Jailbreaking device paves way for malware

Mobile users root devices to gain better control over their gadgets and have platform choice, but doing so increases security vulnerabilities, note security experts.
Written by Liau Yun Qing, Contributor on

Jailbreaking a device is similar to implanting malevolent code into the device, thereby increasing its vulnerability to malware, warns a security researcher, while another notes that ultimately, such efforts boil down to "personal choice".

In an e-mail interview with ZDNet Asia, Kwee Anping, senior technical consultant at Symantec Singapore, likened jailbreaking a device to exploiting vulnerabilities in an operating platform. "It is how malicious codes are typically installed on a gadget and it increases the risk of the device being infected with malware," Kwee said.

He pointed to the Ikee worm and a hacktool, which exploited third-party Secure Shell (SSH) utilities installed on jailbroken Apple iPhones. "While Ikee simply changed the infected device's wallpaper to a photo of singer Rick Astley, the hacktool could reportedly steal data on the device and connect back to the attacker, giving him control over the phone including the ability to download and install other malware onto it," he said.

He added that attackers are also able to change the root password of the affected device and prevent the owner from accessing the phone.

However, that does not mean non-jailbroken devices are not vulnerable to security risks, he noted.

The growth in smartphone and tablets and their increasing connectivity and capability means there is a corresponding increase in attention, targeting mobile platforms, from both threat developers and security researchers, he said.

Axelle Apvrille, senior mobile antivirus analyst and researcher at Fortinet FortiGuard Labs, added that even the closely-guarded Apple App Store is not immune to malware such as the Adware/LBTM app, which poses as a free application.

Other than viruses, both jailbroken and non-jailbroken phones are vulnerable to security holes in the device's browser, she added in an e-mail.

Jailbreaking to more choice
Despite the security risks, Apvrille said it boils down to "personal choice" in which users decide if jailbreaking their gadgets is worth the trouble. "People who are not at ease with technology won't jailbreak their device, and they are probably better off that way," she said.

"[On the other hand], those who are more familiar with computing devices can feel too limited in Apple's business model and wish to 'escape the jail'," she said. "Sometimes, it's also [about subscribing to] a philosophy, [such as] not being tied to a single vendor or having the possibility to use open source software."

Apvrille said: "In any case, by jailbreaking your device, you may be able to give more power over your device.

"But of course, with greater power comes greater responsibility."

She urged users who are looking to jailbreak their device to go through the manuals carefully. "It is critical to read README [files], release notes and installation notes to install [the jailbreak] properly," she said.

Apvrille cited the case of the iPhone/Eeki.A worm, which infected jailbroken devices of users who did not read an important recommendation to change their root password. Users who jailbroke their device but changed the password were not susceptible to the worm, she said.

Symantec's Kwee, though, is adamant that users should not modify their device.

"Consumers jailbreak their mobile devices believing that it expands the functional or customization capabilities. What they are unaware of, however, is that the process of jailbreaking a device through exploits is not very different from using exploits to install malicious code," he said.

Similar to desktop computers, the exploitation of vulnerabilities can bring more inconveniences than benefits as initially thought, and users of jailbroken devices would leave themselves open to malicious attacks, he cautioned.

Despite the security risks, some mobile users have not refrained from tweaking their devices. In fact, the jailbreak software for Apple's iOS 4.3.1 release was available less than two weeks after the update was launched.

One self-proclaimed "loyal" Apple fan, who jailbroke her iPhone two months ago, said she was not fully aware of the security risks but did hear from friends that such phones were more vulnerable to viruses and system crashes. The 22-year old allied healthcare worker, who declined to be named, said she jailbroke her phone mainly to access free apps and "themes" which are only available on jailbroken devices. Themes provide more icons, skins and wallpapers for the iPhone.

She said she decided to jailbreak her phone only after the warranty ended.

"With the warranty, if my phone crashes I can still get it replaced. But after the warranty expires, it doesn't matter," she said.

Manufacturers warn against jailbreaks
Hardware makers and software developers have made efforts to combat jailbreaks by limiting the warranty of jailbroken products or pursuing the legal route to stop jailbreakers.

"Users should be advised that the loading of unapproved software on a Motorola device can void the warranty," said a Motorola Mobility spokesperson in an e-mail interview.

"Motorola's primary focus is the security of our end-users and protection of their data, while also meeting carrier, partner and legal requirements," he said. "A majority of Motorola's Android-based consumer devices in the market today have a secured bootloader in order to meet these security needs."

Microsoft also implemented similar initiatives for its mobile OS. "Microsoft does not support Windows Phones that have been altered from manufacturer- and carrier-specifications, and we caution that such alterations can dramatically impact reliability, performance, compatibility and security," said a company spokesperson in an e-mail.

Asked what the company is doing to prevent jailbreaking, he pointed to a whitepaper on anti-piracy in the Windows Phone Marketplace.

"Developers fuel Microsoft platforms, and we understand the importance of intellectual property in these ecosystems. We have a long history of developing protection strategies for our software and services and those of third-party developers, Windows Phone 7 and Windows Phone Marketplace are no exceptions," he said.

When contacted, Korean consumer electronics giant Samsung declined to reveal specifics on how it is preventing users from jailbreaking its Android handsets. Winston Goh, the company's product marketing manager of telecommunications, told ZDNet Asia in an e-mail that such information is "highly confidential" and cannot be revealed to the public.

Goh did stress, though, that consumers who root their Android devices will have their warranty "rendered null and void".

"If we allow users to root our devices and, subsequently, those users [make tweaks to] their Samsung Android device that cause it to fail, then brings it back to our customer service centers for repair--it would be very difficult for us to diagnose and pinpoint the exact issue since we may not have any evidence of what the user actually did," said Goh.

"This could potentially tie up our customer service resources, resulting in less time and resources available for other customers with valid issues.

"While we appreciate the fact that Android devices are inherently very flexible devices, we do need to maintain a certain level of control for the sake of [delivering] more efficient product management and customer service process," he said.

Editorial standards