A lot of people these days talk about how they have jailbroken their smartphones. Most of them think that a jailbreak means connecting the device to a computer, pressing a button, waiting a couple of minutes, and voilà. The reality is a little more complex than that.

What is a Jailbreak?

Jailbreak means allowing third-party applications to be installed on your Apple iDevice. Contrary to popular belief, it’s entirely legal to run third-party applications on your device since James H. Billington’s DMCA revision.

Jailbreaking permits root access to the iOS file system and manager, allowing the download of additional applications, extensions, and themes that are unavailable through the official Apple App Store.

The only thing that prevents people from doing a jailbreak is Apple itself.

Types of Jailbreaks

When a device boots, it first loads the Apple kernel. For a jailbreak to take effect, the device must be exploited and the kernel patched each time it is turned on.

An “untethered” jailbreak is one that is achieved without the need for a computer. When the user turns the device off and back on, the device starts up completely and the kernel is patched without a computer being involved. While this sounds easy, this kind of jailbreak is harder to create and requires a lot of reverse engineering and experience.

With a “tethered” jailbreak, a computer is needed to turn the device on each time it is rebooted. If the device starts back up on its own, it will no longer have a patched kernel, and it may get stuck in a partially started state. Basically, the purpose of the computer is to “re-jailbreak” the phone each time it is turned on.

There is also a third kind called a “semi-tethered” solution. What this essentially means is that when the device boots on its own, it will no longer have a patched kernel, so modified code cannot run, but the device can still be used for normal functions. When the user needs features that require modified code, the device must be started with the help of a jailbreaking tool.

Here's How Jailbreak Really Works

How does a Jailbreak Work?

Jailbreak allows you to get control over the root and media partitions of your device. This is where all the iOS files are stored. To do this, /private/etc/fstab must be patched.

fstab is like a switch that controls permissions on the root and media partitions; it is the switch room of your iDevice. By default, the root partition is set to ‘read-only’ mode, allowing you to view files but not change them. To be able to make modifications, the fstab entry has to be set to ‘read-write’ mode.
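As an added illustration (not code from the original post), here is a small Python parser that reads fstab lines and reports the mount mode of each partition; the two fstab samples are constructed, with device names in the style of older iOS layouts, and the check is the kind an app or auditor might run to notice that `/` has been remounted read-write.

```python
# Added example (not from the original post): parse iOS-style fstab lines and
# report whether each partition is mounted read-only or read-write.
from dataclasses import dataclass

# Constructed sample: a stock fstab keeps the root filesystem read-only and the
# media (/private/var) partition read-write. Device names follow older iOS layouts.
STOCK_FSTAB = """\
/dev/disk0s1s1 / hfs ro 0 1
/dev/disk0s1s2 /private/var hfs rw,nosuid,nodev 0 2
"""

# Constructed sample: the same file after the 'ro' -> 'rw' switch a jailbreak makes.
PATCHED_FSTAB = """\
/dev/disk0s1s1 / hfs rw 0 1
/dev/disk0s1s2 /private/var hfs rw,nosuid,nodev 0 2
"""

@dataclass
class MountEntry:
    device: str
    mount_point: str
    fs_type: str
    options: frozenset

def parse_fstab(text):
    """Return one MountEntry per non-comment line of an fstab file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed fstab line: {raw!r}")
        device, mount_point, fs_type, opts = fields[:4]
        entries.append(MountEntry(device, mount_point, fs_type, frozenset(opts.split(","))))
    return entries

def mount_modes(text):
    """Map each mount point to 'rw' or 'ro' for a quick audit summary."""
    return {e.mount_point: ("rw" if "rw" in e.options else "ro") for e in parse_fstab(text)}

def root_is_writable(text):
    """True if '/' carries 'rw'; a stock iOS fstab mounts it 'ro'."""
    modes = mount_modes(text)
    if "/" not in modes:
        raise ValueError("no root filesystem entry found")
    return modes["/"] == "rw"
```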

While this might sound easy, the biggest problem is getting all the files you need through the various checkpoints. The checkpoints are Apple’s way of telling a legitimate file from a third-party one. Every file is signed with a key, and without a valid signature the file is set aside and is unusable.

So where do we get the key? Well, it’s not as easy as it sounds. Now we’ll have to act like Sherlock and solve the mystery of the hidden keys. In simple words, we can get through the door either by unscrewing the lock (patching all the checkpoints) or by finding a back-door entry (a bypass). Patching is a difficult task and mostly not worth the effort, so most people who jailbreak look for a back-door entry, or bypass.

Before we look at how these checkpoints can be bypassed, we need some more background.

Essential Things to Understand Jailbreak Further

The Boot Process

Every time an Apple device boots up, it goes through something called a “chain of trust.” This is basically a series of checks that ensures everything that runs is something Apple approves of. Usually, the order is as follows:

  • Runs Bootrom: Also called “SecureROM” by Apple, it is the first significant code that runs on an iDevice.
  • Runs Bootloader: Generally, it is responsible for loading the main firmware.
  • Loads Kernel: The bridge between iOS and the actual data processing done at the hardware level.
  • Loads iOS: The final step to the chain, iOS starts and we get our nice “Slide to Unlock” view.

Now that you know how your device boots, let’s go a step further.

The Roadblock

Every movie has to have a villain. The bad guy is what makes everything challenging. In this case, the signature checks are the bad guys. While the kernel is loading, there are thousands of tests being done to make sure everything being loaded is Apple approved.

To be more specific, there are many checks throughout the boot process, and each looks for one thing: a signature, or key. If the key is correct we get a green light. If it is wrong, then depending on where the check occurred and which file it was, the device will either crash (causing a boot loop) or simply ignore the file and not execute it at all.
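As an added illustration (not code from the original post, and not Apple’s actual mechanism), the following Python script simulates the chain of trust and the two failure behaviours just described: each stage is checked for a valid signature before it runs, a bad signature on a critical stage halts the boot, and an unsigned non-critical file is simply ignored. The stage names, their contents, the HMAC-based signature and the root key are all constructed for the simulation.

```python
# Added example (not from the original post): a simulation of the boot-time
# chain of trust. Real iOS uses public-key signatures rooted in the Bootrom;
# an HMAC under a constructed key stands in for that so the script runs offline.
import hmac
import hashlib

# Constructed key; on a real device the root of trust is burned into the Bootrom.
ROOT_KEY = b"constructed-root-of-trust-key"

# Stages in boot order, as the post lists them. The third field marks whether a
# bad signature halts the boot (crash/loop) or the file is merely skipped.
BOOT_STAGES = [
    ("bootloader", b"code: load the main firmware", True),
    ("kernel",     b"code: bridge iOS to the hardware", True),
    ("ios",        b"code: Slide to Unlock", True),
    ("extra_file", b"code: optional component", False),
]

def sign(code):
    """Signature a legitimately built stage carries (HMAC-SHA256 stands in for RSA)."""
    return hmac.new(ROOT_KEY, code, hashlib.sha256).hexdigest()

def build_image(stages=BOOT_STAGES):
    """Assemble a signed boot image: name -> (code, signature, critical)."""
    return {name: (code, sign(code), critical) for name, code, critical in stages}

def boot(image):
    """Walk the chain in order, verifying each stage before it is 'run'.

    Returns (outcome, stages_run) where outcome is 'booted' or 'halted:<stage>'.
    """
    ran = []
    for name, (code, signature, critical) in image.items():
        if hmac.compare_digest(sign(code), signature):
            ran.append(name)               # green light: hand control to this stage
        elif critical:
            return f"halted:{name}", ran   # device crashes or loops here
        # otherwise the unsigned file is ignored and boot continues
    return "booted", ran

def tamper(image, name, new_code):
    """Replace a stage's code without re-signing it (no key, so no valid signature)."""
    patched = dict(image)
    _, signature, critical = patched[name]
    patched[name] = (new_code, signature, critical)
    return patched
```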

The Objective of a Jailbreak

As a jailbreaker, your objective is to either patch the checks or bypass them. As mentioned before, the conventional and less cumbersome approach is to bypass them. This brings us to two broad categories of exploits:

  • bootrom exploit: An exploit of the bootrom itself. It can’t be fixed by a conventional firmware update and must be fixed in new hardware. Since it runs before almost any checkpoint, the malicious code is injected before everything else, creating a passageway to bypass all the checks or simply disable them.
  • userland exploit: An exploit that runs during or after kernel load, which Apple can easily patch with a software update. Since it runs after all the checks, it injects the malicious code directly through openings back into the kernel. These openings are not easy to find, and once found they can be patched.

Security Complications

Jailbreaking your iDevice has some pros, the most important being that you get to access and use third-party apps. But a jailbreak can also open up a lot of security loopholes:

Third Party Apps Can Be Dangerous

There’s a reason why Apple imposes more restrictions than any other mobile OS out there. A malicious app can cause a lot of havoc on your device. It’s always possible that you’ll get a bad app, but if you start downloading apps that haven’t been okayed by Apple for the App Store, the chances of getting malware go up.

Security Patches Will Not Download

After you’ve jailbroken your iPhone or iPad, you won’t be able to update iOS without reverting to the un-jailbroken default mode. While this isn’t a big deal, most people who have jailbroken their iOS devices will wait until a new jailbreak is available for the update before they download and install it so that they don’t have to go back to the stock iOS implementation for an extended period of time.

Everyone Knows the Default Password

One of the worst-kept secrets about iOS is its root password, “alpine.” Everyone knows it, and Apple doesn’t intend to change it. Having the root password gives a user access to the core functions of the device, and this can be disastrous if it falls into the wrong hands.

The good thing is that this password can be changed from a shell app, but people who have just jailbroken often forget to do this, leaving their devices open to attack.

To Sum It Up

It is not easy to jailbreak a device. It requires a lot of skill, experience and a hell of a lot of patience. I hope this post helps establish that point. I hope that next time you think about jailbreaking your device, you understand the whole process and are also aware of the security issues that come along with it.

Apps installed on jailbroken devices expose more of their critical information.
Ensure your app is secured even if it sits on a jailbroken device.

If you have any questions, please feel free to write it in the comments below.

Credits: Synchronizing on Reddit