by dunham 2186 days ago
Additionally, JIT would need a special entitlement to be able to change a page of memory from writable to executable. This is a little dangerous from a security perspective, and even Apple only grants it to apps that specifically need it.
2 comments

That's all nice and good, but completely removing the possibility of running any non-vendor JIT application is totally stupid and unacceptable. And iOS being a total walled garden only adds insult to injury, as users simply can't install such applications even if they want to.
Aha so that is what it’s all about. That makes so much more sense now, and a very reasonable explanation.

Does this also apply to jailbroken iOS devices? I can imagine that it’s fairly difficult to disable a security feature such as this in the kernel?

I don't know the exact details of how jailbreaking tweaks code-signing.

But as I understand it, apps are signed and have an entitlements file bundled inside. That file determines whether the kernel will allow stuff like changing pages to executable, running in the background, notifications, etc. Safari happens to have this extra entitlement in its embedded entitlements.plist. The signature checks out, so the kernel allows the functionality.

For example, there is an entitlement to allow a debugger to attach, which dev builds of apps typically have, but Apple won't allow for apps in the store. I would think that if a jailbreak short-circuited the signature stuff, you could put whatever entitlements you want in there. But there may be some additional constraints.

Now that I'm thinking of it, I wonder if dev builds of apps can have the entitlement to do the JIT magic. I don't know if they place any constraints on the dev signing keys.
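A defender's check for the entitlement issue discussed in this thread, added here as an example and not code from anyone in the thread: it parses a constructed entitlements.plist with Python's plistlib and flags entitlements that a release build should not carry. `get-task-allow` is the real key for the debugger-attach entitlement mentioned above; the thread does not name the JIT entitlement, so the script uses a clearly labelled placeholder key for it.

```python
import plistlib

# Constructed sample entitlements.plist (not taken from any real app).
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>TEAMID.com.example.app</string>
    <key>keychain-access-groups</key>
    <array><string>TEAMID.com.example.app</string></array>
    <key>get-task-allow</key>
    <true/>
    <key>PLACEHOLDER-jit-entitlement</key>
    <true/>
</dict>
</plist>
"""

# Boolean entitlements a release build should not carry. `get-task-allow` is the
# real debugger-attach key. The JIT key is a PLACEHOLDER (assumption): the thread
# never names the actual entitlement, so substitute the real one for your platform.
SENSITIVE = {
    "get-task-allow": "a debugger may attach to the process",
    "PLACEHOLDER-jit-entitlement": "writable pages may be remapped as executable (JIT)",
}


def load_entitlements(data: bytes) -> dict:
    """Parse an entitlements plist and require a dictionary at the top level."""
    obj = plistlib.loads(data)
    if not isinstance(obj, dict):
        raise ValueError("entitlements plist must be a dict at top level")
    return obj


def audit(entitlements: dict) -> list:
    """Return 'key: reason' findings for sensitive entitlements that are set to true.

    Only a literal boolean true counts: a <false/> value, or a non-boolean value
    such as an array, is not a grant and is ignored.
    """
    findings = []
    for key, reason in SENSITIVE.items():
        if entitlements.get(key) is True:
            findings.append(f"{key}: {reason}")
    return findings


if __name__ == "__main__":
    for finding in audit(load_entitlements(SAMPLE_ENTITLEMENTS)):
        print("release build should not carry", finding)
```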