The Myths of Mobile Jailbreaking…

Ever since the beginning of the mobile revolution, device manufacturers and telecom carriers have sought very tight control of the terminals.

On the one hand, phone manufacturers argue that built-in safety measures such as encryption and restricted access to sensitive APIs are the only way to ensure the integrity of the software (including the firmware, the OS, and the apps running on top of the OS) and the privacy of its users. Carriers are also worried that rogue devices may be able to connect to their networks with unknown consequences.

On the other hand, hackers and free software advocates have been able to circumvent the security measures in the OS of these mobile devices. Finding and exploiting vulnerabilities in the OS to gain control of the terminal is often referred to as jailbreaking or rooting. Jailbreaking/rooting a device can have legitimate reasons: some users argue that they should be able to install any software on a device they own or get rid of the apps bundled by the carrier or phone manufacturer. For instance, a popular firmware like CyanogenMod for Android requires the device to be rooted prior to installation. Obviously, jailbreaking can also be used to commit fraud or crime: for instance, install a Trojan or key logger on a device, breach the security of a corporate network or remove the tracking function from a stolen device.

This tug-of-war has been going on for a while now and shows no sign of slowing down: hackers find a new vulnerability to exploit; security experts detect and analyze the exploit then issue a patch … until the next exploit surfaces. This situation is very similar to what has been happening in the software industry for years between virus writers and security experts.

Three major reasons explain this never-ending game of whack-a-mole. First, the size of the code of a typical OS (millions of lines of code) and the constant need for new releases means that there are always bugs that can be exploited. Second, there is always a delay between the active exploitation of a software vulnerability and the discovery/patch of this vulnerability by security experts. Finally, there is no bulletproof method to detect that a device has been rooted.

Generally speaking, the detection methods for rooting rely on finding specific fingerprints left behind by known programs that are used to root a device. The issue here is that these fingerprints change potentially with every version of the exploiting program, and sophisticated hackers can fool the detection program and hide these specific signatures altogether. In this respect, jailbreak and root detection is no different from anti-virus, and as we have seen in the World of anti-virus the protection always lags the exploit, and it is often available only after the damage has been done.

So, what does it all mean? For mobile developers, it means that they cannot make the assumption that the underlying OS they rely on to communicate with the device is not jailbroken/rooted.

With the growing realization that what needs to be secured is the data, not the device, the mobile industry is turning to secure containers to isolate the mobile apps from the (possibly compromised) OS. This reality is especially important as the BYOD movement is gathering steam in many industries rendering device wide security policies hard to implement.

While in theory, a container may be rooted as well, it is a lot less likely since the size and complexity of the code (the attack area) is much smaller than that of a typical OS and the code is usually very stable in time. Of course, a secure container is only a piece of a wider end-to-end secure delivery system, but it is an essential piece that must be designed and implemented with care. Particular care must be taken to ensure that attacks directed at the runtime system of the OS (e.g., the Dalvik VM) do not compromise sensitive functionality like encryption. While this places a higher burden on the container developer, when devices are handling sensitive data IT and end users should expect nothing less.

Find out how the Link solution can help you secure data and applications even on potentially jailbroken/rooted devices here.

– Frederic

ILTA SharePoint Symposium 2013 – Law Firms Lead Innovation

Thank you to all of the SharePoint, IT and development professionals who met with us at the ILTA SharePoint Symposium in Chicago last week.  The conference was buzzing  – the keynote sessions were standing room only with overflow in the hallways.  The ILTA staff and Co-Chairs Kara Portwood and Lisa Gianakos did a great job with the program.

For our part, we expected strong interest in our secure mobile SharePoint List App, our Filebox mobile file sharing app and our secure Email App. We were busy demoing all three. However, there were some surprises, too.

Level of innovation – many of these IT, Knowledge Management and development professionals are leading in usage of technology and SharePoint. The image of the stodgy, conservative law firm did not hold up at this conference. One example is the use of extranets. Law firms are architecting advanced extranets to give clients and partners access to critical files. With our secure browser in our secure Link Container we can help firms who need to extend security to people outside of their firms.

HTML5 development – a surprising number of attendees were already developing HTML5 applications for their law firms. Our Link HTML5 SDK will be released next month.  It is open, standards-based and free. There were more than a few developers at SPS2013 who are eager to download our SDK as soon it is available. In one case, we were asked if our HTML5 mobile apps could be modified by using our SDK. The answer – yes. When you license one of our HTML5 apps we give you the source code. You can modify, brand, enhance to your heart’s content.

To be clear, our objective with our Link HTML5 SDK is to encourage Pure HTML5 development. The SDK is open source and there is no vendor lock-in. You can use it to develop HTML5 mobile apps without cost or obligation to us. Where our business model enters the picture is in secure HTML5 app (and native app) delivery to mobile devices. If you want to deliver your apps securely to mobile devices, then one option which you have is license our Secure Link System with our secure browser in our secure Link Container.

There is much more to come about our HTML5 SDK, including the intriguing point as to how you can secure your native apps as well as pure HTML5 apps using Link.

If you can’t wait for the July release of our SDK, write to us and let us know what you need at Contact Us.