Android Rooting: Methods, Detection, and Evasion

Users root their Android (or jailbreak their iPhone) smartphones in order to run useful apps that require root privileges, to remove restrictions imposed by carriers and hardware manufacturers, and to alter or remove system apps. Rooted devices are prevalent: according to a recent Android security report, Google Verify Apps detected rooting apps installed on approximately 2.5M devices.

While useful, rooting weakens the security of Android devices and opens the door for malware to obtain privileged access easily. Without rooting, malware must exploit a system or kernel vulnerability in order to gain root access, which can be technically challenging. On a rooted device, however, any app can simply ask the user for root access with one line of code (e.g., Runtime.exec("su")). The security of a rooted device then relies solely on the user regulating root access properly. Yet research shows that many users ignore security warnings because of habituation, lack of contextual information, or simply lack of motivation to do due diligence. Once root access is inadvertently granted, malware can gain unauthorized access to any sensitive data stored on the device, intercept user input, tamper with runtime code (e.g., circumvent security controls, intercept file I/O and network communication), and manipulate inter-app communication. Vendors have introduced several rooting prevention mechanisms, and sensitive or high-value mobile apps perform rooting detection to mitigate the security exposures of running on a rooted device. Still, there is a lack of understanding of how the various rooting methods work and which rooting detection methods are difficult to evade.

At the CCS-colocated SPSM Workshop I presented a study, led by LERSSE's Dr. San-Tsai Sun and Andrea Cuadros, that investigated methods for rooting Android devices, detecting rooting, and evading that detection. Our study resulted in (a) a taxonomy of rooting methods and of the traits of rooted devices, (b) an inventory of techniques for detecting whether a device is rooted, (c) a tool for analyzing detection, and (d) an empirical analysis of rooting detection as performed by real-world apps.
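To make the "traits of rooted devices" and the "detection techniques" above concrete, here is an added example (written for this post, not the study's tool or code) of the kind of checks a high-value app runs: looking for an su binary at well-known paths, for a root-management app installed as a system app, for build properties that indicate an engineering or custom ROM, and for su being resolvable on PATH. The path list, property names and package names are assumptions drawn from common rooting setups, not an exhaustive inventory. It is plain Java (it reads properties through getprop instead of android.os.Build so that it also compiles on a desktop JVM, where every check simply reports nothing).

```java
import java.io.BufferedReader;
import java.io.File;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.TimeUnit;

/** Collects observable traits of a rooted device (illustrative, assumed lists). */
public final class RootTraits {

    // Assumed common install locations of the su binary (not exhaustive).
    static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su",
        "/system/sbin/su", "/vendor/bin/su", "/su/bin/su"
    };

    // Assumed paths of root-management apps when installed as system apps.
    static final String[] ROOT_MANAGER_APKS = {
        "/system/app/Superuser.apk", "/system/app/SuperSU.apk"
    };

    private RootTraits() {}

    /** Trait 1: an su binary sits at a well-known location. */
    public static List<String> suBinaries() {
        List<String> found = new ArrayList<>();
        for (String p : SU_PATHS) {
            if (new File(p).exists()) found.add(p);
        }
        return found;
    }

    /** Trait 2: a root-management app is installed as a system app. */
    public static List<String> rootManagers() {
        List<String> found = new ArrayList<>();
        for (String p : ROOT_MANAGER_APKS) {
            if (new File(p).exists()) found.add(p);
        }
        return found;
    }

    /** Runs a command and returns the first line of its output, or null if it cannot run. */
    static String firstLine(String... cmd) {
        try {
            Process proc = new ProcessBuilder(cmd).redirectErrorStream(true).start();
            try (BufferedReader r = new BufferedReader(
                    new InputStreamReader(proc.getInputStream(), StandardCharsets.UTF_8))) {
                String line = r.readLine();
                proc.waitFor(2, TimeUnit.SECONDS);
                return (line == null) ? null : line.trim();
            }
        } catch (IOException | InterruptedException e) {
            return null; // e.g. getprop does not exist on a desktop JVM: treat as unknown
        }
    }

    /** Trait 3: build properties typical of engineering or custom builds. */
    public static List<String> buildProperties() {
        List<String> hits = new ArrayList<>();
        // Inside an Android app this value is also available as android.os.Build.TAGS.
        String tags = firstLine("getprop", "ro.build.tags");
        if (tags != null && tags.contains("test-keys")) hits.add("ro.build.tags=" + tags);
        String dbg = firstLine("getprop", "ro.debuggable");
        if ("1".equals(dbg)) hits.add("ro.debuggable=1");
        String secure = firstLine("getprop", "ro.secure");
        if ("0".equals(secure)) hits.add("ro.secure=0");
        return hits;
    }

    /** Trait 4: su resolves on PATH, wherever it was installed. */
    public static boolean suOnPath() {
        String where = firstLine("which", "su");
        return where != null && where.startsWith("/");
    }

    /** All traits observed on this device; an empty list means none were observed. */
    public static List<String> collect() {
        List<String> traits = new ArrayList<>();
        for (String p : suBinaries()) traits.add("su binary: " + p);
        for (String p : rootManagers()) traits.add("root manager: " + p);
        traits.addAll(buildProperties());
        if (suOnPath()) traits.add("su on PATH");
        return traits;
    }

    public static void main(String[] args) {
        List<String> traits = collect();
        if (traits.isEmpty()) {
            System.out.println("No rooting traits observed (absence is not proof of a stock device).");
        } else {
            System.out.println("Rooting traits observed:");
            for (String t : traits) System.out.println("  - " + t);
        }
    }
}
```

Two caveats matter when such checks guard a sensitive app. First, every trait above is a file, property or PATH entry that a root-hiding tool can mask, which is exactly why the study separates detection techniques by how hard they are to evade; a single passing check should lower trust only, never establish it. Second, File.exists() returns false both when a path is absent and when the app sandbox or SELinux forbids the stat, so a rooted device can look clean to the file checks alone; combining independent traits reduces that blind spot.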

Based on our findings, we outline new directions for research in this area: reliably detecting rooting, reducing the need for rooting, and reducing the risks of rooting (specifically, the risk of social engineering attacks on the users of rooted devices).

For more details, read the paper.
