The first jailbreak for Apple's iOS 7 has emerged, posing a security risk for businesses that operate a 'bring your own device' (BYOD) policy.
The jailbreak, released by hacking group evad3rs, allows iPhone and iPad users to download apps and extensions not available through Apple's App Store.
Jailbreaking is not illegal in the UK but can violate Apple's end-user software license agreement. If compromised, jailbroken devices allow hackers to access personal and business information and can introduce malware, spyware and viruses.
A jailbroken device affects Apple's built-in security, Nigel Robson, senior consultant at business and IT consultancy Waterstons, told SCMagazineUK.com. "If apps are downloaded from another source than Apple's App Store, it could introduce a virus on the device and into the corporate network," he said.
Mobile device management (MDM) tools will detect jailbroken devices, according to Robson. He added: "It is the busiest time for mobile devices as people are giving them as gifts. If businesses have MDM in place, it will show when jailbroken devices connect to the network."
Most security vendor products can identify jailbroken phones, said Andrew Kellett, principal analyst at Ovum. As well as implementing the right tools, he advises firms to reiterate BYOD policies to staff. "The user is absolutely the weakest link," he told SCMagazineUK.com. "We are now using our mobile devices to transfer information into insecure storage areas. Organisations need to provide extra clarity: as far as business is concerned, jailbroken phones are an absolute no."
Daniel Foster, technical director at 34SP, concurs. "It's a good time to review and make sure you have a BYOD policy in place," he said. "Jailbreaks are forfeiting security to a certain extent: Apple's updates are often bug fixes and if you are jailbroken, you are not able to get those."
According to Phillip Dick, NTS UK managing director, apps downloaded from a jailbroken iPhone could "open a back door into the company's network, and allow unauthorised users access to sensitive corporate data".
He added: "That's why it is essential not just to have a comprehensive set of policies around BYOD but also methods of policing and enforcing those policies. Enhanced freedom and access needs enhanced monitoring and enforcement."