[Owasp-mobile] How we manage BlackBerry jailbreak issues

Jeffrey Walton noloader at gmail.com
Thu Mar 29 01:00:03 UTC 2012


I’m Adrian Stone, and I am the Director of the BlackBerry Security
Incident Response Team (BBSIRT) here at Research In Motion. The BBSIRT
is responsible for responding to potential security issues and
investigating vulnerability claims that may impact RIM’s products.
Security is a priority for our customers, and that’s why I’ll be
contributing regularly to this blog. For my first post, I want to
provide some insight into how we investigate and respond to
jailbreak-related reports.

“Jailbreaking”, or gaining root access to a device, has become
commonplace in both the mobile and gaming industries. Essentially, gaining
this deeper level of access to the core functions of the device allows
the user to do things not originally intended by a manufacturer, such
as install software outside of “official” channels. Unfortunately,
gaining this level of root access may increase the security risk. For
this reason, most device manufacturers, including RIM, strongly
discourage jailbreaking while understanding that whole communities
exist for just that purpose. At RIM, we take these issues very
seriously. Let’s walk through how we assess and respond to
jailbreaking reports.

From a user perspective, there are two primary ways to jailbreak a
device. First, there is the method where the user voluntarily makes
changes that require: a) the device to be tethered to a computer; b)
access to an authorized user account on the device; and c) possibly
changes to the device’s default settings by
putting it into developer mode (which can also compromise security).
This method cannot be used by remote attackers to compromise user data
or the integrity of the device as it requires both possession of the
device and valid user credentials for the device. The second method
involves less interaction on the user’s part. For example, a software
bug may be exploited from a web page to gain root access to any mobile
device and not require any interaction from the user except visiting
the page.
