Jailbreaking a smartphone means fiddling with its OS so you can load the applications of your choice, bypassing the requirement to download digitally signed apps only from, say, Apple's iTunes App Store. Opinions tend to be binary: Either jailbreaking is an unalloyed act of end user liberation and empowerment, or it's the Digital Apocalypse.
Recently, Apple quietly and without explanation disabled a new API, introduced in iOS 4.0, intended to be used in discovering whether an iOS device had been jailbroken. Software vendors of mobile management applications insist they can, and do, use other techniques to discover that. (Apple has published a list of problems encountered by iOS users who have jailbroken their devices.)
Apple's decision sparked a new round of debate over jailbreaking, but without shifting the binary terms in which the debate has been framed. We went into more detail about jailbreaking and the enterprise with Jeremy Allen, a principal consultant with Intrepidus Group, a consulting firm specializing in mobile security. Allen has a background in security and application development, and he focuses on iOS and the applications that run on it.
Q: Some will argue that jailbreaking iOS is a right, not a risk. How do you see it?
A: My general thought on it is that, as shipped, iOS devices add a lot of security due to the code signing of everything on the device. When you live and play in the "Walled Garden of Steve," as I have seen it called, you get a lot of benefits for that ... The problem I have is that, usually, big organizations don't let users have administrative privileges on corporate-owned devices [such as laptops], so why would we be letting users have them on a corporate-owned iPad?
Q: What does code signing bring to the table for mobile security?
A: Code signing is a pretty giant roadblock to malware.
On a Windows PC, when you download a program from the Internet, you get a popup that tells you "publisher: unknown" or "publisher: Adobe" and so on. Windows figures that out through code-signing -- the code publisher gets a certificate from Verisign, and "signs" the code. That lets you, as the developer, prove you're the author of the code and that it's trustworthy.
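The publisher-certificate check Allen describes can be shown end to end in a few lines. The following is an added, self-contained illustration written for this article, not code from Apple, Microsoft, or Intrepidus Group: a publisher signs a hash of its binary with a private key, and the loading OS consults its trust store (standing in for the CA-issued certificate) before running the code. It uses textbook RSA over SHA-256 and a plain dictionary as the trust store purely to stay dependency-free; real platforms use PKCS#1 or ECDSA signatures and X.509 certificate chains, and the publisher names and binaries below are constructed sample values.

```python
"""Constructed code-signing illustration (not the real iOS/Authenticode logic).

A publisher holds a private key; the OS holds a trust store mapping publisher
names to public keys (the role a CA-issued certificate plays). A package is
allowed to run only if the publisher is known AND the signature verifies over
the exact bytes being loaded, so any tampering with the binary is rejected.
Textbook RSA is used here for self-containment; it is NOT a production scheme.
"""
import hashlib
import secrets


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin probable-prime test (enough for an illustration)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    """Random prime with the top bit set so n = p*q always exceeds a SHA-256 digest."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=512):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this guarantees gcd(e, phi) == 1
            break
    n = p * q
    d = pow(e, -1, phi)
    return (n, e), (n, d)


def _digest_as_int(code):
    return int.from_bytes(hashlib.sha256(code).digest(), "big")


def sign_package(publisher, code, private_key):
    """Publisher side: sign the SHA-256 hash of the binary with the private key."""
    n, d = private_key
    signature = pow(_digest_as_int(code), d, n)
    return {"publisher": publisher, "code": code, "signature": signature}


def verify_package(package, trust_store):
    """OS side: the check a code-signing loader performs before executing code.

    Returns (allowed, reason). `trust_store` maps publisher name -> public key,
    standing in for the CA-backed certificate store on a real device.
    """
    public_key = trust_store.get(package["publisher"])
    if public_key is None:
        return False, "publisher: unknown"           # no trusted certificate
    n, e = public_key
    if pow(package["signature"], e, n) != _digest_as_int(package["code"]):
        return False, "signature invalid (code or signature tampered)"
    return True, "publisher: " + package["publisher"]


if __name__ == "__main__":
    public_key, private_key = generate_keypair()
    trust_store = {"ExamplePublisher": public_key}       # constructed trust store
    pkg = sign_package("ExamplePublisher", b"\x7fELF constructed binary", private_key)
    print(verify_package(pkg, trust_store))
    tampered = dict(pkg, code=pkg["code"] + b"\x90")      # one injected byte
    print(verify_package(tampered, trust_store))
    unsigned = dict(pkg, publisher="SomeoneElse")          # no certificate on file
    print(verify_package(unsigned, trust_store))
```

The three checks in `verify_package` are the whole point of the "roadblock": a package from a publisher with no trusted key is refused outright, and a package whose bytes differ by even one byte from what the publisher signed fails verification, which is what makes sideloading unsigned code impossible without first disabling the check, as a jailbreak does.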