Jack and I have been hearing about this “Free The Sandbox” initiative on Twitter (often stylized as #FreeTheSandbox). So, I decided to look into it—always interesting to see the different conversations going on in the security community, big or small.
What is #FreeTheSandbox?
Some in the security community are publicly calling for security researchers and users to have better access to iOS and Android devices so they can properly analyze them for vulnerabilities. #FreeTheSandbox specifically calls for Apple and OEM vendors to allow users read-only access to the entire filesystem and memory. Right now, researchers can often identify that a device has been compromised, for example by reviewing logs and DNS traffic, but sandbox restrictions mean they can’t always use legitimate methods to extract the malware or exploit for analysis.
#FreeTheSandbox doesn’t ask for persistent access, just enough to allow researchers and forensic analysts to properly inspect devices. With this access, they wouldn’t need to hack iPhones and Android devices, which some researchers currently do through 0-day exploits in order to more fully analyze them. Interestingly, security vendor ZecOps sponsors a bug bounty program focused on local privilege escalation vulnerabilities, which are used to better enable digital forensics on iOS and Android devices.
#FreeTheSandbox is led by Zuk Avraham, founder of ZecOps and Zimperium. Other supporters lending their names to it include Will Strafach, founder and CEO of GuardianApp, and security researcher Katie Moussouris, founder and CEO of Luta Security.
Some context: Why is this coming to the forefront?
Apple, most famously, and other OEM vendors have made it very difficult for security researchers to dive deep enough into devices. Apple and others would argue that their devices are more secure precisely because they restrict what anyone can access.
I think we can all agree that the closed nature of iOS and Android has made these devices much safer than Windows; as a result, many of the biggest issues on mobile devices are phishing attacks and stolen passwords. Essentially, users are often the weak point when it comes to keeping iPhones and similar devices safe. For example, the hacking of Jeff Bezos’ phone appears to have needed him to click on what he thought was a video sent through the WhatsApp messenger; basically, the hack only worked because he was tricked. Bezos is an attractive target for specialized attackers, which isn’t something the average iPhone user really has to worry about.
Still, the constant harping on iOS being locked down might have gotten to Apple, as they’ve started showing signs of loosening up. At Black Hat 2019, they announced that they would start providing selected researchers with a limited unlocked iPhone. While not completely open, the device would come with SSH, a root shell, and advanced debug capabilities. Unfortunately, it appears that Apple has not yet sent out any of these research devices to those who applied for one.
Android is in a different situation than iOS but has its own share of issues that frustrate security researchers. Android is much more open for researchers to analyze, with Google providing tools like the Android Debug Bridge (adb) and developer mode, and researchers can go look at the Android Open Source Project themselves. Google has also been more open to working alongside security researchers. That said, Android has a unique issue that iOS does not: fragmentation. Different chips and security measures added by all the different OEMs on top of Android can make forensic analysis more difficult.
Not everyone agrees with #FreeTheSandbox
Naturally, not everyone is on board with opening up either mobile OS, worried that attackers could turn the same access to their advantage.
One security researcher who comes down on the other side of this conversation is Chris Rohlf, a security engineer at Square. In a Twitter thread responding to the news of the launch of #FreeTheSandbox, he said that he sees enabling greater user access to iOS or Android devices as something that could weaken the security model: “The security architecture on Android/iOS absolutely cuts down on end point security visibility, but that tradeoff results in a lot less malware and attacks.”
Chris wasn’t the only one to worry about what opening up access to iOS and Android could lead to. Others who responded similarly in his thread include security researchers Charlie Miller and Matthew Solnik, who mentioned that, “in order for any forensic tool to work well it would need full access to all memory/kernel space.” He did suggest a hardware tool could work as a compromise.
While it remains to be seen whether anything comes of this, the one little snag #FreeTheSandbox seems to have hit is over the name. Some see it as confusing, enough that Zuk has had to comment a few times on it, assuring people that it’s about opening up access to the device and not abandoning sandboxing: “#FreeTheSandbox is not about removing sandbox policy from apps. FreetheSandbox is about providing device owners the capabilities, should they need/want it, to analyze their own devices without hacking into it first. The access can be revoked after a reboot.”
I’ll be following #FreeTheSandbox to see where it goes.