The latest iOS jailbreak tool, checkra1n, has entered into public beta, creating a new way for users to jailbreak Apple devices running iOS 12.3 through 13.2.2, made with A5 (2011) to A11 (2017) chips.
Jailbreaking allows hackers to change or open up developers’ apps for analysis in a few different ways. First, they can circumvent the encryption applied by Apple. Essentially, the jailbreak allows the hacker to dump the decrypted code from memory, which could expose sensitive IP and data. Second, the behavior of an app running on a jailbroken device can be modified or tweaked. For example, a hacker could circumvent an app’s license checks or built-in security checks.
Because of some of the misconceptions around iOS app security, developers need to take extra precautions to protect their iOS apps, including jailbreak detection and code obfuscation. We’ll outline more details about the latest exploit, as well as provide tips to protect your applications (and the sensitive data within) from vulnerabilities.
Based on the permanent, unpatchable BootROM exploit Checkm8, checkra1n jailbreaks A5 through A11 iOS devices, unless the device is rebooted. According to Threatpost, the jailbreak can also gain permanence by exploiting flaws in these chips’ BootROM (or read-only memory used at the device’s startup), making it unpatchable via security update. The makers of checkra1n warn that the jailbreak shouldn’t be used on primary devices, but it is ultimately up to the user’s discretion on where to install it.
Unlike other jailbreak tools, checkra1n promises to work on a wide variety of hardware, with models including iPhone 5s through iPhone X. Since the code is burned into the hardware itself, checkra1n will work with every new version of iOS installed over the lifetime of the vulnerable phone.
As mentioned above, the primary concerns about checkra1n for app developers are unauthorized data exposure or modification by hackers conducted via jailbroken phones. Since checkra1n makes it much easier to deploy the earlier Checkm8 exploit across security updates, it’s likely that there may be more jailbroken phones in operation for longer periods of time. This gives hackers more opportunities to expose sensitive code via decryption, or modify the behavior of apps to further compromise a user or system.
In the case of circumventing Apple’s encryption, the jailbreak is applied willingly by a hacker. On the other hand, in the case of app modification, either a hacker or a user could be willingly making changes to your published apps -- for malicious purposes, curiosity, or even convenience. The best defenses include a combination of code obfuscation, which prevents hackers from discovering sensitive information if an app is decrypted, and jailbreak detection, which can discover app modification issues in real time.
Between checkra1n, Checkm8, and other recent iOS exploit chains discovered by Google security researchers, app developers need to know that they cannot rely on iOS security defaults alone. The sense of urgency should now be higher than ever. Security-sensitive applications (especially those that store users’ personal data) should run from a position of Zero Trust (meaning never trust, always verify).
All iOS app developers should employ these three security measures as a baseline in order to ensure their apps are protected and that jailbreaking attempts can be detected:
Environment integrity checks, which ensures that basic assumptions about the execution environment of the application hold true. Often public and private jailbreaks will break some of the typical security restrictions, which can be detected.
Application and code integrity checks, which can detect runtime modifications to the application’s functionality or the system libraries it uses.
Obfuscation, which makes targeted attacks against apps more difficult -- especially with polymorphic protection, which generates a different code after every single release.
Mobile application security solutions that are purpose-built for iOS, like Guardsquare’s iXGuard, provide comprehensive app protection against the latest vulnerabilities and exploits. iXGuard defends app publishers against malware-infected jailbroken devices, as well as prevents cloning and tampering that can be done to create fake apps.