Slashdot Mirror
Apple Outs Anti-Jailbreak Update
Stoobalou writes "Apple has issued an emergency update for devices running the iOS 4 mobile operating system. iOS 4.0.2 plugs the security hole exploited by the iPhone Dev Team to allow pain-free jailbreaking of the iPhone 4 and its manifold siblings as well as... actually, that's about it."
If jailbreakme can use that exploit then so can someone malicious. Imagine having your phone bricked because you viewed the wrong PDF on some website. The update is a very good thing.
I appreciate jailbreaking, but security is more important. What about older devices? Maybe McAfee or Symantec will have a solution.
If jailbreakme can use that exploit then so can someone malicious. Imagine having your phone bricked because you viewed the wrong PDF on some website. The update is a very good thing.
That's true. Although recently jailbreakme got some legal footing about the legality of jail-breaking a phone, the way they did it was an issue, so it's good that the hole was broken.
Another good example, not of bricking a phone, was shown on the UK tv news last night - of an example app on Android being able to record arbitrary audio after performing a similar hack.
So although this says it's anti-jailbreak, that's just secondary - it was one hell of a hole in the first place.
Java gaming nut - http://www.retep.org/ or for the rail http://uktra.in/
Exactly- phrased differently- "A vulnerability actively being exploited in the wild was patched".
Granted, some of those actively exploiting it were the owners of the devices... but hey. You seriously don't know if it was being exploited by others for financial gain. If they were that good, you'd never know. I'm all for patching the vuln.
"Never underestimate the bandwidth of a station wagon full of tapes hurtling down the highway" -Andrew Tanenbaum
We have to go back to jailbreaking the old fashioned way with a computer and a USB cable - it'll take ten minutes rather than five now and require you to RTFM. And all because Apple wants to fix a gaping security hole. DAMN THEE DRACONIAN STEVE JOBS!!1!
catch (HumourFailureException e) { e.user.send("You, sir, are a humourless idiot."); }
Bricked? I thought you could just re-synch your phone and restore it.
Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
Apple has not released the fix for the iPod Touch 1G and the iPhone 2G, so the iPhone Dev Team themselves are working on a fix that will work on all devices. So you'll be able to basically jailbreak and then plug the hole that was used to do it.
Donate free food here
This is a massively publicized remote exploit. That is the most critical sort of security issue for an operating system. There is nothing strange about them prioritizing it.
Nerd rage is the funniest rage.
Indeed. And similarly, it was wrong that the original news of the exploit was publicised as a good thing (or, at worst, neutral), rather than being publicised as a major security hole (like you know they would have had it have been something like Internet Explorer).
Of course, it is a problem that you need to jailbreak an Iphone to enable basic functionality. But if the media has such a problem with that, maybe they could actually focus on that instead of praising Apple all the time, or conflating the issue with security exploits; or maybe give some coverage to the more popular platforms (Symbian, RIM, Android) that don't need to be jailbroken, instead of the overwhelming coverage of Apple all the time.
I wouldn't be jailbreaking my iPhone if there was a way to remove SIM lock. Right now Apple & AT&T has forced me into a situation where AT&T won't provide unlock code (asks to go some unlock shop and pay for the unlock) and Apple doesn't really care. Only option is to jailbreak to get blacksn0w running.
If Steve/government (in many countries in Europe it is mandated that after contract period unlock key is given) would force AT&T to provide unlock codes for everyone out of contract then most of the jailbreaking business would go away.
The problematic part is that iPhone 2G users won't get an update but are still susceptible to this bug, so they're SOL. Additionally, iOS 4 sucks on the iPhone 3G (nearly no new features, but much slower), so many are reluctant to update.
It's amazing that slashdot can spin this as anything other than a good thing. Bottom line – the phone had a serious security vulnerability that allowed people to brick/use the phone for various nefarious tasks. Apple fixed it, spinning this as anything other than an important bug fix is downright irresponsible.
This exploit is the least of their problems ... http://www.sbsfaq.com/?p=2165
Of course, it is a problem that you need to jailbreak an Iphone to enable basic functionality. But if the media has such a problem with that, maybe they could actually focus on that instead of praising Apple all the time
They're afraid of being modded down.
Living With a Nerd
I thought android phones needed to be "rooted". Double standard much?
I can think of a few reasons:
There are probably many other reasons. Personally I do not have any kind of smartphone - they are all too big for me. But I do have an iPod touch, and the software is very slick - though strangely it is not a great MP3 player :)
W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
In modern parlance, "bricked" means "mildly inconvenienced for about 30 minutes" rather than "made completely inoperable to the point where the hardware is now about as useful as a standard brick" and "zero day" means "sometime within the next 5 years after the actual software was released in the first place."
Android phones only need to be rooted if you're doing something that requires root access - for everything else running unsigned (i.e. third party, non-market) apps is simply a matter of unchecking a box in the settings, so no, it's not quite the same thing (as you'd know if you had ever tried to send an MP3 via bluetooth from an Android phone to an iPhone, for instance - they both have this ability but only one allows you to do it without rooting the device).
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
It isn't just anti-jailbreak, it's patching a pretty serious security flaw.
iOS 4 sucks on the iPhone 3G (nearly no new features, but much slower), so many are reluctant to update.
iOS4 doesn't suck on the 3G if you do a clean wipe of the OS before moving to 4. This has been a known issue for some time now. Wipe your 3G, then move to iOS4. I know plenty of folks running iOS4 on their 3G who absolutely love it. They have no issues with performance or it suck-ing. If you upgraded and already experience performance issues, backup your phone, restore to factory settings, upgrade to iOS4, then restore from backup. Problem solved.
A rooted Android phone is almost always still decently secure, and usually the rooting process involves something with adb, something a Dalvik VM app will be hard pressed to get unless it asks for permissions.
Say a piece of malware gets downloaded from Google's Marketplace. The su app pops up asking, "hey, the Vomitron Toaster app wants root privs?" Anyone with a clue is going to tick "no" and "remember this decision". In a couple hours after the app gets flagged, Google fires off the kill switch and the app gets zapped from the store and phones.
Rooting gives one more functionality, but it doesn't significantly add functionality to a device like an IOS JB does.
Here is the funny thing. If I want a command line shell to do stuff on a phone, Android is easy -- download a terminal app. The iPhone, I need to do the following:
1: JB the device. /etc/sshd/sshd_config to only allow access via RSA key, and disallow root access.
2: Hunt down "MobileTerminal 426", the Debian package.
3: Get on a wireless network.
4: Enable OpenSSH.
5: ssh into phone, change root and mobile password to something respectable (20+ characters.)
6: scp the Debian package and install it.
7: Install sudo from Cydia and configure it so I don't need to type in the insanely long password when I want root access.
8: Edit
9: Make sure the sshd is turned off in SBSettings unless it is needed. It will turn back on after a reboot.
All this so I can have full command line access to my iPhone and a method of copying files to and from the filesystem without restriction. The reason why I do the gymnastics with sshd as opposed to uninstalling it is so I can sftp in.
To boot, the only command line terminal app [1] that works on the iPhone (the Terminal app in Cydia is not iOS4 compatible and crashes on startup) doesn't seem to have the ability to do control keys other than control-C. Of course, I wonder if I can just use a normal app and ssh to loopback, but so far, that hasn't worked unless the device is on a Wi-Fi network.
Personally, if someone can make a good terminal emulator and put it on Cydia, I'd pay $5-$10 for it. Especially if it has an easy mechanism for doing control and meta keys, so if I feel insane enough to run emacs, I can.
[1]: A true terminal app that uses a shell and such. There are apps for ssh and such, but those don't have access to the whole phone's filesystem, and I doubt they would get approved if they had the ability to do so.
In modern parlance, "bricked" means "mildly inconvenienced for about 30 minutes" rather than "made completely inoperable to the point where the hardware is now about as useful as a standard brick" and "zero day" means "sometime within the next 5 years after the actual software was released in the first place."
Well, hell hath no fury like a geek who's been mildly inconvenienced.
Track your TV Shows with your iPhone - FREE
Shame you posted this anonymously, it's currently sitting at 0, Insightful. Can we stop this iPhone doublethink when it comes to security holes? This is a remote root hole. Someone can gain root on an iPhone just by making the owner visit a malicious web page. Fixing this hole is not a conspiracy to stop people jailbreaking their phones, it's a fix for a serious hole. Criticise Apple all you like for shipping the hole in the first place or for the time taken to provide the fix, but don't criticise them for addressing a serious vulnerability.
I am TheRaven on Soylent News
We paid for the phone, we should be able to use it how we see fit.
Actually, no, you didn't pay for the phone, at least not all of it. You paid $200, and AT&T paid more to Apple as a subsidy.
It's still a sale and not a lease. They fact that the sale price is subsidized via the sale of another product (2 year service contract) does not make it any less of a sale. If you buy a burrito and a bag of chips, the drink is only 25 cents. If you apply for a Macy's credit card, you get additional 40% off your purchase.
I'm sure I'm in the /. minority on this, but I really don't see the big deal about getting an unlocked phone in the US. They're not currently available from Apple, but if they were they'd cost about $600, based on what they sell for in Canada, and you're not entitled to have the iPhone you paid $200 for (subsidized) unlocked, so some questions:
You are confusing subsidized vs unlocked. They are 2 different things. I thought you could already get it unsubsidized, but not unlocked (at least in the U.S.).
Why would I want any "smartphone" without a data plan? What's the point? If that was my goal I'd go back to an iPod and a cheap Nokia
I don't know why you would want it, but that's not the point. One could still use it as a Wifi device with VoIP capabilities, etc. You may want to use it on T-Mobile, or get a plan from Canada, or sell it / give it to someone else from another country.
The only other carrier in the US is T-Mobile, but apparently they use some different frequencies and not everything works right, so I need AT&T anyway.
No you don't - 3G frequencies are different. Voice and 2G are the same.
Since I need a dataplan ($15 or $25 a month from AT&T), why would I pay $400 more for the unlocked phone, which amortized over 24 months is $16.67 a month?
Again, you are confusing subsidized vs unlocked.
The sense of entitlement by a lot of people is becoming increasingly disturbing. You want the iPhone 4 unlocked, but you don't (I assume) want to pay the full price for it, and you want the government to step in and tell AT&T / Apple to unlock a subsidized phone. Whatever. You are not entitled to an unlocked iPhone for $200.
Besides the "entitlement" argument, I agree with your point there - I am not convinced the government should step in.
On the other hand, you can get phones on contract. This involves signing up for a specified number of months, and possibly paying something up front. In this case, you're buying the phone, however you're essentially buying it on credit and paying it off over 12-24 months. In this case (at least over here) the phones generally come unlocked, so you can move to a different network if you wish, but you'll still have to pay your contract's monthly fee, even if you don't use the network.
In the latter case, I feel it's perfectly fair to consider the phone to belong to the customer. They've paid for it, and the service.
The other difference between the US and the UK is this ridiculous notion of crippled phones - over here, they might sometimes be locked to a network to cover the subsidy, but I've never had one which has had features deliberately disabled by the network which is what preventing you rooting the device basically amounts to.