[solarkraft]

Jailbreaking uses vulnerabilitities, but doesn't (by itself, of course it allows the user to) introduce any. It even allows you to patch the vulnerability behind you before Apple does officially (see JailbreakMe, 3.0 IIRC).

[xoa]

>Jailbreaking uses vulnerabilitities, but doesn't (by itself, of course it allows the user to) introduce any.

What? The entire point of jailbreaking is to leverage specific kinds of vulnerabilities, often only exploitable via physical access (a tether and DFU mode is typical), in order to root the system so that afterwards other stuff can be done with it more conveniently. Sometimes this even necessitates further security compromises. To use checkra1n itself as an example, last I checked in order to use it on A11 devices (iPhone 8/8+/X) with iOS 14 you must give up on using any passcode on the device via the "Skip A11 BPR Check" option.

It's certainly worthy to note that none of this should inherently be necessary. Apple could offer power users the option to load their own root certificate alongside Apple's, and then sign and run things with the full iOS technical security model from there. Apple is mixing business desire with security desire. Further, many of the threat vectors introduced by jailbreaking are ultimately the same we deal with on the PC, so they're "new to an iDevice" but something technical users can often mitigate. And it can even offer new security options sometimes to go along with it too!

But none of that means that jailbreaking isn't introducing new threat vectors to the system. It is. It's just that it's often worth it to many of us given the alternatives is all.

[0xCMP]

While it should not be inherently required, in practice it is. When not jailbroken the only people you can assume within reason to break your privacy/security are Apple (due to bugs or bad design) and Nation States. Apps, both private and on the store, do only what is allowed (which for instance, before iOS 14 was far looser re clipboard, microphone, camera, and location).

The option of installing a root cert now requires users to refuse to install root certs at work or for some App required to get cheaper insurance or whatever crazy idea you could think of. Users would need to know what is possible (at that point anything) and also have the power and incentives to refuse.

[saagarjha]

Checkra1n for A11 isn’t really considered to be usable for that reason, so it’s not a very good example.

[Gaelan]

My understanding, though I'm not sure, is that a "traditional" jailbreak (installing Cydia and such) allows all apps to read/write from the full file system.

[saagarjha]

Usually, yes, but there is no need to actually do that. I would be surprised if the jailbreak presented here installs Cydia.

[joemazerino]

Jailbreaking by definition introduces avenues for exploitation against what device security requires. Apple pays millions of dollars for security staff, auditing and security research.

[saagarjha]

It might actually be billions at this point, since they bake in some features into the silicon itself. That being said, Apple’s device security model is has many places where it is not aligned with what most people want. KTRR is a good example of a mitigation that has no effect in practice for preventing most exploits, and it’s just one of the instances where Apple tries to protect their software over you, the user.