July 07, 2011, 4:49 PM — The cat-and-mouse game between Apple and those who would "liberate" its iOS devices is back on after Wednesday's launch of JailbreakMe 3.0, a website that hacks iPhones, iPod Touches, and iPads to allow software unapproved and undistributed by Apple onto the devices.
The site is the first "jailbreak" that includes support for the iPad 2, and offers an "untethered" jailbreak, meaning that devices hacked via the site don't have to be connected to a computer to boot up, unlike other "tethered" jailbreak options.
In response, Apple acknowledged vulnerabilities in iOS and announced that it is working on a fix for those holes, which are present in versions of the mobile operating system up to and including the current iOS version 4.3.3.
More troubling still for iOS users, Germany's Federal Office for Information Security on Wednesday posted an alert in which it said iOS has security flaws that can be used with a specially crafted PDF to steal personal data and even gain access to the phone's built-in camera, phone, and GPS functionality. It's exactly this kind of PDF flaw that makes JailbreakMe possible.
Coming just days after security software vendor Symantec released a report calling iOS more secure than Android in theory, businesses can be excused for being confused over security on mobile devices.
Avoiding the PDF Bug
It's important to note that to date, there have been no in-the-wild examples of the PDF flaw being exploited, aside from JailbreakMe. However, until there's an iOS update that deals with the potential nightmare of malicious third parties getting unfettered access to sensitive corporate data on iOS devices, there are some common-sense steps to take.
The bug concerns how fonts in PDF documents are handled in the Safari Web browser on iOS devices. In other words: A PDF document must be opened via Safari on the device for the attack to be executed.
Until there's a fix from Apple, it would be wise to make sure those using iOS devices in your business are aware of this flaw and how to mitigate the risk. A reasonable policy would be to be wary of opening PDFs on the device--a more severe approach would be to outlaw using iOS devices for PDF files at all until further notice.