Interview: BigBoss repo maintainer talks security and user responsibility

Cydia BigBoss repo

By jailbreaking their devices, most users know what they expose themselves to. When breaking down the walls Apple has built to protect their security and privacy, jailbreakers put their fate in the hands of a handful of people. Done with basic principles in mind, jailbreaking can be very safe. I, for example, have been jailbreaking every iOS device I have owned since 2008, and I have yet to encounter any issue whatsoever.

Being cautious starts with being aware of what you install on your jailbroken device. Limiting yourself to the default repositories is good practice, as these repos do an outstanding job of analyzing jailbreak apps and tweaks before making them available for download, ensuring that the end user is as safe as possible.

But there is always that slight chance that a malicious tweak has slipped through the cracks and made its way into Cydia for millions of potential users to download. Nothing is 100% safe, but safety measures can be put in place to ensure the highest possible level of security. This is the job of repo maintainers.

We have talked to representatives of the two largest default repositories on Cydia to ask how they ensure the safety of their users. In a two-part series, we will publish their answers, starting today with Optimo, repo maintainer for BigBoss. Tomorrow, we will publish answers from Kyle Matthews of ModMyi.

BigBoss repo maintainer Optimo answers a few questions

How many tweaks are submitted each week or month on average? Out of these, how many are accepted?

I don’t keep data to refer to. Considering everything including tweaks, addons and apps, I would guess hundreds of submissions are processed, while dozens of those are new items each month. At our busiest times we can be rejecting nearly as much as we accept. We sort through a lot of substandard items. Some rejected items are made acceptable and then reconsidered.

Can you please describe the process between the moment a tweak is submitted to BigBoss to be added to the repo and the moment this tweak is live on the repo and ready to be downloaded?

Most submissions of the free variety are processed within a day of submission and added to the repo each day. A new package is created based on the submitted content. The submitted item contents are examined and details organized so they fit into our packaging guidelines. Submitters tend to forget or leave out some details, so we will follow up by contacting them. The item’s depiction is tailored and then the new package information is synchronized to our servers. Paid items follow a similar process.

We regularly engage with the tweak makers. Many first-time submissions by new developers are missing details or contain a technical nuance that requires clarification. Part of the job I do is working with the submitters towards maintaining a standard of quality across our published items – to make sure we’re all on the same page. Hopefully our newcomer developers can receive guidance and learn something they can use to become better at their craft. A fun and engaging developer community is supported by shared values like respect for peers and their works, and from developers working to become responsible members of their community.

What are the safeguards in place during that process? A clear explanation of the security scans would help.

The significant process at work is a review of the submitted materials by an experienced repo maintainer. Care is taken in processing the variety of kinds of software that might be submitted. One downside of a semiautomatic scanner is that it can mean turning that responsibility over in part to the scanner. I prefer the more effective hands-on approach. We may employ a variety of developer tools to perform inspection on material if necessary.

There is careful oversight by the repo maintainer or processor, but users should keep in mind that nothing is perfect, not even the App Store review process. Our efforts are always working towards keeping a level of quality of the published software; that it works as described and does not do something odd or unexpected and respects users’ interests.

Contrary to what some may presume, the repos do not promise that our oversight provides 100% fool-proof protection against 3rd parties. We can make no such assurances. We aim to have packages that are reasonable to install. If something is not quite right, we will examine it more closely, contact the authors personally to open the discussion, and seek feedback from saurik and other knowledgeable developers.

If a submission looks odd or does something weird, it’s going to be held for questioning until we have satisfactory answers about its peculiarities. It is good to get to know the parties that are submitting when possible. As individuals, we all ought to take responsibility for our own security when using 3rd party software. In any case, the community repo maintainers do try to review items thoroughly, but we will not extend any guarantees about the security standing of the items we accept and publish.

Are select developers whitelisted by default and allowed for a faster approval process? Or are all developers on the same level when it comes to review process?

Items reaching us via our submission system are all treated the same and fairly. Free items naturally reach the public sooner than paid items, which require registration with Cydia Store before they can be published. I’m not sure how this question is related to the security subject, but new submissions are all roughly examined to the same degree.

How often do you catch malicious packages? Is there some sort of trend or has it been relatively stable over the years?

We are all lucky in some respects. Our community has not been frequently a target of wrong-doers, even after all these years. There are a few notable exceptions in the past years and very recently. Sometimes we catch submitted items that appear suspicious or have red flags, and they wind up being held or rejected perpetually. Often those items do not make it onto the repo.

The repo maintainers have done their job well over the years, no doubt catching some things that are questionable and even objectively a danger to a user’s device, though that more often happens by innocent mistake by the developer than by malicious intent. This could trend further negatively; as platforms become more popular, that trend is more likely. Of course, any time is a good time to be sure you know what options are available to you for keeping yourself and your device secure.

The recent exceptions that have reached the public were supposedly targeted at the Chinese portion of the jailbreak base in order to repurpose the user’s personal/device details. That was caught by the public. Though it should not be taken lightly, the origins of that particular malware were not the default community repos but other 3rd party sources. Packages that are malicious by intent are a rare thing to see submitted to the repos.

Back in July, a tweak called Lock Saver Free containing a trojan was added to the ModMyi repo. Have you ever had a similar situation happen to you? If so, how did that happen? How long did it take you to figure it out and take action? What preventive steps did you put in place to make sure this doesn’t happen again?

One earlier incident in our community involved several items submitted to the two biggest repos by the same maker. The software was designed to serve a utility, but it also was programmed to generate revenue for the maker by injecting advertisements onto the user’s Home screen. Regrettably, several of the tweaks contained these methods, and over several months went almost unnoticed. User reports were taken into account and investigated and the items were removed. You can read more about this ad-injecting software here.

We considered whether new policy needed to be made about packages with weird ad-related content. The advertisements being injected onto the Home screen was not a disclosed feature of the tweak submission and was missed in our reviews. Once reports were substantiated and details confirmed, the repos acted to remove the offending items and reprimand the submitter. The widespread confusion and attention it caused outweighed its appeal and usefulness, making it an unwelcome commodity.

These tweaks could have been called a trojan, but it’s important to make the distinction that they weren’t intended to steal or repurpose users’ personal data. Displaying advertisements is a common way that some software makers earn revenue, and we generally support it, but not to that extent. It crossed a line. It did shine a light on the maker’s techniques, and much of the community blacklisted it immediately. I like that at times our community developers take it personally when a bad peer acts out, and they share their opinions with the public. It can reinforce the good qualities of our developer community — acceptance by one’s peers is a powerful motivator. It’s more than what could be accomplished by a reprimand from a repo manager.

What steps are taken when a malicious tweak is detected?

Whether we find something in our review or we receive a report of a package with questionable contents or behavior, and depending on the nature of the complaint or symptoms, we will send out a notice to the author/submitter and remove the item from the repo as soon as possible. We will also notify saurik and Britta, and notify community members including the other default repos so they can be aware of the offending software or submitter so it is not mistakenly accepted elsewhere.

What are some of the worst malware you’ve seen in tweaks submitted to BigBoss?

The tweaks that injected ads may be the worst ‘malware’. Malware implies intention to do bad things. Stealing ad revenue, while not stealing from the user, is still a bad thing. One can argue that these examples did not pose a threat to users or their data like other kinds of malware, but they were not welcome all the same. You can read more about this ad-injecting software here.

More often seen are honest mistakes by newcomer developers. They may not yet have read or learned about an important subject, or absorbed a moral principle that the community deems valuable, and it is reflected in their submission. With that in mind, for packages that do things not in the best interest of the users, or that violate a packaging guideline, or ‘do the wrong thing’ to some degree, we will make efforts to sort that out before they’re accepted. That often means contacting the submitter to let them know about our objections and see if we can work with them to improve the offering before accepting it.

Check out this page for a list of known malware that have targeted both jailbroken and non-jailbroken iOS devices.

Your repo went down for a certain period of time last month. The next day, ModMyi repo went down too, which is something I can’t recall happening in the past. Was this just a terrible coincidence, or is there more to it than just bad luck?

On that day when both of the repos were unreachable, it was most likely a denial-of-service incident upon our server(s). That is just a normal part of the business of operating a web server. That might happen on occasion, but we’ve been relatively spared in that regard over the recent years. The day our repo was unavailable for some hours, I recall we had some unscheduled maintenance that unfortunately made for some real down time. That was just poor luck.

As iOS grows in popularity and is gaining ground in places like China, do you feel this makes the platform a bigger target for hackers? How do you feel about the general security of jailbreak tweaks developed for iOS going forward?

I don’t like the running narrative that many Chinese jailbreak users are more susceptible to hacks, but that seems to have just happened recently. Maybe it’s because of the software they used not being carefully checked before it was published. It might have lacked oversight. Perhaps the spread of iOS into China does mean the platform becomes a bigger target by volume.

Malware would not be specific to one nationality. The affected users might have been misled or they put trust into a software distribution system which failed at its oversight. Growth of iPhone in general means a larger jailbreak audience, which I suppose can mean more niches for hobbyists that like to dabble in bad software instead of good. Repo maintainers will need to adapt as the community grows. If you find something suspicious, please let the repo hosts know.

I feel that users need to take some personal responsibility to assure their own device security. Repos fill a role and do their best to make our community safe and organized, but it’s not a perfect system. If one blindly accepts that all the items published by the repo are free from risks, that may be letting your guard down. 3rd party software can carry risks, although historically the incidents are very low amongst the default community repos. By being diligent about the subject and researching the topics of device security, risks can be minimized in your day-to-day use. You can start learning more here.

Anything else you’d like to say or clarify?

As maintainer for the largest tweak hosting repo, I keep closely in contact with our developer community on purpose to have a strong working relationship. I try to meet our developers where they like to hang out: Twitter, reddit, IRC. This cooperation is often established even well ahead of their submissions to the repo. This relationship is invaluable in my opinion. Often we find that we’re helping guide them down the right path, and make healthy decisions about the liberties they have as a 3rd party piece of software. Education about these subjects has benefitted all parties involved, from developer to users. The repos will work quickly to rectify a bad situation that is uncovered.

There’s been a public concern recently over reports of ‘malware’. The subject of malware is broad and sometimes intimidating. And some of the subject is rather new to mobile platforms. Our community has been relatively free of the concern of this subject until recently. What the future holds in this regard is unknown, but the default repos will continue to work for the community. Knowledge is power, and educating one’s self can make you safer. Quality information can help dispel myths and fears — upon hearing something vague about reports of malware affecting jailbreakers, for example. We need not jump to conclusions on this subject, but sharing with your peers something odd you experience, and posting the subject on forums can help us all learn quickly and adapt.

If your device is jailbreakable it also might not be secure without some additional configuration. The nature of jailbreaking means that your device is potentially less secure once the software ‘hole’ is exploited and known to the public at large. Over time security researchers find more holes in iOS security, and Apple makes updates to fix the security. Their iOS updates often mean losing your jailbreak, however. So keeping your jailbreak may be a compromise of security. If you are generally concerned about security and wish to keep your jailbreak, you may want to research and get to know the options available to you for making your device and data as secure as you need it to be. It can be helpful to secure your personal device from software threats and from physical access. You can read more here.