Convincing users not to jailbreak their phones can be a hard sell. This practice (also known as “rooting”) refers to hacking a smartphone in order to gain access to areas of the operating system that are normally off limits.
For some, it’s a matter of principle: “That’s my phone; I can do whatever I want with it.” For others, there’s some tweak or feature that they need which is available only in the world of nonstandard software. While jailbreaking can put an end user on shaky legal ground, the real issue for IT managers is security. Try these suggestions for convincing users not to tamper with their devices.
Whether jail breaking is legal or not, manufacturers take a dim view of it and add anti-jailbreaking features to every software update. This means that jailbreakers put off or completely block updates.
Users may not care about missing functionality changes, but every software update also contains some security fixes. As attackers focus on endpoint vulnerabilities, skipping software updates puts the device at risk, which translates into enterprise risk if the device has access to enterprise email, contacts, virtual private networks or other sensitive data.
Devices that are jailbroken are not inherently less stable than their untampered-with cousins. However, most people jailbreak phones to install something they can’t get from an app store.
No app store has a comprehensive quality assurance program — no single team could assure the quality of all the apps available. But the app stores have paths for feedback, pulling applications, end-user reviews and global updates, all of which add up to a better and more stable experience. Apps that use an undocumented or restricted application programming interface, or that are released by authors who don’t maintain them, can bring instability, shortened battery life and disrupted service to devices.
Break it and brick it, and you’re on your own. Smartphone vendors have stated that they won’t provide support for jailbroken devices. That policy is loosely enforced, but it’s always out there as an incentive to leave the device alone.
If someone jailbreaks and bricks a phone, he or she has likely made a $500 to $1,000 mistake.
Jailbreaking definitely opens up devices to malware. In fact, all documented iOS malware has been aimed at jailbroken devices.
Malware authors have a variety of motivations, but all revolve around taking advantage of jailbroken devices and users who download from unofficial application stores. For example, security researchers have identified malware, targeting both Android and iOS devices, that eavesdrops on private communications. No one knows where the malware originated, but phishing attacks designed to get end users to install the malware have shown up on the smartphones of pro-democracy protesters in Hong Kong. This could be simple social engineering, or it could be an oppressive arm of the Chinese government keeping a close eye on malcontents.
There’s more to worry about than just malicious software. Jailbreaking a device compromises its basic operating system security, which causes cascading vulnerabilities. For example, Apple carefully protects the keychain, which contains user names and passwords (as well as other sensitive information), but these protections are lost when a device is jailbroken. This lets all applications reach into the keychain and read information that should be blocked.
The same is true for per-application sandboxed data: Built-in protections to the operating system are lost when a device is jailbroken.
Many users have gone down the jailbreak path just to use a smartphone with a different carrier, especially when traveling. Although U.S. carriers continue to restrict what can be done with phones that still operate under contract, they have reacted to this problem by writing new rules and new contracts making it easier for end users to change SIMs in a phone.
Sometimes, all users have to do is ask to permanently unlock a phone, while still maintaining software protections from the vendor.