Jailbreak iPod touch 6g

As you guys know, there was a pretty significant iCloud account attack reported recently, in which nearly a quarter of a million iCloud accounts were exposed to potential compromise. The number of accounts that were actually hacked is up for debate, but it was less than half of the reported 220,000~ or so iCloud accounts exposed.

Of course, many took this attack as an opportunity to lecture about the reasons why we shouldn’t jailbreak. While such a lecture isn’t necessarily ill-intentioned, I think that most people who jailbreak understand that there are some inherited risks associated with doing so.

It’s not like accidentally downloading an infected app on your computer, or an ill-advised clicking on a shady email link. Those who jailbreak generally know that there are some security risks involved, at least partially. The problem is, many don’t understand that there are effective ways to protect one’s self.

How do you go about ensuring that you’re as safe as possible while maintaining a jailbroken iPhone? The following steps will show you how.

Let’s Talk Jailbreak

On episode 123 of our jailbreak podcast, we talk about jailbreak security and steps that you can take to protect yourself. Listen in…

Turn on Two-Factor Authentication

Of all of the items on this list, this is by far the most important. Whether you’re jailbroken or not, you need to have 2FA enabled for your Apple ID. If you don’t have 2FA enabled, then stop reading this post and do so now.

Two-Factor Authentication makes it so that, in addition to your strong password, you’ll need another form of identification to successfully access your account. Think of it as someone asking for ID after you try to use your debit card. Your iPhone can act as a 2FA agent, which means that when someone logs in using your Apple ID, they’re required to have your phone in their possession in order to complete the log in. That’s two factors of authentication—your password, and your key—which is, in this instance, you’re iPhone.

2FA makes it so that even if your account does get compromised, and someone figures out your password, they still can’t login without the key—your iPhone—in their possession. Like I stated, even if you’re not jailbroken, you should definitely have 2FA enabled.

iCloud Breach

Don’t install shady repos

Once jailbroken, there are some simple steps that you can take to reduce the risk of being compromised. The first step is to simply stay away from 3rd-party repos. Only use the repos that come bundled with Cydia, like ModMyi and BigBoss. If a repo sounds shady, or looks shady, there’s no need to assume the risk.

Off the top of my head, I can think of three malicious attacks that occurred when users downloaded shady tweaks from questionable repos. They are as follows:

From time to time, we here at iDB do endorse 3rd-party repos. This is usually few and far between, but there are some repos, such as Ryan Petrich’s beta repo—that are deemed trustworthy.

Don’t install shady tweaks

…but you don’t necessarily need a bad repo to infect your device with a malicious tweak. You can install tweak packages directly via iFile, or via the command line. Cydia also has the ability to navigate directly to a package’s page, even if the repo isn’t currently on you iPhone.

Be very selective about the types of tweaks and apps that you install on your device. If it sounds too good to be true, it probably is.

Stay away from piracy

There are a couple of reasons why you should stay away from pirate apps and tweaks…

a). It’s wrong.

b). You’re assuming needless risk by doing so.

Where do you think the creators of pirate repos and cracked apps get their motivation? Out of the goodness of their heart? If you want to be gullible and believe that, then carry on, but in most cases, the persons behind such an operation have ulterior motives.

They either…

a). get paid off of the ads from the traffic that their piracy generates

b). steal your credentials and sell them to the highest bidder

c). infect your machine with ad-hijacking trojans

d). all of the above

While I won’t say that every pirate repo or piracy source if guilty of this, many of them are. People are usually motivated to do things for a reason, and money is one of them. This isn’t the place to give a lecture on piracy and the ethics of such, but just know that by pirating tweaks and apps, you’re assuming a significant risk by doing so.

Be skeptical

That’s not to say that you should put on your tin foil hat, but you should be discerning and at least a little bit skeptical. Even tweaks on the Cydia Store’s default repos, as we’ve seen in the past, can contain malicious pieces of code. Heck, App Store apps have in the past as well.

The point is—think about what you install before you install it. If it’s from Cydia’s default repos, then there’s a 99% chance it’s safe to use. Still, be aware of what you’re doing, be a bit skeptical, and know exactly what you’re installing and why you’re doing so.

OpenSSH and your Root Password

Another good thing to do is avoid installing OpenSSH unless you absolutely need it. There are some instances where you may need to connect to your iPhone via SSH, but the average jailbreaker won’t need to do this.

Also, be sure to change your root password if you’re jailbroken. Again, the likelihood that you’ll be compromised is extremely low, especially if you’ve followed all of the steps above, but it’s still a good idea to change your root password if you can. You can learn how to change your root password via this post.

Stay safe out there

While nothing, even a stock iPhone, is 100% fool proof, it must be acknowledged that jailbreaking your iPhone does increase the likelihood of a system compromise. That likelihood, in actuality, is still very unlikely if you follow the steps outlined above, but I don’t want to sugarcoat a reality.

Even with the added risk, if you follow these easy-to-abide-by rules, then you greatly reduce the risk of any sort of compromise of your iPhone and its data. The most important thing that you can do, as stated, is enable Two-Factor Authentication. By simply taking that step, you lock down access to one of your most valuable digital assets.

Use common sense, and have fun! Jailbreaking is still very awesome, and this won’t steer me away in the slightest. I’ll just be that much more careful. Also, be sure to keep up with the posts here on iDB. We were the very first blog to report on the latest iCloud hack, and we’ll be sure to keep you informed on any additional ongoings related to security in the future.

What do you resolve to do?

  • osm70

    How do I login to my 2FA protected account if I lose my iPhone?

    • You have a backup key.

      • Hung Vuong

        How to backup 2FA key

      • Kyle

        Print it twice.

      • theapple99

        Awe Jeff i already made my tin foil hat and you said not to put it on. 🙁 LOL

  • Jonathan

    Excellent post. Very informative. Even I learned a couple things!

  • Zencowboy007

    Yep, well written and well organized, plus good tips, Thanks;-)

  • stevefe84

    I did not know 2FA exists for Apple. Good news.
    Also, this is a very good article. I’ll make sure to share it with people, I know are jailbreaking too.

  • Bowser Koopa

    jeff how do I know a repo is shady? It doesnt have any pirated stuff on it, should i be ok? Should I change my apple id password just incase?

    • – If a repo contains pirated tweaks or tweaks that aim to allow the user to pirate content from legitimate apps
      – If a repo is filled with ads that behave abnormally (eg. ones that pretend to be download links, ones that force-redirect you elsewhere, or ones that say you have to install an “update” or something else in order to complete your download)
      – If a repo is filled with repeats of tweaks that are already freely available in the default Cydia sources
      – If a repo asks you to install lots of “prerequisites” in order to complete your download

  • iPleiades

    b). steal your credentials and sell them to the highest bidder

    c). infect your machine with ad-hijacking trojans

    Please provide proof of this.

    • Niclas

      Unflod

  • n0ahcruz3

    Thats why when u jailbreak, jailbreak an old iphone the one without any credit card info, etc. i will only jailbreak an ipod touch or an ipod.

  • HamptonWalley

    I guess the best solution is just do not install Jailbrake!

    • Keith S.

      Sigh. TL;DR, eh? *smh*

    • Niclas

      Not the best, but the safest.

  • Nayk McNulty

    if anyone knows why the Croatian not working i cannt turn on two-factor autentification??

  • (JailbreakQA) King Shoot

    Typo in the article: *your phone

  • Nothing I didn’t already know but good advice all around.

  • mrk

    if my phone is jailbroken, but do not have openssh installed. is changing the root pw still recommended?

  • Ex mea sententia

    Jeff do you know that MobileTerminal on Cydia supports up through iOS 7 and doesn’t run on 8? So the link above on how to change your mobile password is obsolete. Is there a safe place to get it anymore?

    • laurnzo

      You need to do some research before spewing your guts out on here. There is a mobile terminal for ios 7/8 by Lamerz on cydia. You are very welcome!

  • Vacak Veronika

    Anybody still doesnt understand how to unlock AT&T devices PERMANENTLY??? I know an excellent website! Move look up att–iphoneunlocking, only get people 6 days to unlock!