By exploiting a vulnerability in either the hardware or the software of a mobile device, a user can gain more rights within the system, all the way up to superuser privileges. On some Android devices the manufacturer lets users obtain superuser privileges without exploiting a vulnerability at all. Either way, the user can then remove the software restrictions put in place by Apple or Google, which puts the apps installed on that device at risk. This post covers the common reasons why users jailbreak or root a device, the differences between jailbreaking and rooting, and the risks this creates for app developers.
There are many motivations for rooting or jailbreaking a device. Some of the most common involve gaining access to features of the device or its software that the manufacturer otherwise restricts. Other examples include blocking ads or tracking software, freeing up storage by uninstalling vendor "bloatware", and installing software from outside Apple's official iOS App Store.
Rooted and jailbroken devices have proven useful to reverse engineers and to malicious users, who may attempt to modify or customize software (for example to build game cheats, intercept data or reverse-engineer applications). With a jailbroken or rooted device it is possible to read parts of the local file system where an app stores sensitive data. Such devices also make it easy to hook apps at runtime without having to repackage and re-sign them; this matters most when the app has built-in defences against re-signing, since those defences are never triggered.
Although often referred to as the same thing, jailbreaking an iOS device differs subtly from rooting an Android device. In both cases the user gains access to the superuser (root) account of the device: a special administrative account to which the normal file-permission and app-sandbox restrictions do not apply.
Gaining access to the superuser on an iOS or Android device is not the final goal of jailbreaking or rooting. It is only the first step towards removing the software restrictions that were put in place: installing apps from unauthorized sources, blocking certain URLs to stop ads and tracking, or modifying and customizing software for game cheats, reverse engineering or data interception. Because Android is built on Linux, root on an Android device gives the user nearly everything they could do as root on any other Linux system, for example a shell with access to parts of the file system that are normally only accessible to a particular app. A jailbroken iOS device offers comparable access, but only because the jailbreak also has to bypass Apple's code-signing enforcement and sandbox, which is where most of the work of a jailbreak goes.
As Apple does not permit jailbreaking, it is necessary to exploit either a hardware or a software vulnerability on the device to gain superuser access. This differs on Android, where the choice is left to the manufacturer: some allow users to obtain root without exploiting a vulnerability (typically by unlocking the bootloader), while others lock the device down, so that root again requires exploiting a vulnerability.
When talking about the risks, it’s important to note that both the users of the device and the app developers face risks due to the jailbroken/rooted device. For the purposes of this article, we’ll focus on risks to the app developer.
Jailbroken/rooted devices are extremely useful to malicious users and reverse engineers, which, as mentioned, is one of the biggest concerns for app developers. A jailbroken/rooted device cannot enforce any software restrictions against its user. Therefore, parts of the device that developers may have considered secure are no longer secure: data stored in the keychain or in the app's sandbox can be read by anyone who holds root on the device.
There are many freely available tools for jailbroken/rooted devices that speed up reverse engineering. For example, SSLKillSwitch can disable SSL pinning in apps, making it possible to perform man-in-the-middle attacks and learn the API the app talks to. Hooking also becomes easier: a reverse engineer can install the Frida server or Xposed on the device once, instead of repackaging every app they wish to hook.
On jailbroken iOS devices, another advantage for reverse engineers is that apps signed with a personal certificate can be installed and used indefinitely. This removes both the cost of a developer account and a practical obstacle to tampering. Installing home-built (or tampered) apps on a non-jailbroken iPhone normally requires an Apple developer account, which costs about $100 per year; with a free Apple ID the app can be signed and installed, but it only runs for seven days before it has to be re-signed. On a jailbroken device, such apps can be installed without a developer account and keep running with no time limit.
Another important risk on both Android and iOS is malware. A jailbroken iOS device can be infected either by a sideloaded malicious app or over SSH. In 2009, a worm spread between jailbroken iOS devices that had SSH enabled with the default root password ("alpine"), and it was used to compromise banking transactions made from the infected devices. Not only can malware find its way onto a jailbroken or rooted device more easily, it can also execute commands with root privileges, giving it control over other applications' data, including sensitive data such as account credentials.
For these reasons, it is important for app developers to prevent their app from running in a compromised environment. Widely copied DIY implementations of jailbreak/root checks exist (probing for su binaries, the Cydia app, writable system partitions and the like), but they are easy to defeat: the checks sit in one obvious place in the binary and can be patched out or hooked at runtime. DexGuard and iXGuard can prevent your apps from being executed in a compromised environment and, in addition, harden them against tampering, hooking and other reverse-engineering techniques.
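To make concrete how little a DIY check buys once the attacker has root, here is an added example (not code from this post, from Guardsquare or from the Frida project) of a Frida script that defeats both of the defences discussed above at runtime: the file-probing root check and OkHttp certificate pinning. It assumes a hypothetical target app whose root check calls java.io.File.exists() on the usual su/Magisk paths and reads android.os.Build.TAGS, and that bundles OkHttp 3.x; the package name com.example.app and the path list are constructed for the example.

```javascript
// Added example: a Frida script that defeats two in-app defences at runtime
// on a rooted Android device. Assumptions (not from the original post): the
// target app (a) implements a DIY root check by probing well-known su/Magisk
// paths with java.io.File.exists() and reading android.os.Build.TAGS, and
// (b) pins certificates with okhttp3.CertificatePinner from OkHttp 3.x.
// The matching helpers are plain JavaScript so they also run under Node
// without a device; the hooks only install when Frida's Java bridge exists.
'use strict';

// Paths that common DIY root checks probe (a constructed, non-exhaustive list).
const ROOT_INDICATORS = [
  '/system/bin/su',
  '/system/xbin/su',
  '/sbin/su',
  '/su/bin/su',
  '/system/app/Superuser.apk',
  '/data/adb/magisk',
];

// Build-tag values that DIY checks treat as a sign of a custom or rooted ROM.
const SUSPICIOUS_BUILD_TAGS = ['test-keys'];

// Decide whether a File.exists() probe for this path should be lied about:
// exact matches and anything below an indicator directory are hidden.
function isRootIndicator(path) {
  const normalized = String(path).replace(/\/+$/, '');
  return ROOT_INDICATORS.some(p => normalized === p || normalized.startsWith(p + '/'));
}

// Value to present as Build.TAGS: checks that look for "test-keys" are
// satisfied by the stock value "release-keys"; anything else is left alone.
function spoofBuildTags(realValue) {
  return SUSPICIOUS_BUILD_TAGS.includes(String(realValue)) ? 'release-keys' : String(realValue);
}

function installHooks() {
  Java.perform(function () {
    // 1. DIY root check: make File.exists() deny that su binaries are there.
    const File = Java.use('java.io.File');
    File.exists.implementation = function () {
      const path = this.getAbsolutePath();
      if (isRootIndicator(path)) {
        console.log('[root-check] hiding ' + path);
        return false;
      }
      return this.exists();
    };

    // Build.TAGS is a static field that checks read directly, so overwrite
    // the field value instead of hooking a method.
    const Build = Java.use('android.os.Build');
    Build.TAGS.value = spoofBuildTags(Build.TAGS.value);

    // 2. Certificate pinning: neutralise OkHttp's pinner so the certificate of
    //    a MITM proxy is accepted. Wrapped in try/catch because the class is
    //    absent when the app does not bundle OkHttp. (OkHttp 4.x routes the
    //    handshake through check$okhttp, which would need its own hook.)
    try {
      const CertificatePinner = Java.use('okhttp3.CertificatePinner');
      CertificatePinner.check.overload('java.lang.String', 'java.util.List')
        .implementation = function (hostname, peerCertificates) {
          console.log('[pinning] bypassed check for ' + hostname);
          // Returning without throwing means "the pins matched".
        };
    } catch (e) {
      console.log('[pinning] okhttp3.CertificatePinner not found: ' + e.message);
    }
  });
}

// Attach only when running inside Frida; under plain Node the helpers above
// remain usable, e.g. for testing the path-matching logic.
if (typeof Java !== 'undefined') {
  installHooks();
}
```

Run it with `frida -U -f com.example.app -l hook.js` on a rooted device that has frida-server running. Note that nothing here touches the app's code on disk, so signature and tamper checks that only verify the APK are never triggered. A root check that lives in native code, or pinning done with a different HTTP stack, needs different hooks, but the point stands: a check that is implemented once, in one obvious place, is easy to find and neutralise, which is why the checks themselves need to be hardened against hooking.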