Educause Security Discussion mailing list archives

Re: Implications of Jail breaking ipod/iphones


From: Adam Carlson <ajcarlson () BERKELEY EDU>
Date: Thu, 23 Jul 2009 16:37:08 -0700

Just thought I would follow-up with this new article which appears to
be the best analysis thus far of the 3GS encryption scheme:

http://www.wired.com/gadgetlab/2009/07/iphone-encryption

I think these quotes unfortunately sum it up:

"I don't think any of us [developers] have ever seen encryption
implemented so poorly before, which is why it's hard to describe why
it's such a big threat to security."

"If they're relying on Apple's security, then their application is
going to be terribly insecure," he said. "Apple may be technically
correct that [the iPhone 3GS] has an encryption piece in it, but it's
entirely useless toward security."

So basically, it sounds like if you lose your 3GS and have encryption
enabled, your data can still be accessed (which is usually what you
try to prevent with encryption).

I had very much hoped that Apple would beef up its security, but
this article talks about why many of Apple's security features are
still severely lacking.

I know that those who want iPhones are going to use iPhones
regardless of the security issues, but hopefully this will help
administrators argue that it should be used for less and never used
to store sensitive data.

-Adam

Russell Fulton wrote:
On 22/07/2009, at 12:41 PM, Russell Fulton wrote:

I have had several people ask me about this and I have tried googling
around the area but most of the stuff I have found consists of lists of
dos and don'ts with little or no background info.

The basic question is what are the security implications of jail
breaking your iphone?


Thanks very much to all of you who took the time to share your thoughts
on this one.

By and large you have confirmed what I had expected:

1/ Apple overstates the issue (of course).
2/ the built in security model does provide some real and useful
protection.
3/ a jail broken iphone in the hands of someone who is careful and knows
what they are doing is not much different to a PC.
4/ an incautious novice can very easily shoot themselves in both
feet (hmm... that isn't much different to a PC either ;).


So I think my advice will be: don't jailbreak your phone unless:
a/ you have a really good reason to (i.e. it gets you something that
outweighs the increased risk)
b/ you know what you are doing and are both tech and security savvy.

Thanks again for all the wonderful input.

Russell


--
Adam Carlson
Chief Security Officer
Information Technology
Residential and Student Service Programs
Tel: 510-643-0631
Email: ajcarlson () berkeley edu

"Most of the things worth doing in the world had been declared
impossible before they were done." ~Louis D. Brandeis
