iOS jailbreaking

iOS jailbreaking is the use of a privilege escalation and kernel exploit to remove software restrictions imposed by Apple on devices running iOS and iOS-based operating systems. It is typically done through a series of kernel patches. A jailbroken device typically permits root access within the operating system and provides the right to install software unavailable through the App Store. Different devices and versions are exploited with a variety of tools. Apple views jailbreaking as a violation of the end-user license agreement and strongly cautions device owners not to try to achieve root access through the exploitation of vulnerabilities.
While sometimes compared to rooting an Android device, jailbreaking bypasses several types of Apple prohibitions for the end-user. Because it includes modifying the operating system, sideloading applications that have not been officially approved, and granting the user elevated administration-level privileges, iOS jailbreaking is technically different from Android device rooting.

Motivation

Expanding the feature set that Apple and its App Store have restricted is one of the motivations for jailbreaking. Apple checks apps for compliance with its iOS Developer Program License Agreement before accepting them for distribution in the App Store. However, the reasons for Apple to ban apps are not limited to safety and security and may be regarded as arbitrary and capricious. In one case, Apple mistakenly banned an app by a Pulitzer-winning cartoonist because it violated its developer license agreement, which specifically bans apps that "contain content that ridicules public figures." To access banned apps, users rely on jailbreaking to circumvent Apple's censorship of content and features. Jailbreaking permits the downloading of programs not approved by Apple, such as user interface customizations and tweaks.

Device customization

Software programs that are available through APT or Installer.app are not required to adhere to App Store guidelines. Most of them are not typical self-contained apps, but instead are extensions and customizations for iOS or other apps. Users can install these programs for purposes including personalization and customization of the interface using tweaks developed by developers and designers, adding desired features such as access to the root file system and fixing annoyances, and making development work on the device easier by providing access to the file system and command-line tools. Many Chinese iOS device owners also jailbreak their phones to install third-party Chinese character input systems because they are easier to use than Apple's.
In some cases, jailbreak features are adopted by Apple and used as inspiration for features that are incorporated into iOS and iPadOS.

Carrier unlocking

Jailbreaking also opens the possibility of using software to unofficially unlock carrier-locked iPhones so they can be used with other carriers. Software-based unlocks have been available since September 2007, with each tool applying to a specific iPhone model and baseband version. This includes the iPhone 4S, iPhone 4, iPhone 3GS, and iPhone 3G models. An example of unlocking an iPhone through a jailbreak utility is Redsn0w. Through this software, iPhone users can create a custom IPSW and unlock their device. Moreover, during the unlocking process, there is an option to install the iPad baseband on the iPhone.

Installation of malware

Cybercriminals may jailbreak an iPhone to install malware or target jailbroken iPhones on which malware can be installed more easily. The Italian cybersecurity company Hacking Team, which used to sell hacking software to law enforcement agencies, advised police to jailbreak iPhones to allow tracking software to be installed on them.

Software piracy

On iOS devices, the installation of consumer software is generally restricted to installation through the App Store. Jailbreaking, therefore, allows the installation of pirated applications. It has been suggested that a major motivation for Apple to prevent jailbreaking is to protect the income of its App Store, including third-party developers and allow the buildup of a sustainable market for third-party software. However, the installation of pirated applications is also possible without jailbreaking, taking advantage of enterprise certificates to facilitate the distribution of modified or pirated releases of popular applications.

Package managers

A package manager or package-management system is a collection of software tools that automates the process of installing, upgrading, configuring, and removing computer programs. For jailbreaks, this is essential for the installation of third-party content. There are a few package managers specifically for jailbroken iOS devices, of which the most popular are Cydia, Sileo, Zebra, Installer 5, and, more recently, Saily.

Security of the device

Depending on the type of jailbreak, different security structures may be compromised to various degrees. As jailbreaking grants the freedom to run software that is not confined to a sandbox like that of an App Store application, as well as to modify system files, it ultimately exposes the device to the threat of malware.
Users of a jailbroken device are also often forced to stay on an older iOS version that is no longer supported by Apple, commonly because no jailbreak is available for the newer versions. While using older versions of iOS is considered safe in most circumstances, the device may be vulnerable to publicly known security flaws.
In June 2021, ESET Research confirmed that malware did exist on one of the piracy repositories in the jailbreak community. The malware actively targeted iSecureOS to try to bypass the detection, but updates to the security app were quickly released and have mitigated the malware.

Comparison to Android rooting

Jailbreaking of iOS devices has sometimes been compared to "rooting" of Android devices. Although both concepts involve privilege escalation, they do differ in scope.
Where Android rooting and jailbreaking are similar is that both are used to grant the owner of the device superuser system-level privileges, which may be transferred to one or more apps. However, unlike iOS phones and tablets, nearly all Android devices already offer an option to allow the user to sideload third-party apps onto the device without having to install from an official source such as the Google Play store, although this is expected to change in September 2026 for Brazil, Indonesia, Singapore, and Thailand, and in 2027 worldwide. Many Android devices also provide owners the capability to modify or even replace the full operating system after unlocking the bootloader, although doing this requires a factory reset.
In contrast, iOS devices are engineered with restrictions, including a "locked bootloader" which cannot be unlocked by the owner to modify the operating system without violating Apple's end-user license agreement. On iOS, until 2015, corporations could install private applications onto corporate phones, but sideloading unsanctioned third-party apps onto iOS devices from sources other than the App Store was prohibited for most individual users without a purchased developer membership. After 2015, the ability to install third-party apps became free for all users; however, doing so requires a basic understanding of Xcode and of compiling iOS apps.
Jailbreaking an iOS device to defeat all these security restrictions presents a significant technical challenge. Similar to Android, alternative iOS app stores utilizing enterprise certificates are available, offering modified or pirated releases of popular applications and video games, some of which were either previously released through Cydia or are unavailable on the App Store due to these apps not complying with Apple developer guidelines.

Tools

Types

Many different types of jailbreaks have been developed over the years, differing in how and when the exploit is applied.

Untethered

When a jailbroken device is booting, it loads Apple's own boot software initially. The device is then exploited and the kernel is patched every time it is turned on. An untethered jailbreak is one that does not require any assistance when the device boots up: the kernel is patched without the help of a computer or an application.

Tethered

A tethered jailbreak is the opposite of an untethered jailbreak, in the sense that a computer is required to boot the device. Without a computer running the jailbreaking software, the iOS device will not be able to boot at all. While using a tethered jailbreak, the user will still be able to restart/kill the device's SpringBoard process without needing to reboot. Many early jailbreaks were offered initially as tethered jailbreaks. The reason a computer is mandatory for booting is often related to the exploit targeting the device's iBoot process. While untethered jailbreaks find a way to make kernel patches persist in memory across reboots, the tethered exploit only temporarily modifies iBoot's signature verification checks. When the device is powered off, this temporary patch is lost. The unmodified iBoot then fails its integrity check on the modified files, preventing the device from booting until the computer is used to re-run the exploit and bypass the iBoot verification steps.

Semi-tethered

This type of jailbreak allows a user to reboot their phone normally, but upon doing so, the jailbreak and any modified code will be effectively disabled, as it will have an unpatched kernel. Any functionality independent of the jailbreak will still run as normal, such as making a phone call, texting, or using App Store applications. To be able to have a patched kernel and run modified code again, the device must be booted using a computer.