The story around installing third-party applications on the iPhone changes every few days, so we at TidBITS have avoided trying to stick a pin in the process, as it were. But a few days ago, one set of the clever folks working in loosely organized teams produced AppSnapp, a successor to AppTapp (from a different group), which can “jailbreak” the iPhone 1.1.1 software, enabling third-party programs to be installed.
AppSnapp has an even simpler installation process: Just visit the Web site with an iPhone, select the installation options from the Web page, and the software is installed. You can then use the Installer application to choose other packages to install, including the Connect program for automated Wi-Fi hotspot connections that we talked about a few months ago (see “Connect More Easily to Wi-Fi Hotspots with the iPhone,” 2007-09-17). I tried the process and it was fast and seamless.
Now a word to the wary: AppSnapp makes use of an exploit in the TIFF image format rendering library. A buffer overflow allows a properly crafted TIFF image to install software, essentially. (AppSnapp also patches the exploit, which is rather nice of its developers.)
This exploit and installer provides unrestricted access to the operating system, which means you should take care in choosing the sources from which you install additional iPhone software.
Apple is certainly going to fix this flaw in their TIFF interpretation – it’s a significant one which could be exploited by any malicious Web site – which will then prevent releases of iPhone software after 1.1.1 from using this vector to install. Early reports from the UK, where Apple starts selling the iPhone via O2 on November 9th at 6 p.m. (actually 6:02 or “six O2”), indicate that a patched 1.1.2 release is installed on those phones.
Given the near-term arrival of an iPhone SDK, the motivation to jailbreak an iPhone will wane, unless the SDK turns out to be so lame as to push developers once again into unsupported pathways (see “iPhone Software Development Kit Set for February 2008,” 2007-10-17).