device that falls outside of what Google or Apple normally allow. This is more common on Android, and is often manifested in the installation of custom ROMs.
A cat and mouse game
In reality, jailbreaks are only very briefly available before they are addressed, and are targeted at a single version of code. That’s because Google and Apple are constantly addressing known and unknown vulnerabilities in new code releases – and, in Google’s case, in monthly security updates available for all late-model Android devices. Still, a smartphone is a very complex computing device, and vulnerabilities do occur in both the base operating system itself and in applications that run on the device (for instance, via an SMS application or WhatsApp).
There is an extremely motivated community of hackers working on exploits, and some very public and lucrative jailbreak bounties being offered. You can check out the current bounties on Zerodium’s website, but they start at $500,000 USD and can go as high as $2.5 million USD. Even Apple and Google pay bug bounties and exploit bounties; Apple recently announced a $1 million bug bounty at Black Hat – the first of its kind. They want to ensure they have the most secure operating systems ever, so the battle wages on, with both white and black hat hackers constantly probing for exploits.
In 2017, Google introduced Google Play Protect (GCP) to the Android operating system. GCP periodically monitors the device and applications, and it’s an extremely helpful tool, but companies that really want to protect against outside threats and zero-day exploits need to consider a dedicated threat defense platform.
Notable recent examples
In August 2019, Vice’s Motherboard reported an iOS 12.4 jailbreak made possible by a vulnerability that had been addressed in an earlier version of iOS but was accidentally reintroduced in version 12.4. There are also claims of successful jailbreaks of the still-in-beta iOS 13, which may have prompted Apple to release a beta 13.1 version of iOS. In a separate case, not to be confused with a jailbreak, Google recently published findings on several iOS vulnerabilities apparently used to target the Uyghur community in China. This is called a watering hole attack, in which iOS, Android, and Windows devices were exploited when they visited the affected websites. Although the topic is currently in the news, Apple patched the vulnerabilities that made this possible months ago in iOS version 12.1.4.
Do jailbreaks and roots put your company at risk?
Even if a user roots or jailbreaks a device just to put on a nifty screen saver, they are putting their organization at risk. Often a jailbreak will introduce hidden backdoors that malicious agents can access over the air, such as a root password reset to a value they know. Once root access is available on a device, it’s fair game – any stored passwords, access to the microphone and camera, business contacts, and the data that resides in company apps can be freely accessed. When a rooted or jailbroken device connects to the corporate network, attackers will have an excellent jumping-off point from which to explore the rest of your company’s networks. In short, you should never allow an employee to access any company data from a device that is compromised. Period. Hard stop.
How can your organization protect against jailbreaks?
- Attestation. This is a basic control on the device, available in an app that checks for compromises and jailbreaks. Although these can be sophisticated (as with the MobileIron Go or Mobile@Work clients), it’s often best to implement several tiers of defense against roots and jailbreaks.
- Version enforcement through MobileIron. Using MobileIron UEM, admins can mandate that company-owned devices update to a specific version of iOS or Android. Admins can also specify that any device, whether personally owned or company owned, must be running a minimum version of code before they can access company content. With MobileIron Access, this can even be extended to any third party cloud services that users may be accessing. Finally, devices that don’t meet the minimum mandated code versions can be prevented from ever enrolling into MobileIron Core or Cloud.
- MobileIron Threat Defense. Threat defense is key for customers that want to ensure their mobile devices have the most comprehensive level of protection. MTD has sophisticated jailbreak detections that go beyond what is available with device attestation, and it will also protect devices against exploits that, unlike jailbreaks, weren’t self-initiated, as well as network attacks, malware, and phishing. In fact, MTD was able to successfully detect this recent high-profile jailbreak on a fully updated Apple device.
Take the next step
If you’re interested in mitigating the risk of exploited devices to your organization, we’d recommend you take MobileIron for a test drive. Click here for a free 30-day trial of MobileIron Cloud. Want to take it a step further and protect against any vulnerability, including phishing, man-in-the-middle attacks, and malware? You may want to opt into MobileIron Threat Defense too. You can contact a MobileIron sales rep here to add MTD to your existing deployment or to any eval of MobileIron Cloud or Core.