iOS Hubris

This is absurd people. I have seen a few articles recently praising iOS6 for its security. It’s become a bit of broken record lately:

“iOS 6 is the most secure mobile platform.”  “There will be no jailbreak for iOS 6”

iOS has had at least two vulns this year that led to introducing unsigned code to the OS. One at CanSecWest’s Mobile Pwn2Own:

The exploit itself took some jumping around. With the WebKit bug, which was not a use-after-free flaw, the researchers had to trigger a use-after-free scenario and then abuse that to trigger a memory overwrite. Once that was achieved, Pol and Keuper used that memory overwrite to cause a read/write gadget, which provided a means to read/write to the memory of the iPhone. “Once we got that, we created a new function to run in a loop and used JIT to execute the code without signing.

and another at HiTB:

 

The only reason they haven’t led to (or at least fast tracked the timeline) a full jailbreak is because they were exploits by security researchers who chose to disclose the vulns to Apple.

People need to stop using the fact that there is no “jailbreak” to protect themselves in mobile security realm. It’s not an excuse to not practice mobile application security, or to not enforce policies/an MDM protection system. A determined actor who is willing to spend the resources can and will crack the phone.

Leave a Reply

Your email address will not be published. Required fields are marked *