Of Ma And Malware: Inside China's iPhone Jailbreaking Industrial Complex


In late March a handful of the western world's best-known iPhone hackers were flown business class to Beijing. They were put up in the five-star Park Hyatt and given a tour of the sights: the Great Wall, the Forbidden City. “They kept referring to us as ‘great gods’. I’m guessing it just translates to ‘famous person’, but we couldn't contain our giggles every time the translators said it,” says Joshua Hill, a 30-year-old from Atlanta who was one of the chosen few.

It was a bizarre trip hosted by an equally bizarre and secretive entity called TaiG (pronounced “tie-gee”), which flew the hackers to China to share techniques and tricks to slice through the defences of Apple's mobile operating system in front of an eager conference-hall crowd. Why such interest and why such aggrandisement of iOS researchers? In the last two years, jailbreaking an iPhone - the act of removing iOS' restrictions against installing unauthorized apps, app stores and other features by exploiting Apple security - has become serious business in China. From Alibaba to Baidu, China's biggest companies are supporting and even funding the practice, unfazed at the prospect of peeving Apple, which has sought to stamp out jailbreaking ever since it became a craze in the late 2000s.

Any hacker who can provide the full code for an untethered jailbreak, where the hack continues to work after the phone reboots, can expect a big pay check for their efforts. “Many experts agree the price for an untethered jailbreak is around $1 million,” says Nikias Bassen, aka Pimskeks, a lanky 33-year-old iOS hacker who is part of the evad3rs hacker collective. More often, sellers of iOS zero-day vulnerabilities - the previously-unknown and unpatched flaws required for jailbreaks - make thousands if not hundreds of thousands of dollars from Chinese firms, private buyers or governments, in particular three-letter agencies from the US.

Such big sums are on offer due to the explosion of the third-party app store industry in China. There are at least 362 million monthly active mobile app users in China, according to data provided by iResearch. Whilst smartphone owners in Western nations are content within the walled gardens of Apple and Google app stores for their games, media and work tools, the Chinese are fanatical about apps and want the broadest possible choice from non-Apple app stores. Jailbreaks, which do away with Apple's chains and allow other markets on the device, are thus vital to meeting that demand.

China's app market industry came to life with Baidu’s 2013 $1.9 billion acquisition of 91 Wireless, which distributes iOS and Android apps and at the time had shipped 10 billion apps. Its 91.com website openly advertises jailbreak tutorials. Since then, countless app stores have sprouted up, whilst others have been snapped up for a fair price. In June 2014, Alibaba acquired the PP Assistant marketplace, also known as 25pp, via the purchase of browser maker UCWeb. It didn't divulge the terms of that deal, but claimed the agreement valued UCWeb higher than 91 Wireless, and in late 2013 25pp overtook Baidu's beast to become the number one third-party app store for iOS, with as many as 40 million users and 8 million daily downloads at the time, according to one report. In October, Tongbu, provider of another jailbreak iOS store, was reportedly sold for 1.07 Chinese Yuan ($172m) to Taiwanese game company XPEC Entertainment.

The app store rush kicked off just as Apple started investing heavily in China. According to Creative Strategies, that effort launched the iPhone into the stratosphere of the market, achieving the strongest sales of any manufacturer in the first quarter of this year. From three per cent of total mobile sales in China in the first quarter of 2013, the iPhone hit 17 per cent in the same period in 2015. That was around four per cent higher than the closest competitor, China's own Xiaomi. Apple's own results from April showed iPhone sales had jumped 72 per cent in its fiscal second quarter.

Apple's eastern expansion explains the drop in jailbroken phones in 2013, when the proportion of jailbroken iPhones slumped from 35 per cent in January to 12 per cent at the end of the year, according to data from Alibaba-owned app analytics firm Umeng. Benedict Evans, a partner at Andreessen Horowitz, believes Apple's distribution expansion, through the likes of China Mobile, has eroded the grey market, in which importers jailbroke phones before resale. But since the end of 2013, jailbreaks have remained steady at between 10 and 15 per cent, and the rate picked up again in 2014, rising from 12.2 per cent in July to 13.6 per cent in September. That leaves millions upon millions of iPhones open to third-party stores (FORBES couldn't find data for this year). It's little surprise China's biggest internet firms want a piece of the app store pie.

And to get the biggest slice, the industry's biggest players are undermining one another with aggressive tactics. To get one up on the competition, some are offering big money to hackers who can bundle stores with jailbreaks, so that when a user goes through the steps of unlocking their iPhone, they're encouraged to download the sponsor's app market, commonly known as "assistants" in China.

The biggest Chinese firms, including one of the largest corporate entities on the planet in the form of Alibaba, are doing this, effectively funding iPhone exploits for commercial gain, albeit discreetly. In a previously undisclosed association, FORBES discovered that Alibaba, through 25pp, sponsored the Team Pangu jailbreak crew, which includes a number of Chinese researchers employed by US organisations, such as FireEye’s Xiaobo Chen and Tielei Wang, a research scientist at the Georgia Institute of Technology. Neither Alibaba nor Pangu would comment on the value of their deal but shortly after FORBES started making inquiries, Jack Ma’s firm said in an email statement it had terminated the funding. “The Pangu sponsorship occurred prior to Alibaba’s acquisition of UCWeb, and was subsequently terminated.” Wang says the deal was only supposed to last for the two most recent jailbreak releases from the group and only covered the costs of the devices, software testing and hacking tools.

But it took Alibaba almost a year to pull that sponsorship deal; the acquisition of 25pp took place in June 2014. Just as billionaire Ma is courting American business, it seems his company is trying to distance itself from supporting hacks of US intellectual property. Others who have turned west for expansion have done the same, actively ditching their own jailbreak projects. David Ting, North America general manager at mobile games creator NetEase, tells FORBES it didn’t want to associate with the jailbreak world as it broadens its horizons in California. When FORBES notes that one of its former workers, according to their LinkedIn page, was employed by NetEase to research jailbreaking and iOS security before he moved over to Alibaba in August 2014, Ting says the firm has actively tried to “run away” from those distribution channels, to the point that it stopped using jailbroken devices even at the beta stage of game testing - a common practice amongst developers who don't want to waste time trudging through Apple bureaucracy. “Since I joined we really took an effort to crack down on that and use official channels,” adds Ting, a former Yahoo and IBM employee, and a Stanford alumnus.

Qihoo 360, whose VP Xiaosheng Tan was at the TaiG event and counts TaiG's CEO as a close friend, says it has no interest in using jailbreaks to build on its huge 360 app platform, which is currently Android-only, but noted it was developing an online iOS application vulnerability scanner. Xiaosheng Tan says the Chinese app store and anti-virus giant, run by billionaire chairman Zhou Hongyi, didn't have much of an interest in iOS beyond creating such tools.

And yet Alibaba's 25pp marketplace doesn't need the phone to be unlocked to install on iOS. It flouts Apple security rules in other ways. FORBES has learned the store breaks Apple policy by using an Enterprise Certificate to install itself on users' phones. These certificates are supposed to be used by businesses to disseminate bespoke apps within the confines of the corporate network and are strictly not for commercial use. Apple could simply revoke the certificate, but it would be easy for Alibaba's subsidiary to obtain a new one and start breaking the rules all over again.

Apple and Alibaba's inertia is more surprising when one considers what's on 25pp, namely a lot of pirated software that rips off American creations. In an analysis of 100 apps on the marketplace for FORBES, US security firm Zscaler said most were clones of legitimate tools found on the App Store. These included copies of Amazon and Flipboard apps, which are free on the App Store, whilst normally paid-for tools like Retrica Pro ($2.99 USD) and Qrafter Pro ($1.99 USD) were on offer for no cost on 25pp. (A separate Zscaler analysis of the 25pp store for Android, looking at 254 apps, uncovered 58 spyware samples and four malware samples.)

Neither Apple nor Alibaba commented on the use of enterprise licences or the level of piracy on the store.

China's third-party marketplaces have, however, become synonymous with iOS malware and piracy. In 2014, the Maiyadi App Store was responsible for delivering the Wirelurker malware via 467 apps masquerading as knock-offs of big-name games, including Sims 3, Pro Evolution Soccer 2014 and Angry Birds. As many as 356,000 users were infected by the malware, which sought to identify individuals downloading the apps, leading to the suggestion that Wirelurker was the work of a government body trying to uncover pirates. Again, illicit use of Enterprise Certificates helped spread the unapproved software.

The insane jailbreaking game

Even if the iOS cracking market shrinks as Chinese corporations expand and crack down on piracy-linked activity, the jailbreaking game is expected to remain a profitable one. Indeed, as the money has poured into jailbreaking the scene has gotten stranger, with stories of infighting, accusations of racism and claims of million dollar deals.

Much of the controversy has spiralled around TaiG, even if it hasn't been directly involved in the manifold fracas between jailbreakers. The head of TaiG is Xie Lei (pictured below), though he also has an anglicised name, Ray Xie. He keeps a decidedly low profile, though he was on friendly terms with his guests. He occasionally responded to emails sent by FORBES, but declined to be interviewed for this article. It’s unclear exactly how much money TaiG earns (certainly enough to fly young gentlemen around the world) but it’s understood it also earns its keep by packaging third-party app stores with jailbreak downloads.

Its chief jailbreaker is another mysterious character, XN, for Xiao Nan (pictured below). But Ray can only get by with a little help from his friends. In 2013, TaiG signed a deal with a group of jailbreakers called evad3rs to package a TaiG-curated app store with the release of an iOS 7 hack. The terms of that deal have been the subject of much speculation, and FORBES understands from sources close to the agreement that it was worth more than $1 million and was part of a planned long-term relationship. The marriage was cut short, however, a divorce caused by mass user complaints that the app store contained a large number of pirated applications, and possibly malware, something Western users openly abhorred due to legal and security concerns.

In an email, Xie Lei said he had now ditched his own third-party iOS app store, Kuaiyong, which had also been called out for shipping pirated apps and for breaking Apple policy by using an Enterprise Certificate, to focus purely on TaiG. Its current backer is the 3K Assistant store, bundled with the latest TaiG jailbreak for iOS 8.3. Again, western users have shown their disdain for the market offering, producing guides on how to avoid or remove it. Many would rather use Cydia, seen as the de facto app store for rooted iPhones. Given the scrutiny from Western media and jailbreak enthusiasts over his previous enterprises, and his apparent willingness to collaborate with American and European hackers, it would be no surprise if Ray was also hoping to rub out any remaining associations with piracy.

But he remains enigmatic. Despite accepting Ray’s munificence, the jailbreak “celebrities” who went to Beijing in March know next to nothing about his TaiG operation. Bassen, who presented at the spring gathering, tells FORBES that despite the collapse of their old partnership, he remains on good terms with Ray, yet he has little idea of how TaiG functions. Chronic, also known as Will Strafach, whose lightning white hair and bulky physique give him the appearance of a videogame boss, says he has little idea what TaiG does, but went on the trip intrigued to find out more. He didn’t learn much. Hill, who was flown over to talk in his nervous, raspy manner about Open Jailbreak - a community initiative designed to open iPhone hacking up to the masses - also has no insight into TaiG’s work. The other western attendee, Comex, real name Nicholas Allegra and a former Apple employee, who gave his talk in cargo shorts and sandals, could not be reached for this article. Qihoo 360's Xiaosheng Tan declined to comment on TaiG’s practices. A Qihoo spokesperson said it had no business relationship with the company.

Apart from Bassen, none of the attendees admit to selling jailbreak services to a Chinese company. But some jailbreakers FORBES spoke with say they have been approached with six and seven-figure offers over the last two years from different sources. Hill, whose organisation is all about opening up jailbreaks without corporate interest, says he was offered $1 million a year to help work on jailbreaking, to which he claims he responded: “Go fuck yourself.” He isn't certain where that offer came from, though he shows FORBES an email from April 2014 he says was sent from someone claiming to represent “the first iOS jailbreak team of China” and that they'd met following one of Hill's iPhone hacking training sessions at the 2013 Blackhat conference. He suspects the team was TaiG. iH8sn0w, real name Steven De Franco, says he was offered $100,000 for just a single part of a jailbreak, but did not respond to requests for evidence. Indeed, getting hard proof of any jailbreak deal is like chasing shadows, only adding to the shadiness of the market.

The lack of transparency is one reason selling iOS zero days to Chinese companies is frowned upon by some in the scene, as indicated by Hill’s own antipathy. The market’s fiercest critic, though, is another of the world’s top iOS security experts, German researcher Stefan Esser, also known as i0n1c. In recent months he has made his distaste for other jailbreakers clear, telling FORBES he doesn't trust the likes of Bassen and his co-evad3rs hacker Cyril Cattiaux, alluding to their work with TaiG. Of the commercial backers, Esser notes the stores “do nothing against software piracy and are said to flourish just because of it”.

He also accused Team Pangu of stealing his exploit code during a training session he gave in May 2014. Pangu denies this, though admits they borrowed some code for which there was no non-disclosure agreement. Esser also accused Pangu of using stolen and leaked Apple Enterprise Certificates. “The fact is that some jailbreak fans denoted their own expired Enterprise Certificate to us, neither ‘stolen’ nor ‘leaked’,” Wang says, slamming the “insane rumors and vilification” being spread about Pangu.

Esser’s ire has attracted claims of racism, not just from Pangu, but from Strafach and other westerners too. Jay Freeman, another noted jailbreak researcher and creator of the Cydia app store, believes there is widespread misunderstanding in the US of China's love of unlocked devices and believes this has led to a degree of xenophobia.

Just this week, another brouhaha erupted when it appeared 25pp had taken TaiG's iOS 8.3 jailbreak and was offering it on its own website, but bundling its store rather than 3K Assistant. A Reddit post indicated the TaiG team were unimpressed.

Some within China, whilst not on Esser's side, don't agree with the commercialisation of jailbreaking either. Keen Team, considered one of the most successful hacker crews on the planet, having won major competitions cracking just about every operating system going, says it isn't interested in sponsorship. Though it may partner with Pangu if and when it releases a jailbreak for iOS 9, the latest iPhone operating system, it won't be accepting money. Team member Liang Chen says he's only interested in the technical aspects and offering freedom of choice to users.

The open aggression between the different factions has concerned some. Money, it seems, has turned jailbreaking from a hobbyist affair concerned with free and open software, into a hostile game where vast sums are up for grabs. As former NSA staffer and head of research at Synack Patrick Wardle tells FORBES, he has more trust in the older jailbreaks built by passionate hackers operating without financial incentive than ones sponsored by app stores replete with pirated gear.

All this will do little to slow the race to crack open iPhones, though. The popularity of jailbreaks across the world remains apparent. And as Apple seeks to lock out hackers with each iOS release, vulnerabilities and exploits will only become rarer and more valuable. And there are plenty of willing buyers. “There are tonnes of different avenues,” adds Strafach. “It’s definitely more than a hobbyist thing.”
