What exactly happened?
Over the weekend, a disgruntled jailbreaker posted on Reddit claiming that he had jailbroken one of his devices with the Pangu jailbreak tool for iOS 9.3.3 using a burner Apple ID. An hour or so later, he said, he noticed charges on his PayPal account originating from Beijing and tied to an unknown email address.
Saurik later joined the same thread to chime in. He noted that he is not particularly happy with the way the PP jailbreak tool handles things. That is why he created Cydia Impactor as a safer way to sideload the jailbreak app: it does the signing locally and sends your Apple ID directly to Apple and to no one else.
I don’t particularly like the concept of installing the 25PP tool (edit: this sentence used to say “trust”, but I think that was confusing), as Chinese companies tend to have software that is pretty intrusive and even “combative” against competitors’ software, and in general I am concerned about the way people do signature stuff (as it is just so much easier to do the signing on a server…), which is why I worked so hard to make Impactor be able to do all the signing and communication locally. That said, 25PP’s profit model would probably benefit from local signature work, so I can see them having the existing expertise and taking the time to do that “correctly”.
Despite what seems like a gloomy conversation, Saurik went on to say that he trusts the Pangu team, even though questions remain about the joint 25PP/Pangu jailbreak app and the Chinese Windows tool.
I will also say I trust Pangu a lot… but I don’t know if the Chinese version of their app was only touched by them. I bet the English one was their work only, though you are downloading it from 25PP, which opens some issues: do you trust the employees at 25PP with control over their servers? I would say that it would be dumb to quickly be trying to attack people rather than racking up more credentials before anyone becomes suspicious. You have to remember that there are millions of people who jailbreak. And Pangu specifically listed this subreddit on their website as a place to talk to people about their issues, so we are going to be seeing tons of people. Do we really have evidence that this is an issue with the jailbreak process as opposed to a string of random attacks that are being noticed here because we are all being extremely suspicious this week?
If anything, I bet there was just some website, maybe it was even one we all use more often than other people (like reddit! ;P) which was hacked in some way, and people were sharing passwords between there and PayPal, and that hack just happens to have happened at about the same time the jailbreak came out.
Here are the Pangu team’s tweets on Twitter:
Neither we nor 25pp would be so stupid to make money by hacking users paypal account via jailbreak tool. We hope to find out the truth asap.— PanguTeam (@PanguTeam) July 31, 2016
We register reddit official account at https://t.co/1OsjCHZ5Z1— PanguTeam (@PanguTeam) July 31, 2016
Every jailbreak is a trade-off between security and customization, but that does not mean the jailbreak caused these compromises. There isn’t enough evidence to blame the jailbreak tool for them; as Saurik suggests, they may instead stem from passwords reused between PayPal and some other breached site, which is the users’ own negligence rather than the tool’s doing. Note that a burner Apple ID, as this user used, limits what a malicious tool could do with the Apple credentials, but it does nothing to protect a PayPal password that is shared with other sites.