
Jailbreak Simplicity Threatens Mobile Banking

2010 August 5

[Editor’s Note: The following is a guest blog by John Britton, an engineer at Good Technology and formerly at mFoundry. The following is John’s personal commentary and does not represent the opinion of any organization or individual.]

Last week the U.S. Federal government blessed mobile phone jailbreaking as legal — that is, unlocking a phone without carrier and/or manufacturer approval. Everyone who has ever jailbroken their iPhone said “Thank you.”

Earlier this week the Unofficial iPhone Dev Team, the de facto iPhone jailbreak providers, released a new method for jailbreaking iPhones. The simplicity of their last jailbreak set off proverbial alarms across the mobile security and risk management community.

Previous jailbreak methods were cumbersome and idiosyncratic. Users wanting to jailbreak their phone would have to download a file, jump through some hoops, and 30-40 minutes later their phone would be free. Unfortunately, after the jailbreak, all of their applications were gone and they would have to reinstall everything from scratch. Each upgrade required repeating the entire painful process.

The old process worked by bypassing Apple’s signing process. It was not something my mom would have ever attempted on her own.

The new jailbreak method exploits a vulnerability in Safari and is super simple. You can now jailbreak your phone by simply connecting to a website and swiping your finger. (If you want to see it, the site is: http://www.jailbreakme.com)

The whole process takes about 3 minutes and leaves all of your applications in place. It is a no-fuss, no-muss approach and something my mom could do to be one of the cool kids.

To the credit of the jailbreak team, they also included a patch to warn jailbreakers that encounter this exploit in the future.

Apple has currently released a rather vague statement about the approach:

“We’re aware of this reported issue, we have already developed a fix and it will be available to customers in an upcoming software update.”

The exploit is huge. It is only a matter of time before someone with sinister motives decides to exploit the issue for their own gain. These bad guys could simply trick iPhone users into navigating to their site, or attach a file to an email that, once opened, quietly jailbreaks their phone.

Once the process is complete the phone would look and feel just as if nothing had happened at all. Except now, maybe the iPhone secretly has key logger software installed that steals usernames and passwords from mobile banking. Or maybe the hacker can hijack a browser session to go where they want it to go and not where users expect to go. Usernames, passwords, and financial information including balances and names of banks can all be siphoned off to someone who wants to take money. The bad guy could even look at your anti-phishing site keys.

I hate to state the obvious but this is really, really bad.

Banks and software vendors can do little in their applications to prevent these types of attacks, but they are left to foot the bill for the attack. The bad guy would look and act just like the authentic user.

This problem isn’t just with native iPhone applications. It also affects browser-based banking on the iPhone. The really advanced bad guy will also find ways to manipulate some of the more advanced SMS-based banking.

I have now stopped mobile banking from my iPhone.

Bankers and consumers need to let Apple know that mobile banking and mobile payments need secure platforms. Apple wants to take advantage of mobile payments on their devices. They want to provide the next generation tools for all of us. Apple needs to provide strong protection for the sensitive data passing through iPhones around the world.

Without Apple-provided protection, the only recourse for banks would be to remove their iPhone apps from the App Store and demand that Apple use the kill switch to remotely remove mobile banking apps from end-user iPhones. Banks would also need to block all iPhone-based browser traffic.

Of course, this is impossible. Mobile banking has already gone mainstream. Mobile commerce has as well. Furthermore, iPhones are used by key executives with sensitive information throughout the world’s businesses.

The only true fix to this problem must come from Apple.  They need to patch the exploit quickly.  Apple needs to work with the banks and the security industry to vigilantly protect and continue to grow the opportunities that are in front of us all.

David Eads mentioned previously on this blog that code reviews for mobile applications should be standard fare. Financial institutions must be vigilant in teaching their customers and members about staying current with software updates. A couple of steps can help you protect yourself and your customers. Encourage your customers to upgrade to the latest iPhone OS when Apple releases it. You can also modify your terms of service so that fraud protection is only valid if their mobile banking devices have the latest versions of the vendors’ operating systems and are being used in accordance with the hardware and carrier provisions.

Send David questions about this and I will be back next week to answer your questions on mobile security.

Written from my newly jailbroken iPhone 3GS with mobile banking applications uninstalled.

7 Responses
  1. Adam
    August 6, 2010

    I’m sorry but while I do agree that this should be fixed, I have to ask how this is different from the threats bankers face on their PC desktops every single day? Should we all stop online banking as well until a fix is in place that eliminates the possibility of web-propagated spyware and malware? While you’re at it, you should also advise that we not bank on our Android devices. Ever. They don’t require jailbreaking to install the spooky stuff. It’s readily available on their free and open store shelves.

  2. August 6, 2010

    John says he has stopped mobile banking because of his concerns. We’re not calling for everyone to stop mobile banking though. We couldn’t do it if we wanted to. And it’s not just mobile banking, it’s any confidential information passing through an iPhone — and to your point — an Android or any other platform with a vulnerability.

    It’s EXACTLY like what we’ve had with computers, except that the iPhone is a rare platform where the provider doesn’t provide a virus protection mechanism.

    A key logger on any phone (or computer) is a bad thing. We must prevent it NOW.

    Apple must help solve this problem.

  3. John Britton
    August 6, 2010

    Adam –

    You are correct, the threat is similar to what is seen on PCs every day. However, handheld device viruses, exploits, etc. are relatively unheard of today. No one is thinking about putting an anti-virus package on their handheld. There is no anti-virus suite for the iPhone today. I really don’t foresee Apple opening up the multi-threaded environment to allow true run-time virus protection. The device would become so slow that no one would use it at all.

    The exploit used would, if written well, bypass traditional virus protection software.

    The “rooting” of Android devices still requires several manual steps that the user must do themselves. Those apps that you mention in the Android marketplace all require the end user to do something. Will Android ever get exploited the way iOS has? Probably, but it hasn’t been documented or seen in the wild yet.

    The jailbreak on the iPhone has now been automated to the point where the user may not know or understand that they just opened up their device.

    I still do mobile banking from my Android and Symbian devices. I haven’t stopped mobile banking. I am only waiting for Apple to address the issue.

    And for the record, I have an iPhone 4G, a 3GS (jailbroken), an Android Incredible, a Symbian E72 and a MacBook Pro sitting next to me as I type.

  4. John Britton
    August 12, 2010

    Apple has announced and released iOS 4.0.2, which according to Apple addresses the vulnerability addressed in my initial post. I would encourage the banks to continue to encourage their customers to upgrade to the latest operating system releases, including iOS 4.0.2.

  5. John Britton
    August 12, 2010

    Responsible or not, the author of the iPhone exploit has released his source code. Upgrading to iOS 4.0.2 should be highly encouraged for anyone who doesn’t understand the risks associated with the exploit.

  6. Jon Donnis
    August 21, 2010

    Most unbelievable piece of misreporting I’ve ever seen. 30-40 minutes to jailbreak an iPhone? FFS. I used to do it with the likes of Blackrain etc. in about 10 mins, that’s including getting on the software required. The actual jailbreak takes about 5 mins (before this so-called new software was out). The process has gotten easier but you lot are sheep. Apple’s phone being locked down doesn’t mean it’s secure. Do a search for key loggers on Apple’s keyboards and you’ll see how insecure Macs are. All PCs/Macs are insecure, you just have to keep an eye out. Run programs you’re unsure of and get infected, then it’s your own fault. Apple isn’t gonna save the world from bank fraud you idiot.

  7. John Britton
    August 25, 2010

    Jon,

    I had a hard time explaining these points to David, so I am not surprised that my communication skills are a little too obtuse.

    Couple of points directly from your post:

    1) I said it takes about 30-40 minutes to jailbreak prior to the jailbreakme.com exploit. You mentioned that this is a 10 minute process. Let me state that the 1st time most regular folks jailbreak it is about a 30-40 minute process. Blackra1n is a much simpler and faster method than other jailbreaks, including the original yellowsn0w. But I will stand by my initial 30-40 minutes of research, download, and jailbreaking of the iPhone. Once you get the hang of it and some optimized tools it probably is down to the 10-15 minutes or so that you state.

    2) Many people have felt that because of the closed application deployment model that Apple has relied on that their devices are safe and secure. You point out that this is not the case. Generally I agree. Fundamentally though it is a much more secure platform than most other mobile platforms generally available today.

    3) I think the biggest point that many are missing is that prior to jailbreakme.com you, the holder of the phone, needed to invest some time (10 minutes per your post, 30-40 per my comments, see #1 above) and have a secondary piece of equipment (laptop, desktop) and some 3rd party software to jailbreak your phone yourself. With jailbreakme.com all a user has to do is click on a link on their iPhone. No investment in time of researching, downloading, no connecting the iPhone to additional hardware. Simply clicking a link. A link that could be innocuously delivered to the recipient and innocently clicked on thinking that they can’t harm their device.

    Please realize that the simplification of jailbreaking makes the iPhone a lot less secure.

    I am not a psychic or a medicine man, just pointing out that this exploit is much more dangerous than any other jailbreak methodology previously available.
