For iOS devices, you as a developer get a certificate signed by Apple. When the code is downloaded, Apple will look up the code and make sure it's properly rooted to the certificate. For iOS devices, if the code signing is not from Apple, and Apple only, you can't run it. It creates a secure playground. By forcing any code that you want to run on the mobile device to be [first] signed from Apple, you can eliminate a lot of problems.
Q: So what does jailbreaking actually do?
A: It disables most of the code-signing checks.
Apple offers [in iOS] public and private APIs. Any apps in the App Store use only the public APIs. Private APIs aren't necessarily secret but only Apple can use them, and Apple can change them at any time.
Jailbreaking lets you use the private APIs. Then, you can implement things like multitasking in iOS 3.0 [before Apple partly enabled it in 4.0]. You have more control over the apps you write. And you can put anything you want on your iPhone. At bottom, it's a Unix device. [So] you can install SSH [Secure Shell] and tunnel into your phone and use it, for example, for tethering. You can change the graphical look and feel of the iPhone pretty significantly.
Q: What are the risks with jailbroken devices?
A: Any code can run on your phone: You could get malware that could steal all your emails or whatever.
Usually, jailbreak users install software from Cydia [an open source code package manager and, now, online store], and who knows where that code came from. You could throw some backdoor on those programs a lot more easily than you could on Apple's servers.
Second, if you install and configure SSH, the root user password would be weak and make it easy for anyone to take over your phone. There are all kinds of bad and unexpected outcomes with jailbreaking.
Having said that, the chances of someone currently targeting jailbroken iPhones are low, because there are not that many of them. From the standpoint of a developer writing "malware that will run anywhere," it's a very small user audience.
Q: Based on your work with enterprise IT in mobile deployments, how do they see jailbreaking?
A: They want a way to detect it. The iOS 4.0 release was focused on mobile device management: Jailbreaking sidesteps all that. Even when it's a personal [iOS] device, IT is saying "we know this is your personal device, but if you want to access to corporate email on you phone, you need to have some security configured."
Q: A lot of end users may not realize all the other risks they take when they jailbreak.
A: Some say "jailbreaking is not a big deal." And it's not, from my perspective. But you don't need a lot of the features you get with a jailbreak, and the phone is less secure. So why do it?
Q: Why do you say jailbreaking is no big deal?
A: At Intrepidus Group, we're always talking about this. We agree that jailbreaking isn't an instant death sentence. If you're a "consenting IT practitioner" and you jailbreak your device, you probably know what you're getting into. You know the risks.