Apple Outs Anti-Jailbreak Update 429
Stoobalou writes "Apple has issued an emergency update for devices running the iOS 4 mobile operating system. iOS 4.0.2 plugs the security hole exploited by the iPhone Dev Team to allow pain-free jailbreaking of the iPhone 4 and its manifold siblings as well as... actually, that's about it."
Re:Why does the submitter see this as a bad thing? (Score:5, Interesting)
If jailbreakme can use that exploit then so can someone malicious. Imagine having your phone bricked because you viewed the wrong PDF on some website. The update is a very good thing.
That's true. Although recently jailbreakme got some legal footing about the legality of jail-breaking a phone, the way they did it was an issue, so it's good that the hole was broken.
Another good example, not of bricking a phone, was shown on the UK tv news last night - of an example app on Android being able to record arbitrary audio after performing a similar hack.
So although this says it's anti-jailbreak, that's just secondary - it was one hell of a hole in the first place.
Security Holes & Closed Platforms (Score:4, Interesting)
Who's up for a virus that can't be removed by the user once it's in? How about a friendly bugger that takes advantage of your contact list? For that matter, let's bring back the old dialer viruses and have your phone call a 10$/minute hotline every night for an hour.
Re:Why does the submitter see this as a bad thing? (Score:4, Interesting)
Thirded. Usually I would say Apple was just trying to keep people from unlocking their phones...but I think that was just a symptom of the problem they were trying to fix here.
Re:No update for older iPhone and iPod Touch... (Score:3, Interesting)
The evil "jailbreak vendors who say you shouldn't upgrade" (term used by F-Secure) have stated that they will be releasing a fix for the exploit on the iPod Touch 1G and the iPhone 2G. Ironically, this means that all owners of such devices MUST now jailbreak unless they want to be vulnerable to this exploit forever.
McAfee? Symantec? You seriously expect them to do something useful instead of whining about how Apple doesn't let them write software to hog down your phones even more?
It doesn't help the passwords are well known (Score:2, Interesting)
I still am amazed that Apple releases the iPhone code with simple, easy to discover passwords that are the same across every device. That is UNIX rule 101 - "protect root". Knowing the password means that if you can execute arbitrary code on the iPhone via any means, you can su to root and break out of the user space security protection. User priviledge controls have been the basis of UNIX security for as long as UNIX has been around (as it has been for most OSs to more or less a degree)
If the iPhone had random root passwords on each device, and used certificates to trust iTunes, the risk of a driveby attack doing permanent (ie surviving reboot) damage must be lower? Or have I missed something obvious here?
Re:Why does the submitter see this as a bad thing? (Score:5, Interesting)
This exploit is the least of their problems ... http://www.sbsfaq.com/?p=2165 [sbsfaq.com]
Re:Why does the submitter see this as a bad thing? (Score:4, Interesting)
I thought android phones needed to be "rooted". Double standard much?
Re:No update for older iPhone and iPod Touch... (Score:5, Interesting)
Yup, already out for testing [iphone-dev.org].
Thu Aug 12 15:20:25 unknown MobileSafari[421] : MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/PDFPatch_CVE-2010-1797.dylib
[...]
Thu Aug 12 15:20:56 unknown MobileSafari[421] : Prevented PDF Exploit
Thu Aug 12 15:20:56 unknown MobileSafari[421] : FT_Load_Glyph failed: glyph 1: error 130.
Thu Aug 12 15:20:56 unknown UIKitApplication:com.apple.mobilesafari[0xc4c][421] : Thu Aug 12 15:20:56 iphone MobileSafari[421] : FT_Load_Glyph failed: glyph 1: error 130.
And suddenly jailbreaking is the smart security option for all the users that Apple left behind.
Re:Why does the submitter see this as a bad thing? (Score:3, Interesting)
> 2010: The Year of the Linux Phone
It is! Android and others!
Re:Why does the submitter see this as a bad thing? (Score:5, Interesting)
Re:Why does the submitter see this as a bad thing? (Score:5, Interesting)
A rooted Android phone is almost always still decently secure, and usually the rooting process involves something with adb, something a Dalvik VM app will be hard pressed to get unless it asks for permissions.
Say a piece of malware gets downloaded from Google's Marketplace. The su app pops up asking, "hey, the Vomitron Toaster app wants root privs?" Anyone with a clue is going to tick "no" and "remember this decision". In a couple hours after the app gets flagged, Google fires off the kill switch and the app gets zapped from the store and phones.
Rooting gives one more functionality, but it doesn't significantly add functionality to a device like an IOS JB does.
Here is the funny thing. If I want a command line shell to do stuff on a phone, Android is easy -- download a terminal app. The iPhone, I need to do the following:
1: JB the device. /etc/sshd/sshd_config to only allow access via RSA key, and disallow root access.
2: Hunt down "MobileTerminal 426", the Debian package.
3: Get on a wireless network.
4: Enable OpenSSH.
5: ssh into phone, change root and mobile password to something respectable (20+ characters.)
6: scp the Debian package and install it.
7: Install sudo from Cydia and configure it so I don't need to type in the insanely long password when I want root access.
8: Edit
9: Make sure the sshd is turned off in SBSettings unless it is needed. It will turn back on after a reboot.
All this so I can have full command line access to my iPhone and a method of copying files to and from the filesystem without restriction. The reason why I do the gymnastics with sshd as opposed to uninstalling it is so I can sftp in.
To boot, the only command line terminal app [1] that works on the iPhone (the Terminal app in Cydia is not iOS4 compatible and crashes on startup) doesn't seem to have the ability to do control keys other than control-C. Of course, I wonder if I can just use a normal app and ssh to loopback, but so far, that hasn't worked unless the device is on a Wi-Fi network.
Personally, if someone can make a good terminal emulator and put it on Cydia, I'd pay $5-$10 for it. Especially if it has an easy mechanism for doing control and meta keys, so if I feel insane enough to run emacs, I can.
[1]: A true terminal app that uses a shell and such. There are apps for ssh and such, but those don't have access to the whole phone's filesystem, and I doubt they would get approved if they had the ability to do so.
Re:Why does the submitter see this as a bad thing? (Score:1, Interesting)
I'd like to change the notification sounds on my iphone. The problem is there is no way to do that without jailbreaking. I'm sure there are more than a few people who would like that functionality.
Re:Why does the submitter see this as a bad thing? (Score:4, Interesting)
I have found a few reasons for jailbreaking - and I used Jailbreakme to break it. The first is backgrounding Apps. Apple, in their "brilliance", decided to limit this to just the iPhone 3GS and the iPhone 4. I can now run Pandora in background on my iPhone 3G. Second are things that add or compete with Apple apps. Being able to download files in Safari is a huge thing. So are running ports of VLC that allow me to play files other than in the crazy resolution and .h264 that Apple requires - i can now play MPEGs as well as a few other formats. Another app I have lets me download youtube videos. Sure, I can fire up my PC, use firefox and flashgot, pull the videos, run them MediaCoder or Adobe Meida Encoder, import them into iTunes then sync my iPhone, but this is way more convienent.
Re:Why does the submitter see this as a bad thing? (Score:3, Interesting)
it looks like that is a problem with Exchange, and has nothing to do with the iphone (other than the person who actually took screenshots of the Flash SMS uses an iphone, not surprising given most phones have no way to take screenshots :)
Re:Outing the update (Score:2, Interesting)
For most any phone from AT&T, after the contract is up, they will let you unlock it. This makes since, because after the contract is done, you have effectively paid for it, and it does belong to you. I just recently did this with a Motorola RAZR V3xx. I called them up, said the phone was from an ended contract, and asked to unlock it. There were no questions or uncertainty, just "I can help you with that", and the person then gave me the unlock code and instructions after getting the phone's IMEI number.
This does not happen with the iPhone. After your contract is over, you still are not allowed to unlock it.
In addition, I personally will probably be paying the full ($600) price for my next iPhone, so that I am not tied into a contract. Why shouldn't I be able to have the phone unlocked?
Also, don't forget that you need to enter a contract with AT&T to get an iPhone in the first place. If you decide to get the phone for $200, you'll need to pay an extra $325 - $10 a month if you end the contract early. Plus there's the $36 for activation. If you cancel in the first month, you must return the phone, so you have to pay for at least one month of service, which is $65. So if you go this route, you end up paying a minimum of $200+$315+$36+$65=$616 plus taxes and fees.
So no, it is not in fact possible to have any sort of iPhone for a mere $200. Your complaints about entitlement are misplaced.
Re:Why does the submitter see this as a bad thing? (Score:4, Interesting)
citation please.
Welcome to Slashdot. We're discussing here. You might find that it's a different than, say, Wikipedia.