We will examine why Apple is doing Rootless and learn what it is and its impacts.
This article is a follow up to my previous post on jailbroken and rooted devices. We have received a number of inquiries about the rumored upcoming rootless capability in Apple iOS 9. Many blogs assert that the rootless capability will make it impossible for hackers to jailbreak iOS devices.
Is this true? If so, how will it affect businesses? Let's define rootless and then walk through these questions.
What is Rootless?
From a high level, rootless is the ability to prevent users from jailbreaking devices and inadvertently allowing malicious apps to gain privileges. Rootless is officially called “System Integrity Protection,” or SIP.
Per Apple’s description from WWDC 2015, System Integrity Protection:
- Applies security policy to every process, including privileged code running unsandboxed.
- Extends additional protections to system components on disk and at runtime.
- Allows only Apple installers and system updates to modify system binaries; they cannot be updated by runtime attachments or code injections.
Think of it this way: the device allows you to become Superman, but like Superman when he’s chained to Kryptonite, SIP prevents you from performing some super-user tasks.
It may surprise you to learn that Apple has made a core part of their OS open source. We dug into changes to the open source code, called XNU, and compared notes from the WWDC 2015 event. This is what we have learned so far.
The aim of XNU is to tighten the security layer in Apple’s Mac OS X desktop operating system. As Apple puts it, without SIP, “Any piece of malware is one password or vulnerability away from taking full control of the device.” With SIP, the OS X security policy is closer to the iOS model. The new policy tightens access to system-level directories and memory. Without this protection, end-users can easily install malicious apps from non-Apple sources. These apps may execute system commands and inject malicious code. With SIP, even after a malicious app is installed, the rest of the system is protected.
Does SIP also benefit iOS?
SIP is shared between Apple’s desktop and mobile OS's. As a result, the new policy also applies to mobile devices. Prior to iOS 9, iOS already had restrictions to make it difficult to become a super user on a device. The new policy does not completely prevent users from jailbreaking devices. But even if the device has been jailbroken, the OS itself has an extra layer of protection.
However, SIP does not block access to user or application data. To an extent, there may still be vulnerabilities if apps are not careful with sensitive data. Therefore, it remains and always will be important that app developers use security measures, including reducing password prompts and using the secure enclave to protect data.
It is interesting to hear Pierre-Olivier Martel from Apple describe a defense-in-depth approach to securing OS X that combines multiple security methods, including Developer ID & Gatekeeper, Sandbox, POSIX, and Keychains. Here at iovation, we use a similar approach to fight fraud. iOS 9 is another step toward protecting end-users and businesses. I am sure the blackhat community is hard at work trying to crack the iOS 9 beta.