Mobile App Testing Strategy, Mobile Labs Blog

Jailbreaking Tablets Deemed Illegal; What Does that Mean For your Mobile App Testing Strategy?

Just last week, the Library of Congress granted a three-year exemption to the Digital Millennium Copyright Act (DMCA) for mobile phones, temporarily allowing jailbreaking or rooting of smartphones without creating what would otherwise be considered a copyright violation. However, the exemption was NOT extended to tablets. Therefore, jailbreaking an iPad®, for example, is not an exempted copyright violation. To clarify, jailbreaking a mobile device consists of defeating the device’s security and effectively gaining super-user privileges over the device and all of its installed software.

This ruling impacts the enterprise as companies continue to focus on mobile app development and testing for both smartphones and tablets. It means that companies using mobile app testing processes that require jailbroken tablets face increased risk if they continue their current testing practices. In a nutshell, jailbreaking represents a statutory risk, a security risk, a business risk, and a contractual risk.  Apple® set out its objections to jailbreaking in a brief filed with the Library of Congress prior to the grant of the first DMCA exemption in 2008 (Ref. 1, Page 1).

Statutory Risk

The first and most obvious problem with jailbreaking is that technologies that rely upon it must create a potential violation of the DMCA. Avoiding a DMCA violation is only possible, however, when jailbreaking mobile phones and not tablets. Apple argued in its briefs to the Library of Congress that jailbreaking creates an infringing use of its copyrighted bootloader and the iOS operating system itself (Ref 1, Pg. 12). In the ruling of October 26, 2012, the Librarian said it granted the exemption for jailbreaking on mobile phones but noted the exemption “does not apply to tablets […] because the record does not support it (Ref 2, Pg. 65623).” So, jailbreaking a tablet may be a statutory violation.

Security Risks

Apple’s arguments against jailbreaking center on what it calls the software-based “technological protection measures (TPMs)” in its devices.  The measures are designed to protect the boot loader and the OS from modification.  Jailbreaking, Apple argues, destroys this protection, “resulting in copyright infringement, potential damage to the device, and other potential harmful physical effects, adverse effects to the functioning of the device, and breach of contract (R1, 2),” specifically the iPhone® software license agreement. Apple says it received millions of incidents of software crashes on jailbroken phones even though the software works properly on unmodified iPhones.  Apple cited an example of an app for which they received 1.6 million crash reports from 10,000 jailbroken iPhones (R1, 16).  They cite the possibility that malicious code, freed from restrictions by the jailbreaking process, could damage the phone by ignoring thermal, safety, or battery warnings or could cause interference with the cellular network (R1, 8-9).  Apple further argues that the TPMs “protect the iPhone itself and the telephone network  [... to] help prevent viruses and other forms of malware […and to prevent opening] security holes (R1, 8).”

This last contention should cause concern for jailbreaking as a security risk. The two primary ingredients for mischief are present in the device’s soup: the TPMs have been bypassed, and the actual jailbreaking code may be sourced from poorly-identified and contractually unaccountable sources.  The code to jailbreak iPhones often is delivered by an active hacker community; without implying that this community has any nefarious intent, using the code they provide may put a business in the position of running security-bypass software that employees of the business have never reviewed at the source-code level.  Bypassing the phone’s security protections with unexamined code opens the possibility of undetected exploits.

Apple’s concern is that bypassing the TPMs could enable “malware to accomplish malicious things […] such as stealing information [or giving] unauthorized access [to the phone-network processor] (R1, 8-9).” Apple explicitly outlined the dangers with respect to telephony when it explained its obligation to establish a “relationship of trust,” with carriers such as AT&T, that guarantees Apple’s products will not damage the carrier’s network (R4, 12). In particular, Apple cites increased risk of “malicious users, or even well-intentioned users to wreak havoc on the network [due to]” actions such as changing an ECID, avoiding charges for sending data, denial of service attacks against the network, and the danger that an attacker could penetrate the corporate firewall (R4, 12). In all, Apple cataloged for the Librarian the risks as follows: crashes, instability, malfunctioning, safety concerns, invasion of privacy, viruses, malware, cellular network impacts, and instability of apps (R4, 14).

Business Risks

As of November 1, the jailbreaking community is still waiting for an untethered jailbreak for the iPhone 5 (Ref 3). An “untethered” jailbreak is one that does not require a USB connection when the device is initialized.  Any technology dependent upon an untethered jailbreak for iPhone 5 is thus effectively out of commission until the hacker community delivers.  For those companies that require a jailbroken device to test mobile applications, this means waiting on the hacker community to deliver a jailbreak before testing apps on the iPhone 5 and all iOS 6 devices. Moreover, there is a risk for both vendors and customers that Apple, who actively opposes jailbreaking for the reasons previously mentioned here, will eventually evolve its technology to completely prevent jailbreaking, possibly rendering useless any investment in reliant tools or technologies.

The Library of Congress did not say that Apple is constrained from preventing jailbreaking – only that jailbreak on the iPhone is (temporarily) exempt from being considered a violation of Apple’s copyrights.  Apple has no obligation to craft its technology in such a way that jailbreaking must be possible. In effect, current jailbreaking techniques depend upon exploits and circumventions of Apple’s TPMs. The TPMs, however, were created explicitly to prevent modifications like jailbreak.  It is reasonable to assume that Apple will hold to its objective and if it ultimately does not succeed in preventing jailbreaking, Apple will most likely succeed in making jailbreaks more difficult and time-consuming. No matter where one stands on the issue of jailbreaking, Apple has made its position manifestly clear.

Contractual Risks

The Library of Congress’ exemption aside, Apple prohibits modifications to the boot loader and the operating system in the iPhone and iPad software license agreements (R4, 1). Moreover, Apple says that while it does not flatly refuse warranty service to a jailbroken device, it will refuse warranty service if the problem with the device results from jailbreaking (R4, 13). Apple said in its brief, “the modifications to the boot loader and the OS that the user makes in the course of jailbreaking – which should be referred to by the more accurate label of ‘hacking’ – therefore constitute a breach of the license agreement (R4, 2).”

Summary

The risks of jailbreaking iOS devices are very real and should be taken under serious consideration by the enterprise. In an increasingly mobile-centric world, enterprise applications must be tested for reliability, quality and performance. Continuing to rely on jailbreaking to enable testing of mobile devices and especially tablets is a risk many companies should carefully evaluate.

Prior to the most recent DMCA exemption, Mobile Labs built a new release of its mobile app test automation solution, Mobile Labs Trust™, which can test apps on all iOS devices, including iPads, without compromising the devices in any way. In fact, this functionality was made available the same day Apple announced availability of the new operating system and phone.  Mobile Labs’ judgment, informed by prospects and customers, is that jailbreaking Apple devices, the exemption to the DMCA notwithstanding, represents too great a statutory, security, business, and contractual risk for our company and our customers.

References

Reference 1: “U.S. Copyright Office, Library of Congress. Docket RM 2008-8. Responsive Comment of Apple Inc. In Opposition to Proposed Exemption 5A and 11A (Class #1).”

Reference 2: “Federal Register, Vol. 77, No. 208, Friday, October 26, 2012, Rules and Regulations.”

Reference 3: http://www.product-reviews.net/2012/11/01/ios-6-untethered-jailbreak-controversy-for-iphone-5/

Reference 4: “Docket No. RM 2008-8 Response of Apple Inc. to Questions Submitted by the Copyright Office Concerning Exemptions 5A and 11A (Class #1) of June 23, 2009.”

By: Michael Ryan

Michael Ryan serves as Mobile Labs’ chief technology officer. In this role, Ryan provides the technological vision and drives Mobile Labs Trust’s product road map. Ryan has more than 35 years of experience in leading software development teams that design and build robust and market-leading solutions for large-scale enterprise customers among Fortune 1000 companies. Most recently, Ryan was with Fundamental Software where he worked on large-scale systems CPU emulation architecture, design, and implementation. Prior to Fundamental Software, Ryan was director of development, Sr. VP of R&D, and finally, Chief Technical Officer for CASE tool vendor KnowledgeWare, Inc. Ryan served as senior staff systems engineer, field manager, and regional technical support manager for mainframe manufacturer Amdahl Corporation.
