Here's What Does Jailbreak Works

A lot of people these days talk about how they have jailbroken their smartphones. The fact is that most people think that a jailbreak means connecting their devices to a computer, pressing a button, waiting for a couple of minutes, and voilá. The reality is a little more complex than that.

What does Jailbreak Means?

Jailbreak means allowing third-party applications to be installed on your Apple iDevice. Contrary to popular belief, it's entirely legal to run third-party applications on your device since James H. Billington's DMCA revision.

Jailbreaking permits root access to the iOS file system and manager, allowing the download of additional applications, extensions, and themes that are unavailable through the official Apple App Store.

The only thing that prevents people from doing a jailbreak is Apple itself.

Types of Jailbreaks

When a device is booting, it starts with loading the Apple kernel initially. The device must then be exploited and have the kernel patched each time it is turned on.

  • Untethered Jailbreak

An "untethered" jailbreak is a process where a jailbreak is achieved without the need to use a computer. As the user turns the device off and back on, the device starts up completely, and the kernel is patched without the necessity of a computer. While this sounds easy, this kind of jailbreak is harder to make and requires a lot of reverse engineering and experience.

  • Tethered Jailbreak

With a "tethered" jailbreak, a computer is needed to turn the device on each time it is rebooted. If the device starts back up on its own, it will no longer have a patched kernel, and it may get stuck in a partially started state. Basically, the purpose of the computer is to "re-jailbreak" the phone each time it is turned on.

  • Semi-tethered

There is also a third kind called a "semi-tethered" solution. What this essentially means is that when the device boots, it will no longer have a patched kernel, which means you will not be able to run any modified code. But it can be used for normal functions. When you need to use features that require a modified code to run, the user must start the device with the help of a jailbreaking tool.

[Must Read] The Ultimate iOS Security Checklist While Launching Your iOS App

Why Avoid Jailbreak?

There are numerous reasons why you should avoid jailbreaking your iPhone or iPad. Once you jailbreak, you will be forced to jailbreak each time you a new iOS update. Moreover, you will get those updates much later than other devices. Jailbroken devices are known to be potentially unstable too. You might have problems with your system and your apps will tend to crash frequently and the phone will reboot more often. 

During the jailbreak process, there is also a chance that you might end up bricking your iDevice. This term refers to some software issue that might lead to your device becoming useless without getting some hardware replacement. And most importantly, the fact that jailbroken devices are more prone to cyberattacks can’t be denied

Good Read- iOS App Security: 6 Ways How Apple Protects the User’s Data

How does a Jailbreak Work?

Jailbreak allows you to get control over the root and media partition of your device. This is where all the iOS files are stored. To do this, /private/etc/fstab must be patched.

fstab is like a switch that controls permissions to the root and media partitions. By default, this is set to a 'read-only' mode allowing you to only view but not make any changes. To be able to make modifications, we have to set the fstab to 'read-write' mode. It is the switch room of your iDevice, controlling the permission of the root and media partition.

 

While this might sound easy, the biggest problem is getting in all the files that you need through the various checkpoints. The checkpoints are Apple's way of ensuring that the file is legit or a third party. Every file is signed by a key, and without it, the file will be put aside and unusable.

So where do we get the key? Well, it's not as easy as it sounds. Now, we'll have to act like Sherlock and solve the mystery of the hidden keys. In simple words, access to the door can be provided if we either unscrew the lock (patch all checkpoints) or find a back door entry (bypass). Patching is a difficult task and is mostly not worth the effort. So most people who jailbreak will try to find a backdoor entry or a bypass.

Before we understand how we can bypass these checkpoints, we must enlighten ourselves with some more information.

Essential Things to Understand Phone Jailbreak Further

1. The Boot Process

Every time an Apple device boots up, it goes through something called as a "chain of trust." This is basically a series of checks that ensures everything that is running is something that Apple approves of. Usually, the order is as follows:

  • Runs Bootrom: Also called "SecureROM" by Apple, it is the first significant code that runs on an iDevice.
  • Runs Bootloader: Generally, it is responsible for loading the main firmware.
  • Loads Kernel: Bridge between the iOS and the actual data processing done at the hardware level.
  • Loads iOS: The final step to the chain, iOS starts and we get our nice "Slide to Unlock" view.

Now that you know how to boot your device let's go a step further.

2. The Roadblock

Every movie has to have a villain. The bad guy is what makes everything challenging. In this case, the signature checks are the bad guys. While the kernel is loading, there are thousands of tests being done to make sure everything is loaded is Apple approved.

To be more specific, there are many checks throughout the boot process which look, for one thing, a signature, or a key. If the key is correct we get a green light, if it is wrong, depending on where the check was at or what file it was, it will either crash the iDevice causing a loop, or simply ignore it and not execute that particular file at all.

3. The Objective of a Jailbreak

As a Jailbreaker, your objective is to either patch the checks or bypass them. As mentioned before, the conventional and fairly less cumbersome process is to bypass. This brings us to two broad categories of exploits:

  • bootrom exploit: Exploit done during the bootrom. It can't be patched by a conventional firmware update and must be patched by new hardware. Since it's before almost any checkpoint, the malicious code is injected before everything, thus allowing a passageway to be created to bypass all checks or simply disable them.
  • userland exploit: Exploit done during or after the kernel has loaded and can easily be patched by Apple with a software update. Since it's after all the checks, it injects the malicious code directly into the openings back into the kernel. These openings are not so easy to find, and once found can be patched.

A few Security Complications are 

Jailbreaking your iPhone or iDevice has some pros, the most important of which are you get to access and use third-party apps. A jailbreak can also open up a lot of security loopholes:

1. Third-Party Apps Can Be Dangerous

There’s a reason why Apple imposes more restrictions than any other mobile OS out there. A malicious app can cause a lot of havoc on your device. It’s always possible that you’ll get a bad app, but if you start downloading apps that haven’t been okayed by Apple for the App Store, the chances of getting malware to go up.

2. Security Patches Will Not Download

After you’ve jailbroken your iPhone or iPad, you won’t be able to update iOS without reverting to the un-jailbroken default mode. While this isn’t a big deal, most people who have jailbroken their iOS devices will wait until a new jailbreak is available for the update before they download and install it so that they don’t have to go back to the stock iOS implementation for an extended period of time.

3. Everyone Knows the Default Password

One of the worst-kept secrets about iOS is its root password, “alpine.” Everyone knows it, and Apple doesn't intend to change it. Having the root password gives a user access to the core functions of the device, and this can be disastrous if it falls into the wrong hands.

The Good thing is that this password can be changed from a shell app, but post-jailbreakers often forget to do this leaving their devices open to vulnerabilities.

To Sum Up - Jailbreak

It is not easy to Jailbreak a device. It requires a lot of skill, experience, and a hell lot of patience and you should know everything about iOS Jailbreak Detection. I hope this post helps establish that point. I hope that next time you think about jailbreaking your device, you understand the whole process and are also aware of the security issues that come along with it.

Apps that are installed on jailbroken devices are more exposed to their critical information.
Ensure your app is secured even if it sits on a jailbroken device.

Book a Demo

Published on Jun 24, 2018
Subho Halder
Written by Subho Halder
Subho Halder is the CISO and Co-Founder of Appknox. He started his career researching Mobile Security. Currently, he helps businesses to detect and fix security vulnerabilities. He has also detected critical loopholes in companies like Google, Facebook, Apple, and others

Questions?

Chat With Us

Using Other Product?

Switch to Appknox

2 Weeks Free Trial!

Get Started Now