Security of CaptureCells and CapturePacket #2
The CellGuard website has some warnings about jailbroken devices and security. Is there a specific risk when running CellGuard on a jailbroken device? Or is the guide just warning of the general risk of using a jailbroken device? I noticed that the two daemons use TCP to communicate with CellGuard; is that connection authenticated in some way, or can any executable running on the device access the data that's being gathered?
Replies: 1 comment
Hi Philippe, both of your assumptions are correct.

We put a general warning on the website to inform users that a jailbroken iPhone is great for research but should not be considered secure and used as a primary device.

On jailbroken devices, CellGuard automatically queries connected cells and baseband packets collected by the two tweaks (CaptureCells & CapturePacket) you installed from our repository. Both tweaks hook into the CommCenter process to collect the relevant data, cache it, provide it via their TCP socket, and clean the cache afterward. Only local processes can connect to the TCP sockets. However, we have not yet implemented further authentication measures. We also discussed this issue internally some while ago with different attacker models in mind:

Based on these assumptions, we assigned a low priority to this feature, but I agree that an authentication mechanism will be helpful in making it a bit harder for malicious apps to access the data collected by the tweaks (but not impossible). Some new ideas for a simple and user-friendly approach came to my mind while thinking again about this issue. I'll try to implement them in the coming weeks. Our general reasoning behind the warning on the website will stay similar, as you won't be able to achieve a security level comparable to an up-to-date iPhone on a jailbroken device.
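The reply above describes the current design: the tweaks bind a TCP socket that only local processes can reach, with no further authentication, so any process on the jailbroken device can read the cached cell and packet data. The following is an added example, not code from the CellGuard project, the tweaks, or the author of this thread. It shows one minimal way to add the kind of authentication step the reply talks about: a loopback-only server that sends a random nonce and only releases data to a client that answers with an HMAC of that nonce under a pre-shared secret. The secret, the port selection, and the JSON-like payload are constructed for the example; how the secret would be distributed between the app and the tweaks on a real device is an assumption left out of scope.

```python
import hashlib
import hmac
import os
import socket
import threading

# Constructed for this example: a secret the data consumer (the app) and the
# data producer (the tweak) would have to share out of band. Assumption, not
# anything the project uses.
SHARED_SECRET = b"example-shared-secret-not-from-the-project"
# Constructed placeholder payload standing in for cached cell data.
SAMPLE_DATA = b'{"cells":[{"mcc":262,"mnc":1,"cellid":12345}]}'

NONCE_LEN = 32
MAC_LEN = hashlib.sha256().digest_size  # 32 bytes for HMAC-SHA256


def _recv_exact(conn, n):
    """Read exactly n bytes or raise if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before sending %d bytes" % n)
        buf += chunk
    return buf


def handle_client(conn, secret):
    """Server side: challenge-response gate in front of the cached data.

    Binding to 127.0.0.1 only restricts callers to local processes; this
    step is what separates an authorized local client from any other one.
    """
    with conn:
        nonce = os.urandom(NONCE_LEN)
        conn.sendall(nonce)
        try:
            mac = _recv_exact(conn, MAC_LEN)
        except ConnectionError:
            return  # client hung up without answering the challenge
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        # Constant-time comparison so the check does not leak via timing.
        if hmac.compare_digest(mac, expected):
            conn.sendall(b"OK " + SAMPLE_DATA)
        else:
            conn.sendall(b"DENIED")


def start_server(secret):
    """Listen on loopback with an ephemeral port; return (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen()

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listening socket was closed
            threading.Thread(
                target=handle_client, args=(conn, secret), daemon=True
            ).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def fetch(port, secret):
    """Client side: answer the nonce with HMAC(secret, nonce), return the reply."""
    with socket.create_connection(("127.0.0.1", port)) as c:
        nonce = _recv_exact(c, NONCE_LEN)
        c.sendall(hmac.new(secret, nonce, hashlib.sha256).digest())
        chunks = []
        while True:  # read until the server closes the connection
            chunk = c.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
        return b"".join(chunks)


if __name__ == "__main__":
    srv, port = start_server(SHARED_SECRET)
    print("authorized client:  ", fetch(port, SHARED_SECRET))
    print("unauthorized client:", fetch(port, b"some-other-process-guess"))
    srv.close()
```

The point of the example is the distinction the reply draws: a loopback-only socket keeps remote hosts out but says nothing about which local process is asking, so a per-connection challenge is needed for the "harder but not impossible" property the author describes. A client that does not hold the secret still learns the nonce and the fact that a service is listening, which is why the author is right that this raises the bar rather than closing the gap.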