Checkm8 jailbreak and AltStore put cracks in Apple’s walled garden

Jailbreaking iPhones has become a lot harder with each new version of the hardware, but this weekend saw two new announcements that enable people to install apps on their phones. One of them is a traditional jailbreak, while the other is an alternative app store that uses a loophole in Apple’s code-signing process.

Jailbreaking is a form of privilege escalation. Hackers figure out ways to change the operating system kernel, unlocking features that Apple had locked down. One of its most common uses is to install apps that Apple doesn’t allow into its app store because they fall outside the company’s strict developer review policy.

On Twitter last Friday, iOS security researcher @axi0mX released a jailbreak bug that affected devices from Apple’s iPhone X all the back to the iPhone 4S running Apple’s A5 chip, which the company released in 2011. It doesn’t hit the iPhone 11 family announced this month, powered by the company’s new A13 chip.

EPIC JAILBREAK: Introducing checkm8 (read "checkmate"), a permanent unpatchable bootrom exploit for hundreds of mil… twitter.com/i/web/status/1…

—
  (@axi0mX) September 27, 2019

The code, released on GitHub for free, relies on a race condition in Apple’s bootrom. This is the first piece of hardware that the iPhone loads code from when it is turned on, and it’s a read-only part of the hardware that Apple can’t patch.

To prove the point, @axi0mX also tweeted a video of an iPhone booting in verbose mode, using the latest iOS 13.1.1 version. They labelled the jailbreak checkm8, and said that it is a “permanent unpatchable bootrom exploit for hundreds of millions of iOS devices.”

There are some limitations. It isn’t a persistent jailbreak, because it only works in memory. That means you must run it each time the phone boots up. Neither does it work remotely. You must execute it by booting the phone into Device Firmware Update (DFU) mode and tethering it to another computer. Finally, it doesn’t break Touch ID or Apple’s Secure Enclave (the encrypted chip inside the iPhone which holds its most valuable secrets). All this means that it isn’t that useful for companies wanting to steal data from iPhones.

Nevertheless, the code will help researchers to develop their own jailbreaks, the hacker said. It will also make it easier for developers to find bugs in various versions of iOS because they will be able to probe more deeply into phones without obtaining special developer versions distributed by Apple on a limited basis.

Company launches alternative app store

Another developer, USC student Riley Testut, took a different tack to get around Apple’s tightly controlled phone rules by publishing AltStore, an alternative app store for non-jailbroken devices.

Apple only allows people to install apps approved by its own app store, with the exception of companies granted enterprise certificates, which allow their own employees to install their custom apps.

Testut’s system relies on an Apple policy that allows users to install their own apps using their own Apple ID.

Users first install a program called AltServer on their computer, which then controls the iPhone via the iTunes wireless sync capability. It uses the owner’s Apple ID to register first the AltStore app on the phone, and then other unapproved apps that the user wants to install. Testut explained:

…since there’s no single enterprise certificate to revoke (because technically every user now has their own developer certificate using this process), Apple can’t simply shut it down with the press of a button like they have with some 3rd party app stores

The app has to perform some workarounds. Apple only allows apps installed with a user’s Apple ID to work for seven days before renewing them, so AltServer renews the apps on your behalf (which means you have to sync with AltServer at least once per week).

Apple also only lets three apps signed by the iPhone’s owner on the phone at any time, and it does this by checking for files called provisioning profiles when you install a new app. AltServer gets around this by removing all the other unapproved apps’ provisioning profiles when you want to add a new app, and then putting the other profiles back. Because Apple only checks for these profiles when installing an app, AltServer can use this technique to install as many apps as it likes.

It seems as though Testut has found a viable way to get apps onto the phone without jailbreaking them, although Apple could limit his system’s abilities by changing the way it checks for provisioning profiles. @axi0mX’s discovery promises to be a lot more concerning for the phone manufacturer. As Shahar Tal, VP of research in the security research labs at Cellebrite (which unlocks iPhones for law enforcement ) put it:

For those still grasping to understand today’s significance: with his release of a *forever-day*, @axi0mX overturne… twitter.com/i/web/status/1…

—
Shahar Tal (@jifa) September 27, 2019