So the Pangu jailbreak for iOS is in full swing, now has an English version, and for a bit there, it seemed that many in the jailbreaking community over on /r/jailbreak were suddenly getting compromised. We had lots of anecdotal reports of money being siphoned from PayPal accounts, Apple accounts, suspect phone calls, that kind of thing. It seems to have settled down now, but there was initially quite a furor over this, to the point that the Pangu team actually had to defend their jailbreak.
Honestly, it was ridiculous. How many people's credentials are compromised today? Honestly, everybody's. Just about anyone who uses a computer has lost some credentials or private information via various data leaks over the last few years. The majority of us have had data leaked in multiple leaks, in fact. Don't believe me? Look for yourself.
So, were some folks victimized? Yes, absolutely. How many? Well, pretty much the same number of people that are compromised on any other day. Did this have anything to do with the jailbreak? Probably not.
So for a bit of background, the guys that released this jailbreak are affiliated with Alibaba. If you haven't heard about Alibaba, you can think of them as the Google of China. They're a large, technically sophisticated, global company with a strong technical reputation. They're not going to push something out the door to compromise jailbreaker credentials, I don't believe. I think they have too much to lose.
Furthermore, we have no evidence at all that anything malicious was in the released jailbreak. It does communicate with a couple of remote servers, but that's for a later article. I've been doing some forensics around the jailbreak, which I will continue to do. Others have too. Nobody has found any evidence of malicious intent on the part of the Pangu team.
So, is it possible that the folks over at Pangu included malware in their jailbreak? Sure. It's also possible that others injected malware into a given jailbreak IPA. Tweaks that you install can exfiltrate data from your device too.
The bottom line is, if you're jailbreaking a phone, you're deliberately disabling the security features that make iPhones the most secure mobile device on the market today, and this is risky. I never, personally, jailbreak my primary personal phone. I only jailbreak test systems, and when I do, I use a secondary Apple ID registered with a very low-limit credit card. I never do anything sensitive with those devices; I only use them for research.
If you want to jailbreak your phone to tweak it? I'm fine with that - it's your phone, after all. But know the risks.