A few hours ago @comex finally released his universal jailbreak tool for iPhone, iPod Touch and iPad called “JailbreakMe”. Unlike many previous jailbreak tools released in the past three years, this time you don’t need a computer to install Cydia on your device: jailbreakers are using the cloud now, and all you have to do is visit a website in Mobile Safari and wait for the exploit to “land” on your home screen.
Of course Apple isn’t happy about jailbreak. They never were. But this time - this time they have a pretty big issue on their hands. JailbreakMe seems to be based on a PDF vulnerability that is activable in Safari and, potentially, could lead to malicious software sent to users via emails and the browser.
Comex knew that Safari automatically downloads PDF files, and he managed to inject the necessary jailbreak code in the PDF decoder, thus allowing you to install Cydia by just visiting a website. For users, it’s magic. But if you think about it, for users and Apple this is a problem. Like I said, I wouldn’t be surprised to see malicious softwares floating around in the future, all based on browser vulnerabilities. This is a common situation for desktop users, and it’s kind of a first on the iPhone. There were some similar hacks in the past, but this is so huge it won’t go unnoticed. So, I’d expect an iOS 4.0.2 update fixing “critical PDF vulnerability” very soon.
Still, who’s to blame? Apple, for leaving this PDF hole out there? Or is Comex a genius for finding out about it? I say both. Vulnerabilities are a problem - especially on the iPhone, or Apple devices in general - but it’s when hackers find out about them and release tools based on them that Apple has to intervene.
As for the jailbreak itself, I’ve just jailbroken a 3GS and it worked good. Cydia is pretty unstable at the moment, but I’m used to it. What bothers me, though, is that jailbreak on the iPhone 4 is pointless right now. Apps aren’t updated for the Retina Display, and tweaks such as SBSettings, LockInfo and Activator are buggy, slow and unsupported. Why release a universal jailbreak when, actually, it is not universal? Just for the sake of it? Couldn’t they seed jailbreak builds to selected developers, like Apple does, in order to assure compatibility when the jailbreak is released publicly?
Furthermore, it looks like it may also break FaceTime and MMS. I did not jailbreak my iPhone 4 - it’s simply not worth it.
A while ago I wrote that jailbreak on iOS 4 still matters. The thing is, it matters if Cydia developers want it to be revelant. Otherwise, I’m out of this game.