
iOS jailbreaking

iOS jailbreaking is the use of a privilege escalation exploit to remove software restrictions imposed by Apple on devices running iOS and iOS-based[a] operating systems. It is typically done through a series of kernel patches. A jailbroken device typically permits root access within the operating system and provides the right to install software unavailable through the App Store. Different devices and versions are exploited with a variety of tools. Apple views jailbreaking as a violation of the end-user license agreement and strongly cautions device owners not to try to achieve root access through the exploitation of vulnerabilities.[1]

Not to be confused with bootloader unlocking, SIM unlocking, or Rooting (Android).

While sometimes compared to rooting an Android device, jailbreaking bypasses several types of Apple prohibitions for the end-user. Since it includes modifying the operating system (enforced by a "locked bootloader"), installing non-officially approved (not available on the App Store) applications via sideloading, and granting the user elevated administration-level privileges (rooting), the concepts of iOS jailbreaking are therefore technically different from Android device rooting.

Security of the device

Once a device is jailbroken, its built-in security is compromised by the large number of kernel patches that go into building the tool. Security structures such as Apple Mobile File Integrity, the Sandbox, the read-only root file system, and trusted-app enforcement are disabled or otherwise tampered with to achieve the goals of the jailbreaking tool. This, in turn, creates potential security issues for the user of a jailbroken device.


Users of a jailbroken device are also often forced to stay on an older iOS version that is no longer supported by Apple, because newer versions usually cannot be jailbroken right away. This has the potential to introduce security issues, because known vulnerabilities, exploits, and proof-of-concept exploit code have been published for these older versions.


In March 2021, jailbreak developer GeoSn0w[27] released a tweak called iSecureOS which can alert the users of security issues found on their devices. The application works akin to antivirus software, in that it scans the files on the user's device and checks them against a database of known malware or unsafe repos.
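A minimal version of the scan-and-compare approach described above, written here as an added example (not iSecureOS's own code): it checks Cydia-style APT source entries against an unsafe-repo list and hashes files under a directory against a known-bad SHA-256 set. Every repository name, hash and file content below is a constructed placeholder, not a real indicator.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed placeholders for illustration only; not real repos or hashes.
UNSAFE_REPOS = {"repo.unsafe.example"}
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed malicious payload").hexdigest()}

# Cydia/APT source entries look like "deb https://host/path ./"
SOURCE_LINE = re.compile(r"^\s*deb\s+(?P<url>\S+)")


def repo_host(url: str) -> str:
    """Host part of a repo URL, lower-cased, without scheme, port or path."""
    stripped = re.sub(r"^[a-z]+://", "", url, flags=re.I)
    return stripped.split("/")[0].split(":")[0].lower()


def check_sources(sources_text: str, unsafe=UNSAFE_REPOS) -> list:
    """Repo URLs in a sources list whose host appears in the unsafe-repo set."""
    flagged = []
    for line in sources_text.splitlines():
        m = SOURCE_LINE.match(line)
        if m and repo_host(m.group("url")) in unsafe:
            flagged.append(m.group("url"))
    return flagged


def sha256_file(path: Path) -> str:
    """Stream-hash a file so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, bad_hashes=KNOWN_BAD_SHA256) -> list:
    """Relative paths under root whose SHA-256 is in the known-bad set."""
    root = Path(root)
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*")
                  if p.is_file() and sha256_file(p) in bad_hashes)


def demo():
    """Run both checks on constructed sample data; returns (repos, files)."""
    sources = ("deb https://repo.benign.example/ ./\n"
               "deb http://REPO.unsafe.example/ ./\n")
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "Library"
        lib.mkdir()
        (lib / "benign.dylib").write_bytes(b"harmless")
        (lib / "bad.dylib").write_bytes(b"constructed malicious payload")
        return check_sources(sources), scan_tree(tmp)
```

A real scanner would load the unsafe-repo and hash lists from an updatable feed rather than hard-coding them, and would compare hashes of installed packages, not arbitrary files.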


In June 2021, ESET Research confirmed that malware did exist on one of the piracy repositories in the jailbreak community. The malware actively targeted iSecureOS to try to bypass the detection,[28] but updates to the security app were quickly released and have mitigated the malware.

Comparison to Android rooting

Jailbreaking of iOS devices has sometimes been compared to "rooting" of Android devices. Although both concepts involve privilege escalation, they do differ in scope.


Android rooting and jailbreaking are similar in that both grant the owner of the device superuser system-level privileges, which may be transferred to one or more apps. However, unlike iOS phones and tablets, nearly all Android devices already offer an option to let the user sideload third-party apps without installing from an official source such as the Google Play store.[29] Many Android devices also let owners modify or even replace the full operating system after unlocking the bootloader, although doing so requires a factory reset.[30][31][32]


In contrast, iOS devices are engineered with restrictions, including a "locked bootloader" that the owner cannot unlock to modify the operating system without violating Apple's end-user license agreement. On iOS, until 2015, corporations could install private applications onto corporate phones, but sideloading unsanctioned third-party apps from sources other than the App Store was prohibited for most individual users without a purchased developer membership.[33] After 2015, the ability to install third-party apps became free for all users; however, doing so requires a basic understanding of Xcode and of compiling iOS apps.


Jailbreaking an iOS device to defeat all these security restrictions presents a significant technical challenge.[34] Similar to Android, alternative iOS app stores utilizing enterprise certificates are available, offering modified or pirated releases of popular applications and video games, some of which were either previously released through Cydia or are unavailable on the App Store due to these apps not complying with Apple developer guidelines.

History of exploit-disabling patch releases

Apple has released various iOS updates that patch the exploits used by jailbreak utilities. These include iOS 6.1.3, which patched the software exploits used by the original evasi0n jailbreak for iOS 6–6.1.2, and iOS 7.1, which patched the Evasi0n 7 jailbreak for iOS 7–7.0.6 and 7.1 beta 3. Boot ROM exploits (exploits in the device's hardware) cannot be patched by Apple system updates, but can be fixed in hardware revisions such as new chips or entirely new hardware, as occurred with the iPhone 3GS in 2009.[118]


On July 15, 2011, Apple released a new iOS version that closed the exploit used in JailbreakMe 3.0. The German Federal Office for Information Security had reported that JailbreakMe uncovered a "critical weakness" through which information could be stolen, or malware unwittingly downloaded, when iOS users clicked on maliciously crafted PDF files.[119]


On August 13, 2015, Apple updated iOS to 8.4.1, patching the TaiG exploit. The Pangu and TaiG teams both said they were working on exploiting iOS 8.4.1, and Pangu demonstrated this possibility at WWDC 2015.[120]


On September 16, 2015, iOS 9 was announced and made available; it was released with a new "Rootless" security system, dubbed a "heavy blow" to the jailbreaking community.[121]


On October 21, 2015, seven days after the Pangu iOS 9.0–9.0.2 Jailbreak release, Apple pushed the iOS 9.1 update, which contained a patch that rendered it nonfunctional.[122]


On January 23, 2017, Apple released iOS 10.2.1 to patch jailbreak exploits released by Google for the Yalu iOS 10 jailbreak created by Luca Todesco.[123]


On December 10, 2019, Apple used DMCA takedown requests to remove a post from Twitter. The tweet contained an encryption key that could potentially be used to reverse engineer the iPhone's Secure Enclave. Apple later retracted the claim, and the tweet was reinstated.[124]


On June 1, 2020, Apple released the 13.5.1 update, patching the zero-day exploit used by the Unc0ver jailbreak.[125]


On September 20, 2021, Apple released iOS/iPadOS 15, which introduced signed system volume security to iOS/iPadOS, meaning that any changes to the root file system would revert to the latest snapshot on a reboot, and changes to the snapshot would make the device unbootable.[126] As a result, jailbreak development slowed considerably, and for the first time in jailbreaking history, the latest iPhone did not get a jailbreak before a new model was released.


On September 12, 2022, Apple released iOS 16, which introduced a new firmware component known as Cryptex1. New Cryptex1 versions are almost never compatible with old iOS versions, making downgrading impossible except between patch versions (e.g. 16.3 and 16.3.1).

Risks

Security, privacy and stability

The first iPhone worm, iKee, appeared in early November 2009, created by a 21-year-old Australian student in the town of Wollongong. He told Australian media that he created the worm to raise awareness of security issues: jailbreaking allows users to install an SSH service, which those users can leave in the default insecure state.[157] In the same month, F-Secure reported on a new malicious worm compromising bank transactions from jailbroken phones in the Netherlands, similarly affecting devices where the owner had installed SSH without changing the default password.[158][159]


Restoring a device with iTunes removes a jailbreak.[160][161][162] However, doing so generally updates the device to the latest, and possibly non-jailbreakable, version, because of Apple's use of SHSH blobs. Many applications aim to prevent this by restoring the device to the version it is currently running while removing the jailbreak. Examples are Succession, Semi-Restore and Cydia Eraser.


In 2012, Forbes staff analyzed a UCSB study of 1,407 free programs available from Apple and a third-party source. Of the 1,407 free apps investigated, 825 were downloaded from Apple's App Store using the website App Tracker, and 526 from BigBoss (Cydia's default repository). 21% of official apps tested leaked the device ID and 4% leaked location. Unofficial apps leaked 4% and 0.2% respectively. 0.2% of apps from Cydia leaked photos and browsing history, while App Store apps leaked none. Unauthorized apps tended to respect privacy better than official ones.[163] Also, a program available in Cydia called PrivaCy allows users to control the upload of usage statistics to remote servers.[163]


In August 2015, the KeyRaider malware was discovered, affecting only jailbroken iPhones.[164]

Fake/scam jailbreaks

In recent years, due to the technical complexity and frequent scarcity of legitimate jailbreaking software (especially untethered jailbreaks), there has been an increase in websites offering fake iOS jailbreaks. These websites often ask for payment or make heavy use of advertising, but have no actual jailbreak to offer. Others install a fake, lookalike version of the Cydia package manager.[165] In some cases, users have been asked to download free-to-play apps or fill out surveys to complete a (non-existent) jailbreak.
