The Macalope Daily: Cutting off your face to spite your nose
Did you hear the one about the PDF bug that allows a web-based jailbreak that then lets you install a patch that fixes the bug? Phew. All this story needs is a traveling salesman and a farmer's daughter.
Yes, a zero-day PDF bug in iOS allows you to jailbreak your phone and the jailbreak community already has a patch for the bug that you can apply after the jailbreak. It’s a real stretch, though, to get from there to Adrian Kingsley-Hughes’s contention that jailbreaking can make iOS devices more secure.
OK, Adrian, there’s a clause missing from your title. Because jailbreaking can make your iPhone more secure from certain kinds of attacks. In the current instance, the one that has Adrian suggesting his readers jailbreak their iPhones for the security, that’s a zero-day PDF bug that can be executed through the browser.
One of the reasons given by Apple for locking down the iOS platform is security. A locked down OS is more secure than one that isn’t because it doesn’t allow unsigned code to be run on the platform. But what happens when a zero-day vulnerability is discovered that allows the security system to be bypassed that will take days, maybe weeks, to be fixed by Apple has already been patched by the jailbreak community?
Hey! Terrific! You can get yourself a couple of weeks of security against a threat you’re unlikely to encounter! And all you have to do is void your warranty. Adrian neglects to mention that small and unimportant tidbit of information.
Of course, it’s easy to restore your phone to factory conditions so Apple would never need to know, but here’s the other thing about Adrian’s suggestion: What’s the first thing this jailbreak installs? Cydia. What’s one of the major security benefits of the iPhone ecosystem? The fact that Apple curates the apps.
Who curates all the apps you can get through Cydia?
Now, the Macalope has no data on how secure apps available through Cydia actually are, but even Cydia’s creator advises against using sources other than the ones he’s confident are safe. But what’s the big malware problem on Android? It’s not zero-day browser exploits. It’s Trojans. You could be fine if you jailbreak your iPhone and move Cydia to the back page or only use the default sources. But then comes a day when you get curious, as people do when they’re alone in the dead of night. A couple of taps later you’re installing that app that promises to be full of celebrity nipple slips and all of a sudden you’ve got your pants around your ankles literally as well as figuratively.
Still, as irresponsible as Adrian’s post is, it isn’t really hyperbolic enough for the Macalope. Take it over the top, ExtremeTech!
Compared to what? Certainly not to Android. Possibly not to any operating system.
Look, the Macalope doesn’t really have anything against jailbreaking. If you want to use your iPhone on another carrier or you want to install apps that aren't on the App Store and are willing to take responsibility for your own actions, knock yourself out. But don’t do it for security. Apple’s already said it's working on a fix. Just try to resist the continued recommendation of ZDNet pundits that Apple customers set their hair on fire right now for a few days. As tempting as it may be.
[Editors’ Note: In addition to being a mythical beast, the Macalope is not an employee of Macworld. As a result, the Macalope is always free to criticize any media organization. Even ours.]