Security & Privacy

Don’t Jailbreak Your iPhone if You Want to Stop Government Spyware

Posted on August 13th, 2014 by

Don't jailbreak your iPhone if you want to stop government spyware

Normally, you can't run whatever software you like on your iPhone.

As a corporation, Apple has something of a "controlling personality" and has locked down your iPhone and iPad to prevent you from making a wide number of changes or tweaks.

The most obvious limitation is that on a regular iPhone you can only install programs approved by Apple, and distributed via Apple's App Store - unlike, say, the situation on your Windows PC or Apple Mac computer.

On a jailbroken iPhone, however, you can shop for apps anywhere on the net, not just the official App Store.

So, should you jailbreak your iPhone? Well, from the security point of view, I'd recommend that if you're thinking of jailbreaking you should proceed with caution, as two recent news stories demonstrate:

Firstly, surveillance companies love jailbroken iPhones.

Last week, news emerged that a company called Gamma International, which develops commercial network intrusion malware for the purposes of surveillance and sells it to governments around the world, had been hacked.

Gamma International has something of a notorious reputation over concerns that its software may have ended up in the hands of oppressive regimes, and that the company had no qualms about disguising its FinFisher spyware as bogus versions of the Firefox web browser.

According to Gamma International sales documents leaked by the hackers, FinFisher (also known as FinSpy) has no difficulties running on Androids and Blackberrys, but if it is up against a regular, non-jailbroken iPhone - it's powerless.

Jailbreak required for iOS devices

iOS: Untethered jailbreak required

So, if a government agent wants to listen in to the Skype calls you make, or track your location, or read files and steal phone numbers from your iPhone, they'll have their fingers crossed that you have jailbroken it - otherwise they're going to have to find a different way of spying on you and your activity than using FinFisher.

FinFisher requires jailbroken iPhones

The reason is that jailbreaking rips out much of the security that Apple built into iOS in the first place, to protect users from nastiness and misbehaving apps. Whereas with other popular smartphone operating systems, FinFisher can be installed and activated relatively easily - it's a lot harder with the iPhone.

Secondly, Chinese malware gangs make money out of jailbroken iPhones.

This week brings another warning for those considering jailbreaking their iDevices.

As Virus Bulletin reports, security researcher Axelle Apvrille has uncovered that some 75,000 jailbroken iPhones have been infected by malware known as iOS/AdThief.

The malicious code, written by a Chinese hacker calling themselves Rover12421, hijacks revenue from 15 different adkits, meaning that cash ends up in the pockets of criminals rather than the makers of the ad-funded apps themselves.

AdThief on iOS

"With 75,000 infected devices, iOS/AdThief is not extremely prevalent," wrote Apvrille. "However, there are an estimated 22 million hijacked ads, so the malware has probably had a fair amount of impact and generated significant revenue for the owner(s)."

Apvrille is right not to send owners of jailbroken iPhones running to the hills in panic. The threat should be put in proportion. Although there are clearly more risks associated with having a jailbroken iPhone compared to an un-meddled iDevice, there is still remarkably little malware written for the iOS operating system - particularly when compared to the huge problem that exists on Android.

Should you jailbreak your iPhone?

Personally, I think the typical smartphone user is safer with an iPhone than an Android, but an iPhone that isn't jailbroken is safest of all from the malware point of view.

Yes, you might be able to do some cool things which Apple doesn't want you to do with a jailbroken iPhone - but is it really worth the risk?

About Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Follow him on Twitter at @gcluley. View all posts by Graham Cluley →
  • Ben Bristow

    Yes it definitely is worth the risk. If you own a device it should be yours and not under the complete control of the company that designed/created it.

    • Coyote

      Not to be cynical or anything (okay I admit, I am very cynical) but in recent times I’ve seen rather pathetic spam from iPhones … sure, this happens with other devices, too, but you’re falling for a rather bad fallacy: if you think jailbreaking gives you complete control or even close to it, you’re too trusting. That itself is one of if not the biggest problems, in security. Granted, having control and knowing how to use it, is useful but removing security restrictions is naive. This is similar to *nix users doing everything as root, “Just in case”. It is a terrible mistake. It removes all privilege separation that is there for a reason. It exposes the system to mistakes as well (user mistakes, not just exploits you are hit by). I can go on about this for ages but the point is the same (which I already made clear, or it should be clear).

      • pyrodice

        I save a bunch of money every month by using a jailbroken hotspot enabler for my phone that cost me $20 to buy, instead of another $20 each month as a phone feature. That alone is worth a lot to me. That, and 5-column icons, custom ring and alarm tones without having to buy anything, a GPS spoofer to check in wherever I want, and a number of lesser features for eliminating nuisance features.

        • Coyote

          And that’s fine. I’m not about to tell you what to do with your phones let alone anything else in your life. Observe also I hate Apple more than I hate Microsoft but the thing is, this rule applies to everything in security. I was specifically after trusting which is a dangerous thing indeed. I could point you to references but I think it is a moot point for you and most people even. Aside that, I was not at all telling people they should or shouldn’t be jail-breaking their phone. I honestly don’t care what they do as long as it doesn’t affect me. And since other devices and software have the same problem (like everything in life) I don’t see the example I gave above as related but merely an aside (which is: no matter what there is no such thing as 100% safe). And as for jail-breaking, it still is true whether you like it or not – trust is given far too easily. Do I need to bring up SE (that’s social engineering), phishing, other scams, supposed free (insert something great) when in fact it is to manipulate you?

          • pyrodice

            Social engineering affects users of everything. In terms of comparisons, it’s a null point, unless you can show a difference in the savvy of the users.

          • Coyote

            You clearly missed the point. I don’t even know what you’re on about even. I mean I never told you what to do (whether or not to jail break or not) nor did I tell you anything specific at all aside from this: trust is given too easy (actually I was responding to someone else, not you, at least originally).

            Here, let me give you an example. I won’t elaborate on it though because you responded to me on something completely unrelated to what I wrote (or my point) and secondly, you don’t understand at all the idea of trust, not at least with what I’m pointing out. Of course social engineering affects others (so does it cause malware and malware affects others!). The point isn’t that, the point is how trust is given too easily. Do you want to know where trust fits in to social engineering? Anyone with even a little bit of experience in security would understand the correlation. Anyway, the example:

            rsh, hosts.equiv, .rhosts

            A notorious example at that.

          • pyrodice

            I didn’t miss the point. Social engineering doesn’t affect operating systems, it affects human beings. As we’re comparing operating systems, it’s a moot point, UNLESS you can show a correlation between the people using Android OS’s versus IOS users… And that there is some material difference in their likelihood to fall for cons. I have a network and communications degree, believe me, I’m HIGHLY versed in security and security holes. There was an entire course-track dedicated to it.
            Now that you’ve brought up malware, it’s worth pointing out that having a closed-market for approved software (apps) drastically lowers the likelihood of this.

          • Coyote

            I honestly don’t think you know what my point was. Mind telling me what my point is? You didn’t once mention it in your response, let me put it that way. Even if you know my main point there is so much more to it than you seem to be attempting to refute.

            And no, what drastically lowers the risk of malware is using a system that has less users. (As an aside: I spent years in the pro-virus community so I know very well the different types of people involved, although these days it is all about profit and far less talent, but it has always been that the targets are those that are actually worth hitting). Of course, if you’re talking phones and their apps specifically (and nothing else) then that is different (but only in a sense) but the point is: they target the environments that are going to affect the most. I should actually elaborate a bit: it doesn’t lower the risk at all, as far as what is possible. Closed source, open source, doesn’t really matter as far as what is possible. Safe(r) use is what matters (but there is never 100%, never).

            Lastly, as for security: a degree means nothing. You cannot truly be taught security and that is a fact. You can be taught certain concepts but aside from that you aren’t taught security in a school, even though they attempt it. Examples are over the place. Security isn’t about knowing holes, knowing this or that, it is so much more complicated. That’s not even considering the fact that security isn’t just computer use/phone use. I’ll give an example: a keylogger that attaches to keyboards. There’s many more examples, though (and those are not even what I was getting at).

          • pyrodice

            “I honestly don’t think you know what my point was. Mind telling me what my point is? You didn’t once mention it in your response, let me put it that way. Even if you know my main point there is so much more to it than you seem to be attempting to refute.”

            Let’s review. Copied from your earlier response:

            “…And as for jail-breaking, it still is true whether you like it or not – trust is given far too easily. Do I need to bring up SE (that’s social engineering), phishing, other scams, supposed free (insert something great) when in fact it is to manipulate you?”

            You’re discussing shortfalls of an iPhone. You bring up social engineering, a completely platform-neutral hacking technique resigned to hack ‘the user’ into giving up security secrets. It has nothing to do with the iPhone anymore, and is just as likely to affect the users of ANY phone, *unless*, and here’s my question, you have some evidence that one style of user is more canny, and less likely to give up their information without identifying their counterpart?

            “Lastly, as for security: a degree means nothing.”

            Spoken either as someone defensive about not having a degree, or being humble about having several. In any case, people learn in different ways, and a degree meant quite a bit, to me. I’m a second generation computer and networking geek. Dad was one of the MIT kids who inspired the joke about picking up the phone and making modem noise into it, to connect to AOL: They used to turn on the audio-coupler for the remote printer, and whistle the ASCII code for the K character at it, to see who could make it beep the most times in a minute, at 120 baud. (He also invented the ‘cookie monster’ virus, actually a misnomer, as it was named after a cookie bear, of some since-defunct breakfast cereal.)

          • Coyote

            I responded but don’t see it yet. But I wanted to respond to one other bit. Experience/etc. of users you say? You do realise, of course, that many experienced users have fallen prey to social engineering. Example is a person on the Apache team who fell prey to an XSS attack which led to a security breach (and they did a good job of detailing it, explaining where they went wrong, what they did right and what they learned). And guess what? It can happen to anyone. So no, my point isn’t ‘null’ as you put it. Even then though, my point wasn’t social engineering itself; social engineering is only one example of many others that abuse a critical human flaw. That’s what it comes down to. But see my example (when it shows up) if you truly do not get this. Aside that, I still wonder what you’re trying to get across, given that you’ve yet to respond to a point I was making. First response you referred to jail-breaking yet my original message was about trust in general (and I gave a broad example of it, not a true/false; I even pointed out the very fact that knowing how to use X is important but just because you know how to use X does not mean it is wise to ONLY use X). My second was also about trust yet you attached to one part of it rather than the whole point.
            It all comes down to this:

            The reason it is given too easily is because it isn’t understood or recognised and you’re showing exactly that (and I don’t mean that to be offensive but it is true). And it is a risk.

          • pyrodice

            “The reason it is given too easily is because it isn’t understood or recognised and you’re showing exactly that” Oh, hardly. I know just what I’m exposing myself to by having jailbroken my phone, and I typically do a bit of research on the coding source and the app repository in Cydia, but mostly I just keep close track of what things are allowed and are using the ability to ship info.

          • Coyote

            Once again you’re mixing things up or simply missing them entirely. Phones were not even in my mind when I wrote that (hence not once using the word phone and the only time I used jail break is because you used it and I was telling you I was beyond that point). As a matter of fact, with the exception of the original post I made, I wasn’t really getting at phones (and even then it was only partially). I believe, mostly, when referring to phones, I was reminding you I was not telling you what to do with your phone (which it seems – and maybe I am remembering wrong, interpreting wrong, imagining it wrong, maybe I’m just in another world – that your original response was because I somehow was suggesting no one should jail-break their phone. I actually don’t care if they do or don’t – it isn’t my business! Even when I responded about phones I was actually responding to something very specific and jail breaking by itself was not it).

            As for my point, let me give you another hint: while it is simple in one way it isn’t simple in other ways, and by simple I mean singular. Either way, you most certainly didn’t refer to my point when you were somehow suggesting you got the point.

  • Starman_Andromeda

    Ben, get your point, but the iPhone or iPad is hardly under “the complete control” of Apple. That’s just silly hyperbole!

  • fustian24

    While I have zero interest in jailbreaking any of my iDevices, I AM paranoid and cannot help wondering if this is just disinformation.

    One can imagine that an NSA that has a perfectly nice system going with Apple might not want people to jailbreak their phones and mess it up. What better way to keep them in the fold than to scare them in this way?

    • Coyote

      Well, what Graham wrote in recent news is true. As for what you suggest, it reminds me of the age old thing called FUD i.e., ‘fear, uncertainty and doubt’ (originally it wasn’t security but some security corporations abused it and it led to their demise.. I’m sure some used it and they did fine, though). And yes it has implications in security. But if you buy in to fear you’ve already lost the battle. See below on trust though. I can offer not only insight (regarding trust) from the security perspective but also another kind of issue with trust (or lack thereof).

      That’s not paranoia. Trust me when I write: be glad you don’t have that issue. No, make no mistake: you should be cautious and always on the lookout and not trusting, when it comes to security (and other things too). People that trust too many things too easily are at higher risk (this includes much more than scams… so much more than that… trust has far more implications than that). But that’s not paranoia. You’re being smart. Real paranoia is another issue entirely and yes I know this from personal experience. But trust is one of the biggest problems with security. There’s a big difference.

  • pyrodice

    Having done a fair share of ‘hacking around’… Looking to see what things did when you poked and prodded at them, and also having the benefit of a regimented educational experience, I recommend both, but if you have to choose, pick an education which not only allows you to get your hands into the gear, but also allows you to defer and/or refer to the experiences of those who made all the experiences before you. My degree is through DeVry, which, in its evening classes, was a class heavy with ex-military and technical types trying to bolster their resumes, and move up in the world. We were able to share so much prior experience, speaking to each other was at least as valuable as the class agenda.

    “As for you copying my message, it still didn’t have my point in it.”

    This part is feeling like a lost cause. I have a hard time believing that people write down stuff that’s pointless, and I felt like you were heading somewhere with it. I don’t know why you would reference social engineering, which IS an issue, and distance yourself from it later, or however one should say that. I really thought we were going to get to something like finding out that guys who use android are like guys who use linux… Those being the ones who know enough about the core of a machine and the deeper workings of one not to have many security concerns… Or some point like that.

    • Coyote

      “Having done a fair share of ‘hacking around’…” is, depending on definition, a large understatement for me. And as for school, well fine, some people learn things when taught. I learn – and always have – best on my own. It isn’t to suggest no one can teach me something (although it is fairly true in schools exactly because they focus on exams and also at the same time I learn better on my own or at least a small group). And as I think I suggested, I was way ahead of the classes.

      And the lost cause. Well yes, it was a lost cause after my first response which you responded to. As for social engineering and my reference. It is more like it is one of many in a category. It doesn’t matter what they use, what experience they have, what background … because all it takes is being tired, being distracted or in the case of being all too trusting (hint) it is in your nature. The issue is that trust is given too easily but that is a wide spectrum. Social engineering is one of many. No, absolutely not, using Linux means little these days especially (but even in the past trust is too easily given and I give a unix and unix-derived example (or elaborate on one I referred to earlier), below). Some of them are so easy for neophytes that it hardly is an indication of experience. Many believe Linux is somehow immune to malware and I remind them that one of the most (if not THE) notorious and significant worms attacked several vectors in Unix (particularly: fingerd, d = daemon, sendmail, as two that come to mind but I think there was another one). I have over the years used SunOS then Solaris, three of the free BSDs (and indeed including FreeBSD), various other Unix derivatives as well as many Linux distributions. I’m a command line junkie – it is in my blood. But no one is infallible, no one. And I make a fair share of mistakes. I usually laugh at myself because not doing so is taking life far too seriously (even for a lunatic like me which is to say I know I take things lightly but… I think many would do better if they did take things less seriously). So the issue is trust. That is what I was getting at with rsh/rexec and hosts.equiv … back in the 90s, before ssh took over (I’m ignoring telnet because it isn’t relevant to what I referred to), this was abused a lot, and in particular that some administrators (and users – indeed, it was system wide and user specific) would actually be brave enough to allow anyone to log in to the account (whichever it is) with no password from any host as long as what? The login was the same (login name, in other words). Some argued that it doesn’t matter because they won’t have a user. But they miss something: the attacker either has their own system to create that user OR they already compromised another system where they could do that same task. Now they’re much closer to compromising another system. In short: one of many examples of trust-relationship exploitations. As for how this involved phones? I don’t remember exactly what I was getting at and it isn’t really relevant (I wasn’t trying to suggest that jailbreaking is bad or good, even.. I was neutral there). And why didn’t I get to trust before? Simple: It seemed to me – but again I am somewhat of a lunatic … – that you could not understand that I wasn’t telling you to not jail-break or not (let alone that I suggested it isn’t my business)… and the following happened:
      – I tend to be vague, ambiguous and cryptic. Some times it is not intentional (and just the way my mind works) but sometimes it IS.
      – I was enjoying (and yes it was and is childish but that is me sometimes, especially with this type of thing) your attempts at trying to prove that you understood my point (and it is a vague/broad thing without me being vague, which allowed it to really work)… yes, quite arrogant but at least I admit it, right? I just enjoyed it even if I didn’t mean harm. It was like a drug.. the more you tried to understand it (as a whole and in other words move away from social engineering), the more amused I got.

      There you have it.

      • pyrodice

        It’s a pain trying to follow your multithreading, but I pretty much get what you’re saying. As for the ‘understatement’ of hacking around, I was nearly expelled from high school when one mis-typed command led to the revelation that I was in possession of the legitimate ‘keys to the kingdom’: The sysop’s username and password for not just the school computer, but the TOWN computer. (Forget the grade-tampering, could have given myself a raise, while working at the library!) So that was my initiation into the “learn early: don’t get caught” club, which is why I’m still particularly unlikely to give out my info even to LEGITIMATE sources. (“Tell you what, let me find that info, and I’ll call you back at your company’s official phone number, ok?” *click*)

        • Coyote

          I thought I made two posts but one in response to different messages of yours. I might be wrong though – I wouldn’t trust my memory (in regards to the multiple threads.. either way, it wasn’t intentional).

          Yes, I too am very very careful with what I do/don’t do. But more because in the early 90s I had friends that were raided, combined with some other things that made me be very careful. It isn’t to suggest I never did anything, school or… but even then, there was always ethics (and I have and to this day still do have ethics). As for school libraries, well, I was banned from touching computers even though I hadn’t done anything (they knew I could have though).. yet (okay I didn’t plan it but I could see why they feared it… and they knew I could have wreaked havoc if I wanted to). Ironically I helped fix computers for a teacher (but I didn’t actually do any wrong there, although the two others that worked with me… and I had a lot of fun with things that didn’t necessarily involve fixing computers).

          And yes, you’re correct: social engineering IS indeed an issue. I was after the broad-spectrum, though. Good example in trust: people are so used to utility workers needing access (to something) that it has been abused by others to get into premises. Then consider keyboard key-loggers (just attach the little device and come back later). Another one that the telcos have learned from the 80s, if not before: shredding everything. Dumpster diving anyone?

          But no, it doesn’t really matter what operating systems you use, it doesn’t really matter what hardware, how many years experience you have.. you’re going to make mistakes and those include security, too. One tiny distraction or being extra tired (and you don’t really know if the latter is true, all the time) is all it takes. Example of my own:
          I was just updating one of my websites and noticed that I suggested one thing but in an example I did the other. Ironically it was about risks of something (won’t elaborate except that I was trying to explain one thing and while I did show how it is a problem, in one of the examples I went ahead and made the same mistake). And yes, one of the risks is close enough to security. So there you have it.

          Lastly, I apologise for the confusion (with the multiple threads) and I also apologise for my behaviour.


  • Coleton O’Donnell

    Jailbreaking is still the best thing ever

  • News

    Long live freedom, the nsa started it. Once we all have a semiconductor laboritory and our own CPU the process the nsa started will be complete, total knowledge transfer. When Apple forgets this, then say goodbye to apples market share. Last I heard windows 10 is free, who wants it?