Most mobile security architects and app developers are aware of the dangers of running their apps on rooted devices (or jailbroken devices, in iOS terminology). At Verimatrix we share those concerns, which is why root and jailbreak detection is one of the defensive layers built into our advanced mobile security tools.
This blog examines some of the misconceptions that have built up around rooted devices and the security measures required to mitigate the risks.
First, what is rooting? A mobile device is rooted when a user or app gains access to parts of the operating environment it shouldn’t have.
Modern operating systems run each app in its own sandbox, which stops an app having uncontrolled access to the phone, its data and the other apps running on it. Rooting the phone is the act of breaking down some or all of these sandboxes, giving more control over the phone and its apps.
An app running on a rooted phone is more vulnerable to malware, a gaming app is more susceptible to cheating, and a video streaming app is more at risk of piracy.
Root detection is binary
A device is either rooted or it isn’t, right? Unfortunately, it’s not that simple. There are many shades of grey.
In a traditional system administrator’s view of the world, the root user is the one with full admin rights over the computer. This user can do whatever they wish to the system.
When it comes to mobile, things are not quite as straightforward. The phrase “rooted” has come to be used to describe any privilege escalation a user or app may have gained. This may be full admin rights, or it could be a limited set of additional access rights on the phone.
For example, one of the most common reasons for rooting a phone is to change the default look-and-feel of the user interface.
That means that rather than a single yes/no check, root detection needs to be a collection of many micro-checks on the system.
Some devices even come out of the factory not fully locked down. These devices are, in effect, rooted.
Detection techniques are well known
A quick Google search will find Stack Overflow answers and open-source projects that claim to detail everything your app needs to do to correctly detect a rooted phone. The solutions these pages propose are relatively simplistic, which means lots of false positives and lots of missed rooted devices as well: the worst of both worlds.
Professionally developed root detection takes a much finer-grained approach. Rather than a sledgehammer, it gently probes the operating system to see what resources and permissions are exposed.
Rooting is always malicious
Verimatrix data shows that 3% of devices globally report as rooted, and in some geographies that figure rises to 8%.
One of the most common reasons to root a phone is to remove unwanted preinstalled apps.
Cybersecurity is about balancing business risk, and root detection is no different. Is it more costly to block a legitimate user or to miss a user who is running on a rooted device? As users often have benign reasons for rooting, false negatives are often more damaging than false positives.
Ultimately, a good root detection solution will minimise both and report only devices that are actually rooted as rooted. Of course, as discussed above, that’s not always a binary yes/no answer. It takes experience to find the right balance.
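The three points above (root state is not binary, detection should be many small probes rather than one sledgehammer, and a verdict must balance false positives against false negatives) can be shown in a small scoring model. The code below is an added example written for this post, not Verimatrix code and not a product implementation; the probe list, weights, thresholds, su paths and the package names `example.rootmanager` and `example.superuser` are all constructed for illustration, and the `DeviceSnapshot` values stand in for observations a real probe layer would gather from the file system, system properties and package manager.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Tuple

# Paths where a su binary is commonly found (constructed list for the example).
SU_PATHS = frozenset({
    "/system/bin/su", "/system/xbin/su", "/sbin/su",
    "/data/local/bin/su", "/data/local/xbin/su",
})

# Placeholder package names standing in for root-manager apps (not real IDs).
ROOT_MANAGER_PACKAGES = frozenset({"example.rootmanager", "example.superuser"})


@dataclass(frozen=True)
class DeviceSnapshot:
    """What a probe layer observed on the device. On a real phone each field
    would come from a file-system, property or package-manager query; here
    the values are constructed so the example runs anywhere."""
    existing_paths: FrozenSet[str]
    build_tags: str
    system_writable: bool
    selinux_enforcing: bool
    packages: FrozenSet[str]


@dataclass(frozen=True)
class Probe:
    name: str
    weight: int                                # evidence strength when it fires
    fires: Callable[[DeviceSnapshot], bool]    # the micro-check itself


# Each probe is one small, cheap question about the OS; none is decisive alone.
PROBES = (
    Probe("su binary on a known path", 3,
          lambda d: bool(d.existing_paths & SU_PATHS)),
    Probe("system partition writable", 3,
          lambda d: d.system_writable),
    Probe("SELinux not enforcing", 2,
          lambda d: not d.selinux_enforcing),
    Probe("root-manager app installed", 2,
          lambda d: bool(d.packages & ROOT_MANAGER_PACKAGES)),
    # Weak signal on its own: many OEM and engineering builds ship test-keys.
    Probe("build signed with test-keys", 1,
          lambda d: "test-keys" in d.build_tags),
)

ROOTED_THRESHOLD = 5    # constructed thresholds; a product would tune these per OS/device
SUSPECT_THRESHOLD = 2


def run_probes(device: DeviceSnapshot) -> Tuple[List[str], int]:
    """Run every probe; return the names that fired and the summed weight."""
    fired = [p for p in PROBES if p.fires(device)]
    return [p.name for p in fired], sum(p.weight for p in fired)


def classify(device: DeviceSnapshot) -> Tuple[str, int, List[str]]:
    """Graded verdict: 'rooted', 'suspect' or 'clean', plus score and evidence.

    'rooted' requires both a high score and at least two independent probes,
    so one strong but possibly noisy signal cannot block a legitimate user by
    itself; weaker evidence is reported as 'suspect' for logging or step-up
    checks rather than a hard block."""
    fired, score = run_probes(device)
    if score >= ROOTED_THRESHOLD and len(fired) >= 2:
        return "rooted", score, fired
    if score >= SUSPECT_THRESHOLD:
        return "suspect", score, fired
    return "clean", score, fired


# Constructed device snapshots covering the shades of grey discussed above.
STOCK = DeviceSnapshot(frozenset(), "release-keys", False, True,
                       frozenset({"com.example.bank"}))
ENGINEERING_BUILD = DeviceSnapshot(frozenset(), "test-keys", False, True, frozenset())
PERMISSIVE_ONLY = DeviceSnapshot(frozenset(), "release-keys", False, False, frozenset())
FULLY_ROOTED = DeviceSnapshot(frozenset({"/system/xbin/su"}), "test-keys", True, False,
                              frozenset({"example.rootmanager"}))

if __name__ == "__main__":
    for label, dev in (("stock", STOCK), ("engineering build", ENGINEERING_BUILD),
                       ("permissive SELinux only", PERMISSIVE_ONLY), ("fully rooted", FULLY_ROOTED)):
        verdict, score, evidence = classify(dev)
        print(f"{label:24s} -> {verdict:8s} score={score:2d} evidence={evidence}")
```

Run as a script it prints one line per snapshot. The engineering build fires only the weak test-keys probe and stays "clean", the permissive-SELinux device lands in "suspect" instead of being blocked, and only the device where several independent probes agree is reported as "rooted"; that separation of evidence strength from the final verdict is what keeps both false positives and false negatives down.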
Root detection only needs to be implemented once
The threat landscape is evolving as fast as the mobile ecosystem. Your root detection needs to evolve with it.
The frameworks used to root devices are constantly updated to circumvent root detection; their developers call this “root hiding”. This means root detection constantly needs to get more sophisticated.
Equally, minimising false positives means the root detection needs to understand the devices and operating systems your app is running on. With major new versions of Android and iOS every year, and a constant stream of smaller updates and new devices, the understanding built into a root detection solution needs to be constantly updated.
Root detection is the only security measure required
Let’s correct this misconception with a well-used cliché: security is applied in layers. While it is a cliché, it is still very true. Root detection is only one layer. It checks that the OS sandbox your app is running in is intact. It doesn’t stop an attacker lifting your app off a phone to reverse engineer it. It doesn’t stop an attacker changing your code or repackaging your app. And it doesn’t stop your app executing on an emulator or being analysed with the countless tools and techniques used by attackers.
Verimatrix’s Shielding solutions provide comprehensive, enterprise-grade mobile app security.
See how we can help protect your business:
• Mobile applications and APIs
• Video content
• Digital payments