Several years ago, I had a conversation with an individual who adamantly claimed that jailbreaking and rooting mobile devices actually improved security. His claim rested on the argument that jailbreak and root tools commonly patch the vulnerability used to circumvent the OS protections designed to prevent system-level access. He claimed that the patch actually leaves your device more secure than it was before. Unfortunately, this argument is fundamentally flawed.
When hackers successfully compromise systems, they will often fix the vulnerability they exploited to keep other hackers from taking control of “their” system. Is a compromised and patched server more secure than an unpatched server? Obviously not. If the underlying security foundation of an operating system is compromised, no amount of patches will restore it to a trustworthy state.
There are many resources available that clearly describe the risks of rooted and jailbroken devices. Here are just a few:
Yet Another Reason to NOT Jailbreak/Root Your Device
Earlier this week, a group of hackers released a 400 GB torrent file from a company named Hacking Team. This torrent file contained documents, product source code, and a previously undisclosed vulnerability in Adobe’s Flash product that has reportedly been used in recent attacks. Source: https://helpx.adobe.com/security/products/flash-player/apsa15-03.html
Hacking Team produces “offensive technology” to help law enforcement and intelligence agencies “fight crime”. According to the company’s website:
“In modern digital communications, encryption is widely employed to protect users from eavesdropping. Unfortunately, encryption also prevents law enforcement and intelligence agencies from being able to monitor and prevent crimes and threats to the country security.
Remote Control System (RCS) is a solution designed to evade encryption by means of an agent directly installed on the device to monitor. Evidence collection on monitored devices is stealth and transmission of collected data from the device to the RCS server is encrypted and untraceable.”
The purpose of this blog post is NOT to provide commentary on the ethics of this company. Several privacy activists have provided deeper analysis of their concerns with Hacking Team’s business practices. Here are a few articles and resources for the interested reader:
So, what does this have to do with the decision to root or jailbreak your device? One of the documents released with the torrent contains a product pricelist. Among the more interesting elements on this pricelist is the following screenshot:
The list of capabilities provided by these mobile agents is impressive. The fact that this pricelist specifically identifies that some features depend on rooted and jailbroken devices should tell us something about the risks. At any rate, I seriously doubt that you will find Hacking Team employees (or customers) carrying a rooted or jailbroken device.
Do you need help evaluating the security of your mobile devices or mobile applications? Caliber Security Partners can help. Please contact us for more information.