The One Device
Page 27
Over time, the jailbreaking community grew in size and stature. The Dev Team reverse-engineered the phone’s operating system to allow it to run third-party apps. Hacker-developers made games, voice apps, and tools to change the look of the phone’s interface. On Apple’s phone, you could customize very little—the original iPhone didn’t even have an option for wallpaper; the apps just hovered on a black background. And the fonts, layout, and animations were all set in stone. It was the hackers who were pushing the device to become more like the creativity augmenter, the knowledge manipulator that Steve Jobs’s idol Alan Kay originally imagined mobile computing could be.
One of the Dev Team members, Jay Freeman, or saurik, built Cydia—basically, a predecessor of the App Store accessible only on a jailbroken iPhone—and in February 2008 he released it. Cydia allowed users to do a lot more than the current App Store does; they could download apps, games, and programs, sure. But they could also download tweaks and more drastic overhauls; you could, for instance, redesign the layout of your home screen, download ad-blockers, and apps to make non-AT&T calls, and exert more control over data storage.
The popularity of jailbreaking and Cydia provided a public demonstration of a palpable demand for, at the very least, a way to get new apps, and, at the most, a way to have more control over the device. Before long, Apple declared jailbreaking unlawful, though it never actually sued any of the jailbreakers. The internet freedom advocacy group Electronic Frontier Foundation lobbied to have the practice listed as an exemption in the Digital Millennium Copyright Act, a request that a federal appeals court granted, thus closing the issue. Tim Wu, a law professor at Columbia University, famously said that “jailbreaking Apple’s superphone is legal, ethical, and just plain fun.”
“It’s an interesting gray area, the sort we rarely see anymore—it turns out that this kind of hacking was entirely legal,” Guido says. “Anyone could jailbreak their phone.”
Freeman saw it as more of an ideological imperative, however. “The whole point is to fight against the corporate overlord,” he told the Washington Post in 2011. “This is a grass-roots movement, and that’s what makes Cydia so interesting. Apple is this ivory tower, a controlled experience, and the thing that really brought people into jailbreaking is that it makes the experience theirs.” As of 2011, he said, his platform had 4.5 million weekly users and was generating $250,000 in revenue a year, most of which was pumped back into supporting the electronic ecosystem.
Money was an issue for the jailbreakers like iPhone Dev Team, who relied on PayPal donations and outside jobs to fund their efforts, Wang says. Over time, as the App Store drained some of the interest in jailbreaking and as Apple became increasingly aggressive in its efforts to prevent and discourage breaks, the original team began to drift off.
And it turned out that, as with any good underground-rebels-versus-authority story, there was a twist: One of the core iPhone Dev Team members was an Apple employee. None of the Dev Team had any clue that the hacker who went by the name bushing and who was known for his skills with reverse-engineering was working for the company whose phones they were hacking.
Who was bushing? Ben Byer, who had signed on as a senior embedded security engineer with Apple in 2006. At least, that’s what a web of his online trail suggests. A LinkedIn profile for Ben B. lists that job title as well as a work history that includes a stint with Libsecondlife—an effort to create an open-source version of the once-popular Second Life game, where bushing was a frequent poster.
“We didn’t know it at the time,” Wang says today. “We didn’t realize until later… he kind of came out to us later on.” Bushing would go on to be a formidable force in the hacking community. Tragically, he passed away in 2016 at the age of thirty-six due to what his friends and peers describe as natural causes.
While jailbreaking is not as sensational a practice as it once was—like any worthy tech endeavor, it’s been declared dead by the pundits multiple times—the legacy of the jailbreakers remains.
“The most obvious example of Apple copying the jailbreak community is the introduction of Notification Center,” Alex Heath, who now reports for Business Insider, wrote in 2011. He was referring to Apple’s newly released notification system, which let users view a compendium of updates and messages in a single screen. “A new method of notifications has been something that iOS has needed desperately for years, and the jailbreak community has been offering alternative systems for a long time.” He noted that Apple actually hired the developer of a Cydia notifications app to help build it, and visually, the systems do look similar.
Perhaps more than anything, though, the jailbreakers demonstrated living, coded proof that there was immense demand for an App Store and that people would be able to do great things with it. Through their illicit innovation, they showed that the iPhone could become a vibrant, diverse ecosystem for doing more than making calls, surfing the web, and increasing productivity. And they showed that developers would be willing to go to great lengths to participate on the platform; and they didn’t just talk, they built a working model.
Thus, the hacker iPhone Dev Team should get a share of at least some of the credit in Jobs’s decision to let the real iPhone Dev Team open the device to developers in 2008.
“I don’t want to have too much hubris in our role. We didn’t know how much Apple had planned before us,” Wang says, or how much it mattered that they relentlessly hacked the iPhone until it opened up. “I want to say it does.”
Another legacy of the jailbreaking movement was that it drove Apple to focus on security with renewed vigor.
“Consumers shouldn’t have to think about security,” Dan Guido tells me. “Apple’s done extremely well at what I call ‘security paternalism,’” he says. “Being the dad and telling kids they can’t do things, but, for their own benefit.” That’s a good way to describe Apple’s approach.
“They went through a really aggressive, top-down hardening campaign for the entire iOS platform over the last few years,” Guido says, “and instead of thinking about it from a tactical perspective, of, like, ‘Let’s just fix all the bugs,’ they came at it from a really architectural perspective and thought about the attacks they were gonna face and kind of predicted where some of them were going.” They stopped playing cat-and-mouse with hackers and started rewriting the rules, setting out mousetraps long before the mice had a chance to sneak into the house.
Per Apple’s longstanding MO, how exactly it has protected user privacy and how exactly the Secure Enclave works has been shrouded in secrecy. “An effect of this security paternalism is that if you want to investigate how secure the platform is, you can’t,” Guido says. Nobody outside Apple knows for sure how the device works, just that it seems to. Really well. And it’s a good thing that Apple started upping its security game. “You’ve got heads of state walking around with iPhones,” he says. “And you’ve got a billion sold, so you’ve got to assume that people are screwing around. And we have seen attacks on iPhones that don’t abuse jailbreaks. They’re rare.”
The iPhone has been helped on this front, somewhat ironically, by the rise of Android phones. The iPhone may be the single most popular and profitable device on the planet, but it’s the only phone running the iOS operating system. Samsung, LG, Huawei, and other handset manufacturers all run Android. That gives Android around 80 percent of the mobile OS market share worldwide. And malicious hackers tend to try to maximize their time and effort; for them, it’s a numbers game.
“Don’t try to hack the iPhone, it’s too hard, you won’t get anything out of it,” Guido says. That’s the attitude of most black-hat hackers. “Apple can smack you down really quickly. They issue patches that people actually apply.” You know when Apple asks you to update your iOS? And you just Sure, whatever, click? Well, that patches up the most recent bugs that were exposing your phone to outside hackers and nullifies the malignant software hackers might have been trying to use to get access to your phone. And iPhone user
s update their phones in much larger proportions than Android users do.
Apple’s more stringent app-approval process helps too. “If you do Android apps, they’re so malicious,” Guido says. “But on iPhone, the rigor that goes into the approval process prevents a lot of that. And Apple can disinfect remotely every phone that’s infected.
As a result, the security on iPhones today is, for the most part, really good.
The iOS devices are the single most secure consumer devices available, according to Guido. “They are built like a tank from a security perspective,” Guido says. “It is light-years ahead of every other trusted device that exists on the market. It has really been designed well by people who know what’s going on, to keep and hold your secrets in a way that even the most well-resourced adversary can’t get access.”
But it’s still not perfect; iPhones have nonetheless been subject to a number of high-profile hacks. Charlie Miller famously managed to get the App Store to approve a malware app that allowed him to break Apple’s stranglehold on the device. For five hundred dollars, University of Michigan professor Anil Jain was able to build a device that fooled the iPhone’s fingerprint sensors.
In 2015, the security firm Zerodium paid a bounty of one million dollars for a chain of zero-day exploits (vulnerabilities that the vendor isn’t aware of) on the iPhone, though no one knows who won the money. And no one, save Zerodium, knows what became of the zero days. And in 2016, Toronto’s Citizen Lab revealed that a very sophisticated form of malware, called Trident, had been used to try to infect a civil rights activist’s phone in the UAE. The hack was revealed to have been the work of an Israeli company, which was believed to have sold its spyware for as much as $500,000—likely to authoritarian regimes like the UAE government.
The majority of those hacks are unlikely to affect most users. “You’ve got to look at the bigger picture: More and more people are using non-general-purpose computing devices, they’re using Kindles, iPads, ChromeBooks, iPhones, Apple TV, whatever, all these locked-down devices that serve one single purpose,” Guido says. “And it’s significantly harder to get malware on those because they’re not general purpose. I think the world is shifting. Not just Apple. General-purpose computers are taking less of a primary role in our lives, and it’s going to pay off tremendously well for security.”
Even the best-secured devices aren’t perfect, and locked-down, single-purpose devices are definitely vulnerable to attacks, especially since they are all increasingly connecting to the internet. I can tell you from experience. Yep, the same hack that snared my iPhone.
“Wi-Fi attacks have strangely not gone away,” Guido says. “They’re one of these unsexy problems that people just don’t seem interested in solving. If someone really wants to exploit that if they put you on a Wi-Fi network and want to gain access to your phone, there are certain low-resource attacks they can do—they can try to redirect you to another website when you open up Safari and try to convince you to put your password in somewhere. But that’s a little intrusive—you get caught that way.”
Basically, these rules apply whenever you use public Wi-Fi—don’t enter any sensitive data over public networks and log in to only those networks that you trust. Update your phone when prompted.
The landscape is changing—as Guido noted, there are more persons of interest with iPhones and more of an imperative to hack into those phones. It’s less likely to be done by loose-knit hackers out for the lulz or to earn a few bucks; it’s more likely to come from a government agency or a well-paid firm that does business with government agencies. Security pros are skeptical when the FBI says it needs back doors to combat ISIS and track encrypted recruitment and terrorist-plotting efforts, because its inability to prevent such attacks is so evident. But there are other situations—such as when photos that Apple helped law enforcement unlock sent two people who had sexually abused a sixteen-month-old child to prison—that help make a case for Apple’s cooperation. (Which, it should be added, the company has provided in the past: Apple has reportedly opened over seventy iPhones at the behest of law enforcement, though many of those were before the Secure Enclave necessitated a novel software hack from Apple.) There may need to be a mechanism for law enforcement to access this stuff, but how we do that in the age of the Secure Enclave is an open question.
For Apple, security is a question of product too. As it moves to promote Apple Pay, internet-of-things apps, and HealthKit, consumers must be confident their data can be kept safe. From a consumer’s perspective, Apple’s decision is win-win; it may be unpopular, but the message is clear: You won’t find a more secure phone anywhere. We’ll go to bat against the feds to make sure your phone is secure. Even if you’re a terrorist, your data is safe.
Looking for a little more clarity, after Apple’s security guru was done with his talk, I walked over behind the stage, where a small crowd was gathering. I asked him how he felt the cybersecurity scene was changing with the dominance of smartphones.
“Well, one part of the landscape that is changing is—”
“So the PR guy is going to jump in,” the Apple PR guy said, actually jumping in, thrusting a card into my hand, and shepherding Krsti´c away.
Of course, Apple was going to keep its Secure Enclave secret.
CHAPTER 12
Designed in California, Made in China
The cost of assembling the planet’s most profitable product
All gray dormitories and weather-beaten warehouses, the sprawling factory compound blends seamlessly into the outskirts of the Shenzhen megalopolis. Foxconn’s enormous Longhua plant is a major manufacturer of Apple products; it might be the best-known factory in the world. It might also might be among the most secretive and sealed-off. Security guards man each of the entry points. Employees can’t get in without swiping an ID card; drivers entering with delivery trucks are subject to fingerprint scanners. A Reuters journalist was once dragged out of a car and beaten for taking photos from outside the factory walls. The warning signs outside—THIS FACTORY AREA IS LEGALLY ESTABLISHED WITH STATE APPROVAL. TRESPASSING IS PROHIBITED. OFFENDERS WILL BE SENT TO POLICE FOR PROSECUTION!—are more aggressive than those outside many Chinese military compounds.
But it turns out that there’s a secret way into the heart of the infamous operation: Use the bathroom. I couldn’t believe it. Thanks to a simple twist of fate and some clever perseverance by my fixer, I’d found myself deep inside so-called Foxconn City.
It’s printed on the back of every iPhone: DESIGNED IN CALIFORNIA BY APPLE, ASSEMBLED IN CHINA. U.S. law dictates that products manufactured in China must be labeled as such, and Apple’s inclusion of the designed by phrase renders the statement uniquely illustrative of one of the planet’s starkest economic divides. The cutting edge is conceived and designed in Silicon Valley, but it is assembled by hand in China.
The vast majority of plants that produce the iPhone’s component parts and carry out the device’s final assembly are based here, in the People’s Republic, where low labor costs and a massive, highly skilled workforce have made the nation the ideal place to manufacture iPhones (and just about every other gadget). The country’s vast, unprecedented production capabilities—the U.S. Bureau of Labor Statistics estimated that as of 2009 there were ninety-nine million factory workers in China—has helped the nation become the world’s largest economy. And since the first iPhone shipped, the company doing the lion’s share of the manufacturing is the Taiwanese Hon Hai Precision Industry Company, Ltd., better known by its trade name, Foxconn.
Foxconn is the single largest employer on mainland China; there are 1.3 million people on its payroll. Worldwide, among corporations, only Walmart and McDonald’s employ more. As of 2016, that was more than twice as many people working for the five most valuable tech companies in the United States—Apple (66,000), Alphabet (née Google, 70,000), Amazon (270,000), Microsoft (64,000), and Facebook (16,000)—combined. More people work for Foxconn than live in Estonia.
Today, t
he iPhone is made at a number of different factories around China, but for years, as it became the bestselling product in the world, it was largely assembled at Foxconn’s 1.4-square-mile flagship plant here, just outside of the manufacturing megalopolis of Shenzhen. The sprawling factory was once home to an estimated 450,000 workers. Today, that number is believed to be smaller, but it remains one of the biggest such operations in the world.
If you know of Foxconn, there’s a good chance it’s because you’ve heard of the suicides. In 2010, Longhua assembly-line workers began committing suicide en masse. Worker after worker threw him- or herself off the towering dorm buildings, sometimes in broad daylight, in tragic displays of desperation—and in protest of the work conditions inside. There were eighteen reported suicide attempts that year alone, and fourteen confirmed deaths. Twenty more workers were talked down by Foxconn officials.
The epidemic caused a media sensation—suicides and sweatshop conditions in the House of iPhone. Suicide notes and survivors told of immense stress, long workdays, and harsh managers who were prone to humiliate workers for mistakes; of unfair fines and unkept promises of benefits.
The corporate response spurred further unease: Foxconn CEO Terry Gou had large nets installed outside many of the buildings to catch falling bodies. The company hired counselors, and workers were made to sign pledges stating they would not attempt suicide. Commentators suggested that a lot of the suicides were migrant workers who had trouble adjusting to the rapid-fire pace of urban environs. Steve Jobs, for his part, declared, “We’re all over that” when asked about the spate of deaths, and he pointed out that the rate of suicides at Foxconn was within the national average and lower than at many U.S. universities. Critics pounced on the comments as callous, though he wasn’t technically wrong. Foxconn Longhua was so massive that it could be its own nation-state, and the suicide rate was comparable to its host country’s. The difference is that Foxconn City is a nation-state governed entirely by a corporation, and one that happened to be producing one of the most profitable products on the planet.