In my previous blog, The time is now for mobile app protection, I talked about how the current state of the world since COVID-19 is driving an increase in the usage of mobile apps for everyday activities. This increase in use of mobile app platforms inevitably leads to mobile apps becoming more attractive targets for cybercriminals.
Software and data transformation to make reverse engineering difficult remains important, but in a war against hackers and competitors, a single line of protection is not enough – defense-in-depth is key.
In the art of war, understanding the terrain that you’re operating in makes all the difference between winning and losing. This principle is also true in our battle against hackers. It’s important to understand what terrain the app is operating in to understand the risk exposure as part of our defense-in-depth strategy.
For this blog, we’ll focus on one of the most common attacks against an iPhone: Jailbreaking. Wikipedia defines Jailbreaking as a “the privilege escalation of an Apple device for the purpose of removing software restrictions imposed by Apple on iOS, iPadOS, tvOS, watchOS, and bridgeOS operating systems”. The purpose of this attack is often to unlock an Apple device from a carrier, to download tweaks or new functions like call recording or to obtain access to free games. Whatever the reason, this alteration of an iOS device is a significant change to its default security posture. We’ll look at:
- The impact of Jailbreaking an iOS device and how it impacts the terrain for an iOS app.
- Why an app developer needs to understand if the device is Jailbroken and what are some of the remediations that can be put in place when this occurs.
- Some of the traditional barriers to implementing Jailbreak detection.
Help! I’m Jailbroken; now what?
Security is one of the well-known strengths of the Apple ecosystem. Apple is widely acknowledged to be one of the most secure computing platforms in the world and, when vulnerabilities are found, Apple is quick to issue patches. The iPhone itself follows a defense-in-depth strategy with hardware security features such as secure enclaves and secure boot and app security features ranging from code signing to sandboxing.
The iOS application sandbox is specifically designed to “contain damage to the system and the user’s data if an app becomes compromised”, and it does this by restricting access to system files and application resources. The sandbox, for example, prevents apps from accessing the data and resources belonging to another app. On an unmodified device, this protection forms a significant barrier to threats such as malware. On a Jailbroken device, this barrier between apps and the general filesystem is removed, and all apps have root access to the device. Any malware present on the device would have access to all resources and files. For example, . In short, the presence of a Jailbreak significantly modifies the app attack surface or terrain of a device and leaves it vulnerable for an attack.
In a notable attack a few years ago, hackers attempted to use several zero-day exploits to install a remote Jailbreak on the phone of a prominent journalist. This Jailbreak would have allowed the attacker to collect a variety of information including email contacts and messages. In another case, KeyRaider malware specifically targeted Jailbroken devices to steal Apple ID and password information as it was sent to iTunes. In both cases, Jailbreaking the device to access resources and data outside of the sandbox was critical to the attack.
To an app developer, the presence of a Jailbreak indicates a change in the standard security posture of a device. When an app developer can programmatically detect a Jailbreak, that knowledge could be used by the app developer to drive a range of app behaviors. For example, Irdeto customers have implemented Jailbreak detection responses such as:
- Denying access to the app itself (common in financial apps).
- Disabling sub-functions from the app, such as blocking Airplay or lowering the maximum available bitrate on a video stream.
- Changing the type and location of data stored on the device.
- Logging the Jailbreak status or sending it as an event to be processed at the server.
These are just a few of the examples that we’ve seen at Irdeto where app developers have used the information uncovered by Jailbreak detection to modify the overall behavior of an application.
We know about Jailbreaking, so what do we do?
To date, Apple’s response to Jailbreaks has been to release security patches as soon as possible in order to remediate the detected issue if possible, so no APIs are provided by iOS to help detect Jailbreaks. As a result, app developers who wanted to implement Jailbreak detection had to:
- License a mobile software security solution.
- Learn how to use the software and install it in their environments or IDE.
- Modify their app to insert the checks and handle any return codes.
- Periodically update and re-integrate the mobile security solution to detect the latest Jailbreak technology.
This process adds significant business and engineering complexity to the development of a mobile app and is likely a substantial barrier to the adoption of Jailbreak detection technology. Given the time and economic pressures on app developers, this functionality would only be adopted in cases where the app owner is compelled to implement such checks by regulations or other requirements.
Again, so what?
From my previous blogs, we know that because of the increase in use of mobile apps due to COVID-19, the risk of cyberattacks has increased significantly and it’s best to have some form of defense-in-depth strategy in place.
The security issues which occur on Jailbroken devices that we looked at in this blog demonstrates how Jailbreak detection plays a pivotal role as part of a defense-in-depth strategy for iOS apps. Unfortunately, in the past, implementing Jailbreak detection was achieved by purchasing and integrating a third-party security solution, which formed a significant barrier to adoption.
In today’s world, app developers need a solution that makes it easy and affordable to implement security to their apps as part of their defense-in-depth strategy. Irdeto’s Trusted Software is here to help!