Eleven days after the original iPhone shipped, hackers found a way to jailbreak it. Now that consumer devices are on corporate networks, admins have to worry about the risks associated with a rooted or jailbroken device.
Jailbreaking involves running a privilege escalation attack on your own device, exploiting a vulnerability to gain root access. Jailbreak tools for the iPhone use these root privileges to replace Apple’s factory-installed iOS with a custom kernel that imposes fewer restrictions and allows side-loading -- the installation of programs not reviewed by or distributed through Apple’s App Store. Unlike the iPhone, Android devices allow users to install apps from sources other than Google Play, but rooting these phones can lift other restrictions that carriers and manufacturers impose.
There are many other reasons that users jailbreak or root their own devices. Some want to bypass digital rights management restrictions that stop users from sharing copyrighted media. Others want direct access to the file system, user interfaces or network capabilities that are otherwise hidden or locked down. And some developers want root access to learn more about how the operating system works, or to scour the device and applications for exploitable vulnerabilities.
A rooted or jailbroken device is more susceptible to malware infection, and it’s easier for a jailbroken device’s operating system to be compromised. Some device manufacturers will nullify their warranty if a user jailbreaks his phone. Carriers can also stop providing services to users who have jalbroken their devices.
Rooting out the risks
Non-app store apps are not necessarily risky. In fact, many are well-intentioned programs that provide useful capabilities not normally accessible through Apple application program interfaces (APIs). It’s the absence of formal software review or rigorous code signing that opens the door for malware. Any iOS malware encountered in the wild to date has compromised only jailbroken iPhones and iPads. And although Google imposes less intense review or signature verification, unregulated third-party Android marketplaces have distributed the vast majority of Android malware.
Unfortunately, mobile malware is not the only risk that a jailbroken device faces. Unreviewed applications with privileged access drain battery life and destabilize the operating environment. A rooted or jailbroken device becomes vulnerable to side-loaded apps that performed a set of tasks upon installation, but when the user updates the app, it incorporates additional or unwanted functionality that exploits root access. Many jailbroken iOS devices also install a secure shell server that remote attackers can exploit.
Finally, although it is not illegal to jailbreak or root your own device, doing so may void the manufacturer’s warranty or violate the carrier’s terms of service. For example, carriers have been known to terminate subscribers who root or jailbreak their device to run a free Wi-Fi hotspot or tethering app to share 3G/4G service without added monthly fees.
Guarding the gate
Ultimately, employers can do little to prevent jailbreaking or rooting, but there are steps employers can take to deter it, detect when it has happened and contain the resulting business risk:
- Keep mobile devices and apps up to date. Privilege escalation attacks exploit vulnerabilities to gain root access, and both Apple and Google make strong efforts to close known vulnerabilities with OS updates and fixes. It can take longer for Android updates to make their way through manufacturer and carrier testing, but more delays tend to happen simply because users don’t seek out and apply available OS updates. Encourage users to enable auto-update options on devices that support them.
- Where practical, configure Android devices to disallow side loading (see Settings / Unknown sources). Coach users to install apps only from trusted sources such as Apple’s App Store, Google Play and Amazon’s Appstore. Educate users about the personal and business risks associated with a rooted or jailbroken device.
- Proactively assess the integrity of mobile devices used for business during device enrollment and periodically thereafter. One way to accomplish this is to install a mobile device management (MDM) agent that can detect a rooted or jailbroken device. Unfortunately, there aren’t any OS APIs to detect this, and IT can’t rely on a jailbroken device to know that it’s been hacked. MDM vendors have created proprietary tests to assess integrity with some success. Another option is to query installed apps and compare them to blacklists to detect when side-loaded apps are present.
- Take automated action to mitigate the threats compromised devices pose. For example, remove MDM-installed configuration profiles that enable corporate Wi-Fi, virtual private network or email access, or disable applications that users need and want. Use push notifications to inform users when a jailbroken device or root access is detected, and provide instructions to remedy their device. If all else fails, unenroll compromised devices or use tools to remotely wipe them.
These are just a few of the steps you can take to deal with jailbroken or rooted mobile devices. While users may still accept these risks on personal devices, employers can and should take steps to detect and contain this risky activity on devices used for business.