Is the iOS Jailbreak scene "dumber" than Android or is the platform just harder?


(NOTE: this answer is based on the idea that you are talking about "exploits", not just "vaguely technical concerns". I think beetling and hizinfiz answer "vaguely technical concerns" quite well with "you didn't look hard enough". However, your specific example goes down the path of exploits, as did some of the replies from you that I saw before started typing this. That is a drastically different situation.)

So, I have had a different experience, particularly with regards to XDA. Yes: you find a lot of people who are interested in talking about low-level details, and there are places to do so, but most of the discussion there is by users who are operating with very little actual technical knowledge (not because they are unintelligent, of course: just because they are still learning, and XDA's discussions are fairly accessible)... the result is massive threads full of people discussing things like "is the reason my device is slow because /dev/random is blocking?" that blow up into massive news stories, when it turns out that if you actually hook all usages of /dev/random (as someone at Google did while trying to figure out "why are these people thinking this is a problem") virtually nothing relies on that source of entropy (and certainly nothing that would block).

It is the same overall problem as the people in our community who sit around trying to talk about the "memory usage" of various things based on the wrong column in top (or worse, attempting to extrapolate it from how much "free memory" the system reports), only somehow without the checks and balances that cause that information to fizzle somewhat before it turns into "the sky is falling" proportions. To be clear: I don't think this is a fundamental problem with the Android community; in fact, I think quite the opposite (there is definitely a bunch of benefit to be had from an open and accessible community: it is one of the reasons why the field of web development is so interesting to so many people, and so fun)... however, I think the reason is much more mundane than you make it out to be, which I will get into below.

In fact, just like in the world of iOS, all of the really great hackers seem to be on IRC, often in private channels. They may visit XDA, and they may even "frequent" there, but it is closer to the way that planetbeing and I kind of pay attention to reddit and the way a lot of the dev team announces things and helps with support on Twitter: it doesn't seem to be where any of the actual "meaty discussions" are taking place, and it isn't where you need to be if you want to either participate in or even just watch happening the processes behind finding and using these exploits.

Regardless, the key problem in your narrative is that you throw out a potential reason (that the platform is "harder") and then, rather than exploring that to see whether it holds and what it would mean for such a community, you throw it away and go off on a massive rant with bold textsand doubled-up question marks that indirectly (and I feel sometimes quite directly) insults a number of the people in the iOS hacking community. :( I mean, think about it for a second: people who do work on Android seriously have access to the source code of almost everything that is running on the device... they can even recompile the stuff that runs on the device and run it in an off-the-shelf emulator... of course this is going to be easier. You might even find a legitimate bug that you can exploit without knowing a lick of assembly, much less how to build return-oriented payloads.

However, it goes much deeper than that: hacking iOS is "harder" on almost every axis. There is a single company that actually considers "security" (in quotes, as I don't consider my apartment very secure if my landlord has a key and I don't) a goal worth throwing a lot of engineering effort at, and is in a position to think about it from an "end-to-end" perspective (from the software on the laptop through all the hardware to the userland code). In comparison, there are tons of hardware manufacturers in the Android ecosystem, all of whom blunder around and make very similar mistakes to each other, and none of whom have done it long enough to get good at it yet. Meanwhile, Google themselves don't seem to bother adding any major platform-wide counter-measures (such as the kinds of improved ASLR you see on iOS).

The attack surface is also drastically different: Google seriously reimplemented the entire system from scratch, including the C standard library and all user-space tools (like mount). I, personally, have run into a bunch of silly buffer-overflows in their codebase. They also give you shell access by default. The result is that most of the exploits you see for Android end up being "simplistic". An example: setuid() is allowed to fail, so you have to check the return value. If it fails, and you don't check the return value, you are going to be left as root. Making it fail is trivial: set a process ulimit and fork-bomb your account. Now, run a setuid program that wants to become your user; if it doesn't check the error code, you win: you've just run code as root. This was one of the more commonly-used exploits for a long time on Android, and you can implement it with minimal knowledge of C.

Now, think about how difficult it is to build that vs. how long the fix window is: it takes hours to implement that, and it will take Google weeks to fix it with their process, and device manufacturers months to get it shipped. I actually implemented one of the exploits people use on Android: a guy found a bug in the Linux kernel he termed mempodipper, and after reading a high-level description it took me about three hours to put together a concrete implementation called mempodroid, that people are still using today as devices out there are still coming with Android 4.0.[123] on them, with the kernel that has this bug. That is seriously insane. Almost all of the Android exploits are like that: one stupid mistake, a few hours of frantic coding.

In comparison, it takes much more than just "one stupid mistake" to jailbreak a device running iOS. It takes a massive sequence of failures, and you have to figure out how to parlay each one to get access to the one following. Just finding all the exploits required can take months, and then building an implementation can take weeks. In comparison, the time-to-fix on this system is days: it takes Apple 6 days to get a new build out the door if you exploit something they consider bothersome enough to prioritize over their normal schedule. At best, you get weeks (if they happen to be busy doing other things, and your exploit isn't considered critical).

As one would expect, this drastically changes the way the ecosystem works: it means there are fewer people sitting around finding exploits, it means there are fewer people capable of understanding the implementations of those exploits, and it means that you are going to find fewer people discussing what they are doing until after it is already done. If you want a comparison now back to Android, to show that this isn't just due to the personalities: the Google TV rooting processes were very similar, with a bunch of work done in private IRC channels (ones I had the honor of being able to participate in occasionally) with only finished explanations and exploits coming back over the wall. To do anything else would be to make it impossible to do anything at all, as you'd talk about step 1, and by the time you figured out step 2 the patch for step 1 would have already shipped.

As another concrete demonstration, I took at look at your XDA forum link (thank you for that link, by the way: I've been meaning to look into how that exynos vulnerability worked). That is a textbook example of "one stupid mistake"... the fact that that explanation even could fit in that tiny forum post is key demonstration. In comparison, I have done presentations at the University I am affiliated with on how Absinthe/Corona worked (the iOS 5.0 jailbreak and untether that I helped a little with). This presentation takes about two hours (after which point most people are sadly still "impressed, but overall confused"), and involves discussing: a mistake in the backup mechanism, a format string vulnerability in a configuration file parser, a mistake in the permissions of the debugging system, a hole in the sandbox for a random process, an unrelated oversight in the sandbox for the first process, an information leak in the crash report system, a weird "why did you let us also do this" in the process manager, a buffer overflow in the file system driver, and the lack of protection of the kernel memory system (this is relevant as Apple has been attempting to address this in recent versions of iOS). I almost certainly missed a few mistakes in there.

These are complex exploits; often the vulnerability is something others have looked at and deemed "not-exploitable", but someone like pod2g finds a way to use. The result is that there are many fewer people who can sit around helping you understand them; that XDA bug reference, in comparison, is fundamentally different. The result is that there aren't going to be as many people who only sort of know what they are doing able to help the people who have no clue: to approach the meat of these exploits requires being near the top of the knowledge pyramid.

That said, if you can demonstrate that you are pretty high up there, my experience has been that the people who develop these exploits actually love talking about them (note: you won't find them on Twitter, but you will find them on IRC; I'm not certain why you mention they are on Twitter: you can't have a technical conversation there anyway... it is even worse than a forum ;P). I know planetbeing spent an immense amount of time helping people use his open-source suite of iOS exploitation helper tools, "xpwn", both in random conversations and on #iphonelinux in particular. However, the barrier to entry keeps rising, and the amount of people interested in bothering with these kinds of hacks keeps dwindling. It makes sense that it will be harder to find people who can help you answer questions.

This also wasn't always the case (that it is difficult to find people talking about exploits), and I think this lends some more credence that it is the challenge and not the people: with iOS 1.x, there were tons of trivial mistakes; as an example, the 74-step jailbreak that someone was linking earlier today on this subreddit (which is a misnomer, as tons of those steps were "how to install and connect to openssh, explain it like I'm five") comes down to something insanely trivial: iTunes had direct file-system access to the entire device, so you just needed to write a program (which was really easy thanks to the high-level interfaces provided by iTunesMobileDevice.dll) that made whatever changes you wanted. Of course, that would be entirely too obvious, so here comes the "one stupid mistake": you couldn't write to the root partition and you couldn't run code on the user partition, but the raw flash memory device entry was, for some reason, writable by the backup/restore user. You thereby could just dump the entire root partition, edit it however you wanted (in this case, to remove "noexec" from /etc/fstab for the user-writable partition), and then write it back.

So, on iOS 1.x: one stupid mistake, a few hours of coding, and you have an exploit that lets you run arbitrary code. At that time, I remember there being tons of people who were then involved in random technical conversations. There were many more IRC channels where people discussed iOS hacking, many more people who did it, and many more forums where people posted home-grown instructions, like that 74-step guide to jailbreaking your device. This also meant there were many more tools developed by people to help you do it, and a community that was much more "involved" in the way that you see currently on XDA. Again, though: its just because it was easier, so more people could be involved in the discussion at every level in the pyramid, helping people at the bottom work their way up.

The situation is drastically different today, not because the pyramid got lower, not because the people at the top sequestered themselves away, but because the pyramid is now floating above the ground somewhere, the bottom levels being totally useless and uninteresting. In essence, the bottom levels are the people who ask questions on this subreddit like "why don't we just reinstall the entire operating system" or "why don't we forge Apple's SHSH signatures". I took the time to answer those questions when they were asked to explain why those ideas were too simple and couldn't work (so there: technical conversation, just of the useless variety ;P), however the result is just going to be some people leaving somewhat sad that their cool idea wasn't going to work; but... in the world of Android... it is still the case (although less now than before, and it is going to keep decreasing over time) that those kinds of questions might actually lead somewhere ;P.

The situation is actually sufficiently different that I often recommend that people who are interested in one day being able to hack something like iOS go spend some time cutting their teeth on simpler systems, such as Android ;P. I'm going to leave you with one more hilarious example: the way that the G1 was originally rooted was due to this "one stupid mistake": while the high-level UI and input manager was reading input events from the keyboard, the keyboard happened to also still be attached to a standard Linux console that was attached to a standard Unix shell that... ran as root. This was discovered by end users who noticed that typing "<enter>reboot<enter>" absolutely anywhere in the interface caused the device to reboot. This is already way more than enough power to root the system (I mean, you already have root... you just can't see what you are typing). Only, Google also happened to leave a copy of telnetd on the system, so when another fairly-end-user thought "huh, I wonder what happens if I type "<enter>telnetd</enter>" <- they just jailbroke the device.

You are simply hard-pressed to find things easier to discover and exploit than this, and while Android has gotten harder over the years, it is only at around the difficulty level of iOS 2.x (maybe 3.x now): one would expect the community would have more people participating in it who are able to discuss and help with this kind of technical hacking-style work.