
Why iOS jailbreak detection is a fundamentally flawed security process


I was recently speaking with a company about their concerns regarding security and the topic of jailbreak detection came up.

Clearly the person I was speaking with considered jailbreak detection to be an important line of defence against attack. Of course, as the article title implies, I disagree.

Before I get into jailbreak detection's flaws, a quick review of why jailbreak detection exists in the first place is in order. As employers open up company resources to mobile devices, one common way they do so is to install WiFi and/or VPN credentials on a device so that the device can access the company network.

Mobile device management (MDM) makes it relatively easy to do so. The risk of admitting a device into the network, though, is that all applications on that device are now on the corporate network. Hence it is important to ensure, as a first step, that nothing untoward is happening on the device.

Jailbreaking on iOS (or 'rooting' on Android) refers to the practice of leveraging a vulnerability in the operating system code to circumvent the device's built-in protections. These protections include the separate 'jails' that are maintained for each app, and all controls restricting what software is or isn't installed on the device.

Given this backdrop, jailbreak detection is often touted as a feature that vendors (particularly MDM vendors) offer to improve the safety of mobile devices connecting to the company network via a VPN or corporate WiFi connection.

Unfortunately, jailbreak detection is deeply flawed for both social and technical reasons and provides nothing more than a false sense of security to IT.

Starting with the social reason, the first question one should ask when devising a security policy is who that policy is designed to stop. If your concern is that one of your employees' children will root a device and install a virus, then you can stop reading here.

Jailbreak detection is a reliable method to stop most jailbreak tools or rootkits that you can download and install on your Mac or PC at home. If your goal is to stop a determined attacker, then read on. Before you assume you are in the former camp, the reality is that almost all attackers fall in the sophisticated and determined category; read what Verizon has to say about who the brains are behind most data breaches.

So called 'script kiddies' are not the real threat if your business has sensitive and valuable information that a financially motivated or state-affiliated organisation could benefit from.

Now that we've agreed that the threat we are concerned with is a determined and sophisticated attacker, it's time to debunk jailbreak detection (and its Android equivalent) once and for all. The critical point is this: when an application is loaded by the operating system (on any platform, really), it is dynamically linked against built-in libraries on the device (e.g. all iOS 'frameworks') and system libraries.

Once an attacker has rooted a device, he or she can essentially intercept all calls to system libraries or operating system functions by either: (a) changing the search path of the dynamic linker in the environment prior to launching the app, or (b) searching for known symbols in the decrypted binary while in a debugger and rewriting the application code.

Once an attacker has compromised all system calls, then correspondingly, all methods of jailbreak detection are defeated. There is no hard and fast way to know that a device has been jailbroken; instead the normal practice is to do a comprehensive search for evidence that the built-in system protections have been disabled.

If positive evidence is uncovered that these protections are not functioning properly, then the device is deemed jailbroken. However, if an attacker controls the functioning of all system calls, then probing the system to determine if it has been compromised is useless. A sophisticated attacker simply ensures that all system probes return the expected, safe result regardless of what is actually happening on the device.

To sum it up:

  • It is possible to build an automated attack that jailbreaks a device by attacking the machine a user docks it to
  • It automatically fools your MDM software to defeat jailbreak detection as outlined above
  • It starts to steal data and intercept network communications that you thought were safe (of course, you can protect your data to prevent this – but we are talking about the common case where WiFi or VPN credentials are installed on the device)
  • Once the user with the now compromised device decides to log into the corporate network, your bad, bad day has begun.

Is there any good news in all of this bad news? Well, it depends on how you look at it. If your organisation is legitimately concerned about organised crime, foreign governments or skilful corporate spies, then you simply cannot trust the native device platform when considering how to securely access corporate data from a mobile device.

On a laptop, IT can apply a lock-down policy combined with network access control to go to great lengths to prevent anything bad from ever getting onto that laptop in the first place. Mobile devices simply don't provide that degree of control to IT, so the only safe assumption is that any mobile device (whoever owns it) may be jailbroken and running malicious software without your employee's knowledge.

First and foremost, any safe security solution for mobile devices, including personal devices, cannot rely on the device OS for sensitive operations such as encryption, and it cannot use the dynamic linker.

At the very least, once the dynamic linker is out of the picture most automated attacks will have a very hard time rewriting a binary to replace the statically linked encryption APIs.

Second, safe mobility solutions for mobile devices should focus on protecting the data, not the device, and in particular on: (a) encrypting all data when it is not in active use, and (b) diligently clearing sensitive data from device memory when it is not needed.
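One way to implement point (b), shown here as an added C example that is not code from the article or from Mobile Helix: key material is held only while a session is unlocked and is wiped with a clear the compiler cannot optimise away. The names secure_zero, data_session and the demo key bytes are assumptions for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* secure_zero, data_session and the demo key bytes are assumed names and
 * constructed values for this example; they are not from the article. */

/* Clear memory without the store being optimised away: a memset() on a buffer
 * that is never read again is a dead store the compiler may drop, leaving key
 * material behind. Writing through a volatile pointer forces every byte out. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* The key lives in memory only while the user is actively working with the
 * data; locking wipes it, so a later memory snapshot of the app holds nothing. */
typedef struct {
    unsigned char key[32];
    int unlocked;
} data_session;

static void session_unlock(data_session *s, const unsigned char key_material[32]) {
    memcpy(s->key, key_material, sizeof s->key);
    s->unlocked = 1;
}

static void session_lock(data_session *s) {
    secure_zero(s->key, sizeof s->key);
    s->unlocked = 0;
}

/* Returns 1 when every byte of the key slot is zero, i.e. the wipe took effect. */
static int session_key_is_clear(const data_session *s) {
    unsigned char acc = 0;
    for (size_t i = 0; i < sizeof s->key; i++)
        acc |= s->key[i];
    return acc == 0;
}

int main(void) {
    unsigned char demo_key[32];
    data_session s;
    memset(demo_key, 0xAB, sizeof demo_key);   /* constructed key bytes */
    session_unlock(&s, demo_key);
    printf("unlocked: key clear? %d\n", session_key_is_clear(&s));
    session_lock(&s);
    printf("locked:   key clear? %d\n", session_key_is_clear(&s));
    return 0;
}
```

In a real app the key would be derived from the user's passcode at unlock time and the lock would run on backgrounding or inactivity timeout, not only on explicit user action.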

Seth Hallem, CEO and co-founder of Mobile Helix
