So, today, I’m going to rescind Monday’s entry. I read a bit more about the actual technology behind jailbreak.me, which can be done on your iPhone via Safari, and brother, it is scary. This should never have been labeled as “freely-available jailbreaking,” but rather “a code exploit free in the wild.”
To explain: this code exploits a vulnerability in iOS’ PDF implementation. When you load a PDF, the system has to additionally load the typeface files associated with that PDF, and that can cause a stack overflow. Once that happens, your iPhone ignores its typical security processes and loads the code for the jailbreak instead.
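To make that overflow concrete, here is an added example (not code from the jailbreak, from iOS, or from the original post): a toy interpreter for glyph instructions embedded in a font, first with the missing bounds check and then with it. The bytecode format, opcode values, `MAX_OPERANDS` limit and function names are all assumptions made up for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed toy glyph bytecode, not a real font format. */
#define MAX_OPERANDS 48 /* assumed operand-stack limit */
enum { OP_PUSH = 0x01, OP_ADD = 0x02, OP_END = 0xFF };
enum { FONT_OK = 0, FONT_ERR_OVERFLOW = -1, FONT_ERR_UNDERFLOW = -2,
       FONT_ERR_TRUNCATED = -3, FONT_ERR_BAD_OP = -4 };

/* Before: trusts the font data. Once sp reaches MAX_OPERANDS, every further
 * OP_PUSH writes past stack[] into neighbouring stack memory. Never call
 * this on untrusted input; it is here only for contrast. */
int run_glyph_unchecked(const uint8_t *prog, size_t len, int32_t *out) {
    int32_t stack[MAX_OPERANDS] = {0};
    size_t sp = 0;
    for (size_t i = 0; i < len && prog[i] != OP_END; i++) {
        if (prog[i] == OP_PUSH) stack[sp++] = prog[++i]; /* no limit on sp */
        else if (prog[i] == OP_ADD) { sp--; stack[sp - 1] += stack[sp]; }
    }
    *out = sp ? stack[sp - 1] : 0;
    return FONT_OK;
}

/* After: every index is validated before use; malformed data is rejected. */
int run_glyph_checked(const uint8_t *prog, size_t len, int32_t *out) {
    int32_t stack[MAX_OPERANDS];
    size_t sp = 0;
    for (size_t i = 0; i < len; i++) {
        switch (prog[i]) {
        case OP_PUSH:
            if (i + 1 >= len) return FONT_ERR_TRUNCATED;      /* operand missing */
            if (sp >= MAX_OPERANDS) return FONT_ERR_OVERFLOW; /* stack is full */
            stack[sp++] = prog[++i];
            break;
        case OP_ADD:
            if (sp < 2) return FONT_ERR_UNDERFLOW;
            sp--;
            stack[sp - 1] += stack[sp];
            break;
        case OP_END:
            if (sp == 0) return FONT_ERR_UNDERFLOW;
            *out = stack[sp - 1];
            return FONT_OK;
        default:
            return FONT_ERR_BAD_OP;
        }
    }
    return FONT_ERR_TRUNCATED; /* ran off the end without OP_END */
}
```

The checked version turns a font that pushes one operand too many into a rejected file instead of a memory write the document's author controls.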
Apple will probably (read: definitely) fix the vulnerability in its next release of iOS, but for now, it’s a thoughtful illustration of the true nature of hacking into software: neither “good” nor “bad”, merely an execution of code. It’s interesting to see this very public example of those principles in action and under definition, then revision. While initially presented as “good,” it is actually very clear that it could be used for “bad” results, and Apple will more than likely portray it as “evil” or “wrong.” I’m going to call this one a PR win for Apple as folks quickly re-secure their phones with a fresh install of iOS4, once they decide they’re not comfortable with jailbreaking considering what it entails.