iOS4 Jailbreak Method Brings Security Concerns

[MacRumors]

There is renewed concern today over iOS security after a website-based jailbreaking tool was released for iOS 4 for iPhone and iPod touch and iOS 3.2 for iPad.

While the jailbreak appears to be a relatively benevolent attack against a security hole in iOS, concern remains that there is a yet-unpatched and largely unidentified security vulnerability in iOS that hackers could use in a similar way to remotely plant malware on an unsuspecting victim's device.

Multiple reports suggest that the jailbreak method attacks a flaw in the iOS PDF viewer in order to gain access to the device, however the principle developer of the project "comex" writes via his Twitter account that he is wondering "how long until someone figures out the actual bug I'm exploiting."

A similar jailbreak method was devised for iPhone OS 1.1.1, where developers even fixed the targeted bug after the jailbreak was complete.

Article Link: iOS4 Jailbreak Method Brings Security Concerns

 

[Small White Car]

Exactly. I said this in the other thread, too. I don't have a problem with jailbreaking, but the fact that this particular method of doing it is possible worries me somewhat.

 

[iDisk]

What do you expect to happen when you break Apple rules. The only reason I would see to jailbreak in the USA (since I live here) is to do FACETIME chats over 3G and to tether. I could care less about both. Jailbreaking has no other real killer feature, Apple has eliminated the need for inane people to jailbreak, which is a childish and pointless act atm

 

[thederby]

What do you expect to happen when you break Apple rules

huh?

 

[nwcs]

In this case it doesn't matter whether they are breaking Apple's rules or not. A web site could create a lot of problems by fooling people into downloading crafted PDFs. Apple should fix the holes ASAP.

 

[Consultant]

Exactly. I said this in the other thread, too. I don't have a problem with jailbreaking, but the fact that this particular method of doing it is possible worries me somewhat.

The difference is the under 10 people in the world who know how to do it, they are all known, and all working to help jailbreak the devices not for nefarious means.

 

[iDisk]

huh?

Apple has a rule about Jailbreaking ..... DONT DO IT!! it's really simple, don't break Apple rules.

 

[Small White Car]

The difference is the under 10 people in the world who know how to do it, they are all known, and all working to help jailbreak the devices not for nefarious means.

I'm just not so sure I understand what's stopping person #11 from learning how to do it and using it to bust into my phone.

it's really simple, don't break Apple rules.

So owning an iPhone is "breaking Apple rules" now?

What?

 

[likemyorbs]

What do you expect to happen when you break Apple rules.

What?? what are you even saying? did you read the article? it's saying the exploit used to create this jailbreak can be used to create malware on NON-JAILBROKEN phones. has nothing to do with apple's rules.

 

[iDisk]

In this case it doesn't matter whether they are breaking Apple's rules or not. A web site could create a lot of problems by fooling people into downloading crafted PDFs. Apple should fix the holes ASAP.

People who have jail broken devices do so by there own actions, this isn't Apples fault, the user shouldn't jailbreak there device, period.

 

[Consultant]

I'm just not so sure I understand what's stopping person #11 from learning how to do it and using it to bust into my phone.

People said the same thing when the first web-based iPhone jailbreak came out.

Apple will also patch this with the next software update.

 

[iRobertM]

Who's code to trust here, Apples or hackers.... Choice is clear, Apple!

 

[iDisk]

I'm just not so sure I understand what's stopping person #11 from learning how to do it and using it to bust into my phone.



So owning an iPhone is "breaking Apple rules" now?

What?

What?? what are you even saying? did you read the article? it's saying the exploit used to create this jailbreak can be used to create malware on NON-JAILBROKEN phones. has nothing to do with apple's rules.

whoops, please have mercy on me for not understanding the article , sorry I somehow missed this .....

 

[iVoid]

Well, if Apple wants these exploits to remain hidden, they should allow non Apple Store apps to be installed on the iPhone.

In the end, these exploits are found and reported every day (which is a good thing). I'm sure apple will figure out what the exploit is and patch it in 4.1.

Then jailbreakers will just find an new hole.

Apple's just asking for the jailbreakers to find holes as long as they try to keep their little walled kingdom free of freedom.

 

[severe]

What do you expect to happen when you break Apple rules. The only reason I would see to jailbreak in the USA (since I live here) is to do FACETIME chats over 3G and to tether. I could care less about both. Jailbreaking has no other real killer feature, Apple has eliminated the need for inane people to jailbreak, which is a childish and pointless act atm

This post is full of contradiction, my friend. But I'll bite.

So how is Jailbreaking "a childish and pointless act"?

Apple has a rule about Jailbreaking ..... DONT DO IT!! it's really simple, don't break Apple rules.

With my phone?

 

[jamesryanbell]

Just use the product as Apple intended it.

No one's impressed.

lol

 

[kas23]

Just use the product as Apple intended it.

No one's impressed.

lol

Looks like you need to RTFA too. The current Safari App is how Apple intended it. Only problem is that it has security hole any non-JBing person can accidently fall into.

 

[longofest]

Apple has a rule about Jailbreaking ..... DONT DO IT!! it's really simple, don't break Apple rules.

I think you need to re-read the article to see what the point of the thread is.

The point is: there is an open vulnerability on every iOS device that a hacker could use to do whatever they want with your device. You don't have to jailbreak your device in order for this vulnerability to happen, it's just that the jailbreak method happens to use the pre-existing vulnerability to achieve its goals.

 

[psac]

Regardless of the jailbreak, it's good this guy found the hole and has now made it public (in a non-malicious manner) so Apple can fix it. They should give this guy a reward.

 

[jav6454]

There is always a security concern when jailbreakers use an specific exploit. That is how this is played.

 

[petermcphee]

ITT: iDisk getting taught to read.

 

[longofest]

Regardless of the jailbreak, it's good this guy found the hole and has now made it public (in a non-malicious manner) so Apple can fix it. They should give this guy a reward.

he hasn't exactly made it public.

 

[rmatthewware]

What?? what are you even saying? did you read the article? it's saying the exploit used to create this jailbreak can be used to create malware on NON-JAILBROKEN phones. has nothing to do with apple's rules.

Okay, it's legal to jailbrake, sure. But it seems the US is the only place where people expect to be able to break the rules and still be protected by the manufacturer. I want to jailbreak the phone and still have Apple take care of me. I'm talking about jailbreaking in general here, not this specific incident. It's not about being controlled, it's about demanding imaginary freedoms.

This is like buying a car, taking out the engine, tires, brakes, transmission; replacing those with after market parts; then getting mad at the car manufacturer when things go wrong.

You jailbrake your phone, you're taking your chances. And yeah, just as the car manufacturer shouldn't honor their warranty, Apple shouldn't honor theirs if you do this.

 

[longofest]

There is always a security concern when jailbreakers use an specific exploit. That is how this is played.

True, but exploits from the web, where you can just surf to a page and get hit by it ("zero-day" exploits) are a bit more serious.

 

[Aleco]

The download interface for iOS 4 on the PDF means it has to do something with iBooks, and PDF download exploit?


Edit:
I'm wrong, I looked at the PDF for the iPhone 4 (3,1) 4.0.1 file, looking at the PDF file with TextEdit shows that its a PDF exploit and not through iOS.