This is one of the aspects that appeal to many jailbreakers, but for the masses, jailbreaking can be a pretty reckless act. After all, nearly five years after Apple launched its App Store, we have zero in-the-wild malware samples on non-jailbroken iOS devices. Meanwhile, several malware incidents have occurred in the jailbroken app community, including at least one worm that exploited a default sshd password to copy itself among jailbroken iOS devices.
Now, this falls far short of being a condemnation of the underground app ecosystem, but if that community continues to proliferate as we've seen in the Android community, it's quite possible things will get worse. Numerous recent studies of Android apps have documented massive increases in malware in that community. Let's hope that's not the future for the jailbroken iOS app world.
All of this is why I say that who you are is what will ultimately guide you to deciding whether jailbreaking your iPhone is a wise thing to do. If you're among the tech-savvy, you've probably already made that choice. If you're on the fence, chances are the best answer is no. There is a burden that comes with jailbreaking your device. You need to exercise hyper caution in allowing apps into your now unprotected environment. A mistake here can be costly indeed. But if you're willing to accept that risk and the consequences of failure, have at it.
That said, there are a few use cases that bear further consideration. If you're an app developer, jailbreaking a test machine can be worthwhile. By doing so, you can accurately peruse the entire filesystem for data leakages, such as the spell checker key log, the cut-and-paste buffer and so forth. These data stores are normally off-limits, but if you truly want to understand the security risks posed by your own software, there's no substitute for seeing these things firsthand.
Also, if a jailbroken device is lost or stolen, you can pretty comprehensively understand what data may have been exposed, because you will be able to pore through all the other data stores on the device, such as the SMS/iMessage texts, address book, calendar, some (but not all) keychain items, and other system files that you'd normally be prohibited from exploring forensically. (You would do this by restoring from backup the data from the missing device onto a replacement device, which you would then jailbreak.) That can help you determine the risk exposure after a device has gone missing. Be warned that this process is time-consuming and costly, but in some cases it will be worth the effort.
The bottom line is that jailbreaking can be exhilarating and liberating, but it shouldn't be done by anyone who isn't willing to swim in an open sea of noncurated apps. For the vast majority of users, this translates to unnecessary and unjustifiable risks. Just walk on by.
With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Deptartment of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.
More by Kenneth van Wyk
- Kenneth van Wyk: Apple's big fail
- Kenneth van Wyk: After Snowden
- Kenneth van Wyk: Target breach underscores how backward U.S. payment tech is
- Kenneth van Wyk: Enjoy your trip, but protect the data you take with you
- Kenneth van Wyk: Lingering faults with security by default
- Kenneth van Wyk: High hopes for iPhone's Touch ID
- Kenneth van Wyk: Why mobile apps beat Web apps for privacy
- Bug bounties: Bad dog! Have a treat!
- How to avoid Big Brother's gaze
- The true root causes of software security failures
Read more about Security in Computerworld's Security Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts