Rooting and jailbreaking - why do we trust the hackers?

[pm]

As a preface, I've been hacking my iPhone since the beginning - when GeoHot took the back off of his iPhone and and scraped away the trace and soldered up wires to open the JTAG port on the baseband CPU of the first iPhone... I was right there with him (virtually speaking) doing it to mine.

That said, the issue that I have with both jailbreaking (I have an iPhone 4) and rooting (I have an Asus Transformer) is that both essentially open up the underlying OS to give the user root control... but they use programs written by a bunch of anonymous people who could easily put some kind of payload in and no one would know... except maybe other hackers.

I've jailbroken my phone, but once I do I never use to access any bank accounts, I don't buy things online with it, I don't use my primary email account on it any more. I don't do anything at all that gives away majorly important information... I simply don't trust the hackers and the rooting guys and all the app guys not on the main app stores not to be watching me... once they have root access, they can do anything they want. I don't think that I actually believe that they really are watching me.. but I assume they could be.

Am I the only one paranoid enough to think like this? So my question to everyone more normal than me who roots/jailbreaks mobile devices... why do you trust these guys?

 

[Bateluer]

As a preface, I've been hacking my iPhone since the beginning - when GeoHot took the back off of his iPhone and and scraped away the trace and soldered up wires to open the JTAG port on the baseband CPU of the first iPhone... I was right there with him (virtually speaking) doing it to mine.

That said, the issue that I have with both jailbreaking (I have an iPhone 4) and rooting (I have an Asus Transformer) is that both essentially open up the underlying OS to give the user root control... but they use programs written by a bunch of anonymous people who could easily put some kind of payload in and no one would know... except maybe other hackers.

I've jailbroken my phone, but once I do I never use to access any bank accounts, I don't buy things online with it, I don't use my primary email account on it any more. I don't do anything at all that gives away majorly important information... I simply don't trust the hackers and the rooting guys and all the app guys not on the main app stores not to be watching me... once they have root access, they can do anything they want. I don't think that I actually believe that they really are watching me.. but I assume they could be.

Am I the only one paranoid enough to think like this? So my question to everyone more normal than me who roots/jailbreaks mobile devices... why do you trust these guys?

I understand your concerns. Just curious though, do you look at the permissions of every app you install?

After following many of the developers on Twitter, and on their respective dev sites, I trust some of them more than I trust m carrier. Developers want people to be able to use their phones to their fullest potential. Carriers want you to use your phone as they want you too, and pay them for every kilobyte while you're doing what they let you do.

 

[poofyhairguy]

Great question. I think for me, the answer to the basic question, "Why do you trust these guys?," is "why do you trust any group?" All the phones are liabilities, all software comes with that huge EULA that you waste your life reading all the way through. Sure maybe Verizon, or Motorola, or Apple or whoever isn't going to spy on me themselves, but through their ignorance they could have left a hole that isn't plugged till its too late. Ask Sony what happens when you trust almost any platform with your data.

At least the hackers will have the decency to respond to my questions in a forum or chatroom, and they seem to have the same motives as me- the fun of hacking. That is why I will happily use my jailbreak iPhone or my Hackintosh (with custom bios)- the odds of one of those hackers going out of their way to steal your info is infinitesimally small compared to the odds of some random person stealing you credit card number after a transaction (aka plain old identify theft).

If it really bugs you, luckily the open option does exist. It doesn't have to be a black box- you can get a android phone and run your own CM7 after coming through the code. But most people don't have those options. We have to have faith.

 

[Dulanic]

As a preface, I've been hacking my iPhone since the beginning - when GeoHot took the back off of his iPhone and and scraped away the trace and soldered up wires to open the JTAG port on the baseband CPU of the first iPhone... I was right there with him (virtually speaking) doing it to mine.

That said, the issue that I have with both jailbreaking (I have an iPhone 4) and rooting (I have an Asus Transformer) is that both essentially open up the underlying OS to give the user root control... but they use programs written by a bunch of anonymous people who could easily put some kind of payload in and no one would know... except maybe other hackers.

I've jailbroken my phone, but once I do I never use to access any bank accounts, I don't buy things online with it, I don't use my primary email account on it any more. I don't do anything at all that gives away majorly important information... I simply don't trust the hackers and the rooting guys and all the app guys not on the main app stores not to be watching me... once they have root access, they can do anything they want. I don't think that I actually believe that they really are watching me.. but I assume they could be.

Am I the only one paranoid enough to think like this? So my question to everyone more normal than me who roots/jailbreaks mobile devices... why do you trust these guys?

For android I trust them because the ROMs code is open source at least on xda they require they post the code.

 

[ponyo]

I have the same concern. But I still flash but not as often as in the past. But your point is very valid.

 

[Anubis]

what method did you use to root the transformer? i need to get around to doing that

 

[akugami]

I'm paranoid to a degree. If my phone is JB'ed, I don't access sensitive web sites or stuff. With iOS 4, it is feature complete enough that I haven't felt the need to JB the phone. So I do access stuff like my credit card account, my insurance account, and even my bank account. And yes, there are apps for that.

It really is a good question though. We're opening ourselves up to attacks by trusting a bunch of anonymous folks with our sensitive data. With that said I do trust the JB's and rooting to a degree. There are a lot of technologically adept folks out there analyzing these devices after they've been JB'ed or rooted. Granted moreso on the Android side of things. If the rooted or jb'ed devices were playing some hanky panky someone somewhere would notice.

 

[pm]

I understand your concerns. Just curious though, do you look at the permissions of every app you install?

Actually, I honestly do look at the permissions of every Android app that I install on my Transformer. On my iPhone, I can't but I do trust the Apple sort of has my back (since anything going wrong would be a PR nightmare for them). But even if I didn't, it's not the same thing. Rooted apps have root access - they can do anything - whereas standard apps run in the standard OS space and have much fewer permissions.

After following many of the developers on Twitter, and on their respective dev sites, I trust some of them more than I trust m carrier. Developers want people to be able to use their phones to their fullest potential. Carriers want you to use your phone as they want you too, and pay them for every kilobyte while you're doing what they let you do.

It's not the developers that I'm worried about... it's the rooted builds and apps that require root to run.

 

[vshah]

if a root app has hundreds of thousands of installs with no complaints or news about it, i'm pretty much going to assume it is safe. also many are open source, so you can see for yourself, and even build it for yourself if you'd like.

 

[pm]

what method did you use to root the transformer? i need to get around to doing that

I actually haven't rooted my Transformer - I mostly threw that in there to give me Android-cred so that I look bipartisan.

Actually of my three devices - I have an iPhone 4, an iPad (1st gen) and a Asus Transformer - the only one that I have jailbroken is the iPad and that was so that I can individually delete photos off of photo cards using the "Camera Connection Kit" (without JB'ing you have to delete all or none). But I am being honest, I won't access anything important with the JB'd iPad - if I need to check my bank balance, I only use the iPhone (which I trust).

 

[pm]

if a root app has hundreds of thousands of installs with no complaints or news about it, i'm pretty much going to assume it is safe. also many are open source, so you can see for yourself, and even build it for yourself if you'd like.

Yeah, that's actually always been my way of thinking about it. That there's enough totally OCD people out there who check this stuff that they are watching out for this stuff and they'd go public if they saw anything.

It is good to know that builds like CM are open source - I trust open source a lot. Although theoretically, you could stick something nasty in the binary and then not in the open source... most people grab the binary. But yeah, if it's open source, I'd trust it too.

 

[akugami]

Oh. I'd like to add that you can't even trust certain apps on the Android marketplace. Google does not keep the close check that Apple does. In this case, Apple's anal insistence on controlling everything actually benefits the user.That doesn't mean that iOS apps are completely safe. We've had more than one case of "undocumented features" being present on iOS apps.

 

[SunnyD]

I was going to quote the relevant part of the op that I thought mattered, but in retrospect, it ALL matters.

Let me ask you a question here: Do you do any personal business on your computer? Such as online banking, etc.?

If your answer is yes, then you've likely already compromised your security. Your PC, regardless of Windows, Linux or Apple-ness, has enough loopholes to make a rooted phone look secure by comparison.

The long and the short of it is no matter how secure you think a given product is, you're wrong. Be it from the manufacturer, or public domain, odds are something has been exploited and your personal information is readily available to the wrong people. Live in a world of cynicism and you'll begin to realize that there's nothing worth worrying about, because your worst fears have already likely come true. These are the benefits of living in a modern communicative connected society.

Disclaimer: I work and am responsible for the security of the entire software line my company puts out. Basically, it is my job to protect our revenue stream. Even upper management understands that security is a reactive practice, and that given the desire, and piece of software is vulnerable.

 

[smitbret]

Because Hackers are infinitely more trustworthy than the corporations that built the phones in the first place.

 

[BenSkywalker]

Rooting and jailbreaking - why do we trust the hackers?

By your own admission you are trusting a man who has put his own daughter at risk of starvation, including committing perjury to sustain said danger, while sitting on hundreds of millions of dollars. On the other side you have guys who not only support hundreds of thousands of people on their own free time, but even let us look at the source code.

Because Hackers are infinitely more trustworthy than the corporations that built the phones in the first place.

Lulz and Anon make that statement clearly misleading. If given a blind choice to trust a 'corporation' or trust a 'hacker' then the decission is fairly easy, the corporation. If the choice is between a person guilty of perjury who conspired to make his own child suffer versus a developer of cellular tools then that changes the discussion entirely.

Trust is a question of ethics, you name any given cellular dev versus the CEO of the company you trust, I'm going with the cellular dev and the overwhelming majority of the time I'm going to pick the person with the better ethics(without knowing anything about them). Anyone can go full blown tinfoil hat if they want to, and I honestly don't think Apple would do anything much different with your information then most other companies, but bringing up morality and ethics of cellular developers while trusting Steve Jobs is rather comical honestly.

 

[corkyg]

Because Hackers are infinitely more trustworthy than the corporations that built the phones in the first place.

That is a very naive and dangerous notion. BenSkywalker has it right.

 

[runawayprisoner]

I think it's worth noting that with regards to Steve Jobs, you know you can gain something by suing him with a valid case.

It might not be so if you were to sue a hacker hiding in his basement.

Edit: Just to clarify: I don't mean to say that all hackers are like that or that my general assessment of them is as said, but it is a possibility from my point of view.