What is an iOS jailbreak, and why is it important in mobile applications?
By default, the iOS operating system has a number of restrictions on what users can do on the device as well as what applications installed on the device can do. For example, default-configured iOS devices only allow device users to install applications from Apple's AppStore, and those applications are limited in how they can interact with the operating system as well as each other. An iOS jailbreak is a way of bypassing those restrictions.
Jailbreaking is the act of getting root-level access to an iOS device, usually by exploiting an operating system security vulnerability. This root-level access gives device users the ability to bypass many of the restrictions imposed by the iOS operating environment. For example, jailbroken iOS devices can install non-AppStore applications either manually or via alternate mobile application stores, such as Cydia. Other parts of the operating system, such as various user interface components, can also be customized.
There are two leading reasons why a developer might care about jailbreaking:
- If they want to develop iOS applications and load them on devices without having to pass through Apple's AppStore
- If they are interested in making their applications behave differently when installed on jailbroken devices
Bypassing Apple's AppStore
In the first case, a developer might want to develop applications for iOS devices but not want to submit the applications to Apple's AppStore before installing them onto a device with an iOS jailbreak.
There are a number of reasons a developer might want to do this -- Apple curates the applications on the AppStore, and there have been a number of instances where they have not allowed applications into the store or pulled them from the store after deployment. Reasons applications have been denied entry to the AppStore include quality issues such as instability, containing "objectionable" content such as pornography, attempting to access "private" Apple APIs and duplicating existing Apple-provided apps already installed on the phone.
App developers looking to bypass one or more of these restrictions might make the choice to develop their application and make it available via direct download or an alternate app store such as Cydia. This would decrease the number of users who could take advantage of the app, but might be required if the app could not be developed or redesigned in such a way that it could pass through Apple's vetting process.
Avoiding jailbroken device security issues
In the second case, an application developer might be developing an application that would be made available conventionally via Apple's AppStore, but be concerned about scenarios where their application might be run on a jailbroken device.
By default, iOS provides significant facilities to wall off applications from one another so that no app should be able to see private files from another app and apps shouldn't be able to affect the behavior of one another. However, with an iOS jailbreak in place -- because the operating system has essentially been modified -- an app might have to run in an environment where super-powered applications have been installed on the device.
There are methods that app developers can use to attempt to detect if they're being run on a jailbroken device. Some of these include checking for the existence of files or directories and checking the return values of certain system calls. The problem with this type of detection is that it is a cat-and-mouse game that should not be expected to reliably work given there are different jailbreak methods and the jailbreaker has greater access to the device operating system than the legitimate app.
Our advice to app developers has always been to treat the device as if it had been compromised and design and build the application accordingly. App developers who follow this advice should fare well when assessing the impact of their apps being run on a device with an iOS jailbreak.
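The file-existence and system-call checks described above can be sketched in C as follows. This is an added example, not code from the original answer; the path list and the probe location are assumed samples, and in line with the advice above the result is only an advisory signal that a jailbreak can suppress.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed sample of paths that jailbreak tooling commonly leaves behind.
 * Not exhaustive, and a jailbreak can hide or rename any of them. */
static const char *const JB_PATHS[] = {
    "/Applications/Cydia.app",
    "/private/var/lib/apt",
    "/Library/MobileSubstrate/MobileSubstrate.dylib",
};
#define JB_NPATHS (sizeof JB_PATHS / sizeof JB_PATHS[0])

/* File check: count the paths for which stat() succeeds. Inside an intact
 * sandbox these calls are expected to fail. */
size_t jb_count_present(const char *const *paths, size_t n) {
    struct stat st;
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (paths[i] != NULL && stat(paths[i], &st) == 0)
            hits++;
    return hits;
}

/* System-call check: a sandboxed app should not be able to create a file
 * outside its container, so open() succeeding is a signal. Returns 1 or 0. */
int jb_can_write_outside(const char *probe_path) {
    int fd = open(probe_path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return 0;
    close(fd);
    unlink(probe_path); /* remove the probe file again */
    return 1;
}

/* Combine both checks into an advisory score; 0 means "no signal seen",
 * never "device is clean". */
int jb_risk_score(const char *const *paths, size_t n, const char *probe_path) {
    int score = (int)jb_count_present(paths, n);
    if (probe_path != NULL && jb_can_write_outside(probe_path))
        score += 2;
    return score;
}

int main(void) {
    /* "/private/jb_probe.txt" is a hypothetical probe location. */
    printf("score=%d\n", jb_risk_score(JB_PATHS, JB_NPATHS, "/private/jb_probe.txt"));
    return 0;
}
```

A non-zero score is best used to reduce what the app trusts locally or to inform server-side risk decisions, since a zero score proves nothing about the device.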