Pangu iOS 7.1.1

Pangu was recently subjected to trust issues after a thread made it to Reddit claiming that some users had unauthorized charges from Beijing on their PayPal account after jailbreaking, others had their Facebook account show login attempts from various Asian countries, but mostly from China.

Despite all of the confusion, Pangu has made an official statement, and we have the scoop.

What exactly happened?

Over the weekend, a disgruntled jailbreaker took to Reddit claiming that he had jailbroken one of his devices with the Pangu jailbreak tool for iOS 9.3.3 with a burner Apple ID. After an hour or so later, he claimed he had noticed charges on his PayPal account originating from Beijing with an unknown email address.

The same person also claimed he wasn’t using any piracy stores or repositories, and the Beijing origin certainly seemed incriminating for 25PP, considering that the 25PP jailbreak originally came with a Beijing enterprise developer certificate. Within the following minutes and hours, other users also chimed in, noting they had some of their online accounts hacked as well.

Some people claimed having their debit/credit card accounts hacked after jailbreaking, while some go as far as to say their Facebook accounts were hacked following their jailbreak. For those were finances were involved, charges were as little as $50 and went up from there, with one person claiming 600 individual charges on their credit card.

The post got tons and tons of up-votes, as one of peoples’ main concerns from Chinese jailbreaks are their security and legitimacy. After all, when you can’t read what a jailbreak tool is saying, you never really know what you’re agreeing to or clicking on. The post effectively fed off of everyone’s worst fears and quickly made to the top the /r/jailbreak sub-reddit.

Saurik later hopped onto the same thread to chime in. He had noted that he’s not particularly excited about the way the PP jailbreak tool handles stuff. Nevertheless, he created Cydia Impactor as a safe way to jailbreak your devices because it sends your Apple ID directly to Apple and no one else.

I don’t particularly like the concept of installing the 25PP tool (edit: this sentence used to say “trust”, but I think that was confusing), as Chinese companies tend to have software that is pretty intrusive and even “combative” against competitor’s software, and in general I am concerned about the way people do signature stuff (as it is just so much easier to do the signing on a server…) which is why I worked so hard to make Impactor be able to do all the signing and communication locally. That said, 25PP’s profit model would probably benefit from local signature work, so I can see them having the existing expertise and taking the time to do that “correctly”.

Does that mean 25PP sends your Apple ID information off to third-party sources? Well, that’s a tricky question to answer, and no one really knows. That’s why we recommend avoiding it and using the English version of the jailbreak from Pangu instead.

Despite what seems like a gloomy conversation, Saurik comes back saying that he trusts the Pangu jailbreak team, despite the mystery surrounding the joint 25PP/Pangu jailbreak app and the Chinese Windows tool.

I will also say I trust Pangu a lot… but I don’t know if the Chinese version of their app was only touched by them. I bet the English one was their work only, though you are downloading it from 25PP, which opens some issues: do you trust the employees at 25PP with control over their servers? I would say that it would be dumb to do quickly be trying to attack people rather than racking up more credentials before anyone becomes suspicious. You have to remember that there are millions of people who jailbreak. And Pangu specifically listed this subreddit on their website as a place to talk to people about their issues, so we are going to be seeing tons of people. Do we really have evidence that this is an issue with the jailbreak process as opposed to a string of random attacks that are being noticed here because we are all being extremely suspicious this week?

If anything, I bet there was just some website, maybe it was even one we all use more often than other people (like reddit! ;P) which was hacked in some way, and people were sharing passwords between there and PayPal, and that hack just happens to have happened at about the same time the jailbreak came out.

According to Saurik, there’s just not enough evidence that 25PP was actually the root cause of the unauthorized charges on the user’s PayPal account.

To be completely fair, it may have been a complete coincidence. The person may have even bought something online from a company that originated from the same location, or may have had a virus on his PC when he accessed his PayPal account from it. For all we know, maybe he actually was running pirated software on his device despite what he said.

There are too many unknowns to know for sure. And it’s just not wise to start pointing fingers, especially at those who bring jailbreaks to us free of charge.

To top things off, Pangu on Sunday made the decision to make a public statement on Twitter that defends their position from a lot of the criticism and slander they’ve faced from this ordeal.

In what appears to be a relatively frustrated response with this Reddit post and users’ reactions to it, Pangu clearly notes that they do not take money (nor does 25PP) as it would be “stupid.” They also wish to find out what really happened so the fears originating from confusion can be cleared up.

Pangu also appears to have made an official Reddit account to take a more active role in making postings and answering questions.

This might help foster trust with jailbreakers in the future, especially those who have lots of questions about the security and legitimacy about Chinese jailbreaks.

Is it safe?

Currently, no iDB team members have had any accounts compromised or have seen any unauthorized charges to our financial accounts. Moreover, our devices are running perfectly fine with our favorite jailbreak tweaks.

If you were interested in jailbreaking iOS 9.3.3, we see no reason not to, as the only major hurdles are side-loading the app on a weekly basis or semi-untethered booting your device after every reboot. One might also attempt to install the 1-year enterprise certificate on their jailbroken device to try and circumvent having to side-load their jailbreak app on a weekly basis.

When it comes right down to it, a jailbreak makes your device less secure. It opens your device up to more exploits because Apple’s security measures are no longer in control of your device; you are. I think the well-respected Luca Todesco says it best in this Tweet:

Every jailbreak is a trade-off between security and customization. But that’s not to say that the jailbreak was the cause for all these hacks. There isn’t enough evidence to blame the jailbreak for these people’s compromises, which may have in turn been caused by their own gross negligence.

Wrapping up

Although it seems scary, this kind of thing seems to pop up after every Chinese jailbreak is released. We’re not sure if it’s true or if people are just desperate for attention, but we can certainly say that nothing has happened to our personal accounts yet and we can also say that if Saurik vouches for Pangu, we do too.

One thing we will say is that if you jailbreak iOS 9.3.3 at all, you should use the English tool from Pangu and avoid the Chinese jailbreak tool for Windows that was a joint release between Pangu and 25PP. This will be your safest bet.

Also read:

What’s your opinion on the Pangu jailbreak for iOS 9.3.3? Share in the comments below.