I was recently speaking with a company about their concerns regarding security and the topic of jailbreak detection came up.
Clearly the person I was speaking with considered jailbreak detection to be an important line of defence against attack. Of course, as the article title implies, I disagree.
Before I get into jailbreak detection's flaws, a quick review of why jailbreak detection exists in the first place is in order. As employers open up company resources to mobile devices, one common way to do so is to install WiFi and/or VPN credentials on a device so that device can access the company network.
Mobile device management (MDM) makes it relatively easy to do so. The risk of admitting a device in to the network though, is that all applications on that device are now on the corporate network. Hence it is important to ensure that nothing untoward is happening on the device as a first step.
Jailbreaking on iOS (or 'rooting' on Android) refers to the practice of leveraging a vulnerability in the operating system code to circumvent the device's built-in protections. These protections include the separate 'jails' that are maintained for each app, and all controls restricting what software is or isn't installed on the device.
Given this backdrop, jailbreak detection is often touted as a feature that vendors (particularly MDM vendors) offer to improve the safety of mobile devices connecting to the company network via a VPN or corporate WiFi connection.
Unfortunately, jailbreak detection is deeply flawed for both social and technical reasons and provides nothing more than a false sense of security to IT.
Starting with the social reason, the first question one should ask when devising a security policy is who that policy is designed to stop. If your concern is that one of your employees' children will root a device and install a virus, then you can stop reading here.
Jailbreak detection is a reliable method to stop most jailbreak or rootkits that you can download and install on your Mac or PC at home. If your goal is to stop a determined attacker, then read on. Before you jump into the former camp, the reality is that almost all attackers fall in the sophisticated and determined category; read what Verizon has to say about who the brains are behind most data breaches.
So called 'script kiddies' are not the real threat if your business has sensitive and valuable information that a financially motivated or state-affiliated organisation could benefit from.
Now that we've agreed that the threat we are concerned with is a determined and sophisticated attacker, it's time to debunk jailbreak (and its Android equivalent) once and for all. The critical point is this; when an application is loaded by the operating system (on any platform, really), it is dynamically linked against built-in libraries on the device (e.g. all iOS 'frameworks') and system libraries.
Once an attacker has rooted a device, he or she can essentially intercept all calls to system libraries or operating system functions by either: (a) changing the search path of the dynamic linker in the environment prior to launching the app, or (b) searching for known symbols in the decrypted binary while in a debugger and rewriting the application code.
Once an attacker has compromised all system calls, then correspondingly, all methods of jailbreak detection are defeated. There is no hard and fast way to know that a device has been jailbroken; instead the normal practice is to do a comprehensive search for evidence that the built-in system protections have been disabled.
If positive evidence is uncovered that these protections are not functioning properly, then the device is deemed jailbroken. However, if an attacker controls the functioning of all system calls, then probing the system to determine if it has been compromised is useless. A sophisticated attacker simply ensures that all system probes return the expected, safe result regardless of what is actually happening on the device.
To sum it up:
- It is possible to build an automated attack that jailbreaks a device by attacking the machine a user docks it to
- It automatically fools your MDM software to defeat jailbreak detection as outlined above
- It starts to steal data and intercept network communications that you thought were safe (of course, you can protect your data to prevent this – but we are talking about the common case where WiFi or VPN credentials are installed on the device)
- Once the user with the now compromised device decides to log into the corporate network, your bad, bad day has begun.
Is there any good news in all of this bad news? Well, it depends on how you look at it. If your organisation is legitimately concerned about organised crime, foreign governments or skilful corporate spies, then you simply cannot trust the native device platform when considering how to securely access corporate data from a mobile device.
On a laptop, IT can apply a lock down policy combined with network access control to go to great lengths to prevent anything bad from ever getting on to that laptop in the first place. Mobile devices simply don't provide that degree of control to IT, so the only safe assumption is that any mobile device (whoever owns it) may be jailbroken and running malicious software without your employee's knowledge.
First and foremost, any safe security solution for mobile devices, including personal devices, cannot rely on the device OS for sensitive operations such as encryption, and it cannot use the dynamic linker.
At the very least, once the dynamic linker is out of the picture most automated attacks will have a very hard time rewriting a binary to replace the statically linked encryption APIs.
Second, safe mobility solutions for mobile devices should focus on protecting the data, not the device, and in particular on: (a) encrypting all data when it is not in active use, and (b) diligently clearing sensitive data from device memory when it is not needed.
Seth Hallem, CEO and co-founder of Mobile Helix