Apple quietly drops iOS jailbreak detection API

Version 4.2 disables a query to discover compromised OS

By , Network World
December 10, 2010 02:10 PM ET

Network World - Apple has disabled, without explanation, a jailbreak detection API in iOS less than six months after introducing it. Device management vendors say the reasons for the decision are a mystery, but insist they can use alternatives to discover whether an iPhone, iPod touch or iPad has been modified so that its user can load and modify applications outside of Apple's iTunes-based App Store.

Jailbroken devices pose a serious security threat to the enterprise. Even if the end user doesn't intend to load malware, he will be completely unaware of malware present in unauthorized apps.

Apple declined to comment.

The new API was part of a bundle of mobile device management (MDM) APIs released in June with iOS 4.0. These APIs were available to third-party MDM applications, such as AirWatch or Sybase's Afaria. With the new APIs, these servers could directly access a range of features and information in iOS or on the device. But in the recently released 4.2 version, the API intended for detecting jailbreaks has been either removed or disabled.

This detection API let the MDM applications, in effect, ask the operating system whether it had been compromised. Jailbreak exploits typically change a number of operating system files, and exploit one low-level OS feature or another to let users directly load their own or third-party applications. In October 2010, for example, two separate jailbreaks made use of different vulnerabilities uncovered in the iOS boot ROM. Apple warns that jailbreaking voids the device's warranty and could damage the phone.

Previously, some MDM vendors had created their own series of OS checks to discover whether a jailbreak had occurred, analogous to the checks performed by an anti-virus application on a PC.

But the new detection API gave these applications direct access to information in the OS. In theory, the iOS device then "confesses" that it has been jailbroken, thereby triggering automatic responses such as alerting the helpdesk or shutting down access to corporate Exchange Server e-mail.

"We used it when it was available, but as an adjunct," says Joe Owen, vice president of engineering at Sybase, which offers the Afaria device management software. "I'm not sure what motivated their removing that....I've not had anyone [at enterprise customer sites] talk to me about this API being present or being removed."

In practice, Apple's idea of using an API-based query turned out to be much more complicated than it sounds. "It's an interesting concept - asking the OS to tell you if it has been compromised," Owen says. "Because a smart attacker might first change that very part of the OS. Jailbreaks often get better and better at disguising the fact that anything has been compromised."

When that happens, the API in effect either lies about or is simply unaware of the jailbreak.

"[I]t may be feasible to detect jailbreaks of a specific version or type, but they will still be trapped in the cat and mouse game they play with jailbreakers," says Jeremy Allen, principal consultant with Intrepidus Group, a security consulting firm. "Whatever they add [in the OS] to detect the jailbreak, if it is to be queried from the iOS kernel, it must be accessible and have the ability to be changed. Meaning, if it is going to be a useful detection method it can also be circumvented. It is a fairly intractable problem to solve 100%."
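The two approaches the article contrasts, the vendors' own OS checks and the OS self-report that a tampered OS may falsify, can be modelled in a few lines. The following is an added illustration written for this page, not code from Apple or any MDM vendor; the indicator paths are a commonly cited, assumed list rather than anything the article names, and the fake device roots it scans are constructed in a temporary directory. The point it demonstrates is the policy Owen and Allen describe: the self-report is an adjunct that can only add evidence, and a "clean" self-report never overrides independent indicators.

```python
"""Model of jailbreak detection as an MDM agent might do it: independent
filesystem indicator checks combined with an optional OS self-report.
Added example for this page; not Apple's, Sybase's or any vendor's code."""
import os
import tempfile
from dataclasses import dataclass, field

# Assumed, commonly cited jailbreak artefacts (illustrative list, not from the
# article). Paths are relative to the device root being inspected.
INDICATOR_PATHS = [
    "Applications/Cydia.app",
    "Library/MobileSubstrate/MobileSubstrate.dylib",
    "bin/bash",
    "usr/sbin/sshd",
    "etc/apt",
]


@dataclass
class Verdict:
    compromised: bool
    reasons: list = field(default_factory=list)


def check_indicator_paths(root):
    """Return the indicator paths that exist under `root`."""
    return [p for p in INDICATOR_PATHS if os.path.exists(os.path.join(root, p))]


def check_applications_symlink(root):
    """Some jailbreaks relocate /Applications and leave a symlink behind
    (assumed indicator). True if the directory is a symlink."""
    return os.path.islink(os.path.join(root, "Applications"))


def assess(root, self_report_compromised=None):
    """Combine independent checks with an optional OS self-report.

    The self-report (None = unavailable, as after iOS 4.2) can only add
    evidence. A 'clean' self-report never clears the device, because a
    tampered OS may lie about, or be unaware of, its own compromise."""
    verdict = Verdict(compromised=False)
    hits = check_indicator_paths(root)
    if hits:
        verdict.compromised = True
        verdict.reasons.extend(f"artefact present: {h}" for h in hits)
    if check_applications_symlink(root):
        verdict.compromised = True
        verdict.reasons.append("Applications directory is a symlink")
    if self_report_compromised:
        verdict.compromised = True
        verdict.reasons.append("OS self-report: compromised")
    elif self_report_compromised is False and verdict.compromised:
        verdict.reasons.append("OS self-report disagrees (clean): possible tampering")
    return verdict


def build_demo_root(jailbroken):
    """Construct a throwaway fake device root (constructed sample, not a real
    device). A 'jailbroken' root gets two of the assumed artefacts."""
    root = tempfile.mkdtemp(prefix="ios_root_")
    os.makedirs(os.path.join(root, "Applications"))
    os.makedirs(os.path.join(root, "bin"))
    if jailbroken:
        os.makedirs(os.path.join(root, "Applications", "Cydia.app"))
        open(os.path.join(root, "bin", "bash"), "w").close()
    return root


if __name__ == "__main__":
    for flag in (False, True):
        root = build_demo_root(flag)
        # Simulate an OS that always reports itself clean.
        v = assess(root, self_report_compromised=False)
        print(f"jailbroken={flag}: compromised={v.compromised}; {v.reasons}")
```

Running it shows the clean root passing and the constructed jailbroken root being flagged by the artefact checks even though the simulated self-report says "clean", with the disagreement itself recorded as a reason. Real indicator lists go stale as jailbreaks change, which is the cat-and-mouse game Allen describes; the value of the combined policy is that no single signal, least of all one the OS reports about itself, is trusted on its own.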
