With this week’s revelations about a major security flaw on the iPhone – an SMS vulnerability that could lead to hackers taking full control of an iPhone with no user action required at all – we get a good reminder of one of the biggest reasons why many may choose not to jailbreak their iPhones.
I know many of you have said to me in conversations this week – on the site here and via Twitter etc. – that you cannot see ANY reasons not to jailbreak. Well, here’s one – firmware updates. Updates to the iPhone OS that is. And specifically how much of a pain in the arse it is every time you need to A) choose between applying an urgent or desirable firmware update or keeping your jailbreak and B) go through the relatively painful restore process that is usually involved if you’re jailbroken and want to install a new firmware update.
When you’re jailbroken you usually cannot just do an Update of the OS (which would keep your installed apps, settings etc.). Instead you are nearly always forced into one or more restores – which put you back at square one, needing to resync your apps to your phone, redo your settings, and so on.
There are reports today that we’ll see a security patch from Apple tomorrow to fix the SMS vulnerability – which will almost certainly come as a 3.0.x type update via iTunes. This of course is an urgent update for all iPhone users. It’s one that I would certainly plan to apply as soon as possible – and that means I’ll need to do a restore, which is never any fun (to put it mildly).
Most firmware updates don’t address security issues, but may contain fixes for major bugs or add shiny and attractive new features. In those cases, there is often a choice between grabbing the new firmware with its fixes and additions but knowing that it is not yet jailbreakable, or holding off on a firmware update because you want to wait until a new jailbreak process for it is released, which can take anywhere from a matter of very few days to several weeks (going by past history of the ongoing cat and mouse game on jailbreaking between Apple and folks like the Dev Team).
With the iPhone OS 3.0 – and upcoming 3.1 – firmware, the Dev Team have already warned that if you want to be sure you’ll still be able to jailbreak your iPhone after 3.1 is applied, you MUST run a restore process (or two) and grab two specific files that are generated during the process and keep hold of them. These files are meant to safeguard your ability to re-jailbreak post 3.1 update.
That’s an extra something I’ll try to get done today – in preparation for a security update and for wanting to re-jailbreak following it and / or 3.1.
So … I am mostly happy with running my 3GS jailbroken – almost entirely because of app switching – but not looking forward to the restore process coming up. And I think it’s fair to say that this is a valid reason for many people for not jailbreaking.
8 comments
If Apple would just loosen its Nazi grip, we could get the apps we wanted legit from the App Store, thus removing the need for a jailbreak and allowing everyone to update their phones.
If Apple was serious about security they'd do what every other OS does. Allow people to install what they want and recommend an anti-virus application.
It's only because of Apple's own practices that we have to go through these measures.
I'd love Apple to let in apps like SBSettings and mQuickDo in the App Store, and hope they will gradually loosen the controls, though I probably won't hold my breath on that. I'm not sure that an anti-virus app is ever going to be a good option. Firstly, many of the worst threats these days are not viruses at all, but other forms of malware – and many times traditional AV programs are not the best defense. Also, on a mobile OS in particular, the performance hit that comes with continually running most 'protector' sort of apps is probably not one that most people would want to accept.
Actually, we don't need an antivirus because Apple doesn't allow people to install anything they want.
That's good.
Actually there is a JB fix to this "Major security flaw". In any case anybody with enough nouse to JB certainly can see and defeat any attempt to hack their phone. In any case there is not one documented (even anecdotal) case of this flaw being used to hack a phone. I fail to see what all the fuss is about. I for one am not bothering until at least 3.1.
Actually there's no need for the "" marks – anything that allows a hacker to remotely take over a device with no action required on the part of users, and via a service like SMS that it is difficult to impossible for a user to turn off, IS a major security flaw. With all your 'nouse' you might know that people don't get prime time slots at the Black Hat conference – which the two researchers who presented details on this vulnerability did – for anything minor. Also, anyone with even a passing knowledge of how security exploits work knows that there is always a gap between the time a vulnerability (security hole) is presented and the time when somebody comes out with a real-world exploit for it. So nobody with any knowledge would necessarily expect to see a documented case within 48 hours, especially as it was patched 24 hours after the announcement (making it a less enticing target).
Lastly, your 'anybody with enough nouse to JB certainly can see and defeat any attempt to hack their phone' is an absurd and completely wrong statement. Because you were able to follow a very basic set of instructions (with some JB methods) or in some cases click one button to JB, you're all set to fix up a security flaw it took Apple over a month to develop a patch for and that was unanimously termed a very significant hole in SMS? Please. Let us know your plan for fighting that on the fly with your JB skillz and you should probably be working at the very top of the security industry if you pull that one off.
ooooooooooooooooo that was harsh.
Was it? This has always been one of the big drawbacks of jailbreak – but having said that the Dev Team seem to continually make it easier for us as well.
hehehe.
patrickj tickled me