In the Hitchhiker's Guide to the Galaxy, cool and well-informed space travellers (hoopy froods, in the vernacular) always know where their towels are.
Now, owners of Samsung Galaxy phones, notably the S5, can take frood-like control over their devices, thanks to a hoopy new tool called Towelroot.
In the Apple ecosystem, breaking free of the strictures of iOS is called jailbreaking, by analogy with liberating your device from its Apple-imposed prison sentence.
On Androids, getting around vendor-imposed system lockdown is known as rooting, because it involves granting root access (superuser or administrator privileges) in a way that is unapproved by the supplier of the phone.
“But wait a minute,” you’re probably thinking, “Android is an open source operating system with an open ecosystem, so why can’t you just get root by asking nicely?”
On some devices, you can.
Google’s Nexus 7 devices, for example, are popular with researchers, testers and developers for just that reason.
For security reasons, you can’t get root access by default, but if you have physical access to the phone, you can:
- Unlock the bootloader, which allows you to replace the vendor-supplied operating system.
- Use the Android Debug Bridge (ADB) via USB to install software to grant you root access.
Risks of rooting
There are risks with an unlocked device, of course.
It is possible to install firmware that is so buggy that your device will go into a tailspin from which it cannot be recovered; this is known colloquially as bricking the device. (In the olden days, mobile devices were heavier and more brick-like, so broken devices became known as bricks.)
You may be able to recover the device by doing a complete-and-utter vendor firmware reset, as you can on the Nexus 7, for example, but you will lose absolutely everything.
But many device vendors aren’t so liberal.
They wrap the open source Android core in a layer of proprietary software that deliberately, and often extensively, limits your access to the device.
There are good security reasons for doing this, as it happens, notably that it’s much harder for you to shoot yourself in the foot.
In particular, a well-implemented anti-root lockdown means that even if you infect yourself with malware through injudicious software choice, the malware should not be able to do any more damage than a regular app.
Of course, even regular apps (with suitable permissions) can do plenty of damage anyway, by reading your contact lists, listening in on phone calls, using the webcam, intercepting SMSes, posting to social media sites, dialling premium rate phone numbers, and much more.
So an anti-root lockdown alone doesn’t prevent malware from doing extensive digital harm to you, your reputation, or your bank balance.
But it does make it much harder for the malware to take over your entire device, or to resist removal using Safe Mode, or to bury itself into the code or the data of other apps.
This usefully limits the maximum damage the malware can do.
Why root at all?
By now, you may be wondering, “Even if rooting is allowed by choice on my device, why would I want to exercise that right?”
There are many answers to that question, including simply, “Because it’s there.”
There are also many concrete reasons why rooting can be useful, such as:
- To help you escape from non-security-related lockdowns, such as restrictions on network access imposed by the vendor. (Google’s stock Nexus 7 firmware, for example, doesn’t allow you to set up your device as a Wi-Fi access point.)
- To give you access to back up otherwise-inaccessible files on the device, such as the APKs (application packages) of software you have bought and installed.
- To remove unwanted apps (what is often called bloatware) added by the vendor for its own commercial reasons.
- To apply security updates if your vendor is tardy in providing them.
The irony of the last point is important: security lockdowns that are often pitched as an overarching justification for vendor-imposed controls may end up making you less secure, because they also prevent you from applying your own security fixes.
To root or not to root
This brings us to the nexus (sorry!) of the issue: to root or not to root?
We’ve listed numerous benefits of rooting above, and many of the Naked Security writers have purposefully rooted their personal Android devices.
Nevertheless, we are going to stick to our long-standing conservatism in our advice to system administrators in the workplace.
We suggest you adopt a policy that company-owned devices should not be rooted, and if you have a BYOD (bring your own device) programme, we advise that you take steps to prevent your users from connecting rooted devices to your business network.
We’re not trying to be killjoys or wowsers here, just adopting a pragmatic approach.
A rooted device in the hands of a well-informed user can be made safer, faster and more useful.
But a rooted device may end up increasing danger, both to its owner and to any corporate data or network accessible from it, because ill-configured rooting can easily leave the phone more vulnerable to hackers, malware and other data security risks.
What about Towelroot?
The problem, if there is one, with Towelroot is that it makes use of a “no-reboot-required” exploit. (For this reason, Sophos Anti-Virus detects it as Andr/TowRoot-A.)
Rooting any phone that isn’t supposed to be unlocked obviously requires some sort of Elevation of Privilege (EoP) exploit, simply because the rooting isn’t supposed to be possible.
Some rooting procedures require physical access to the device and a reboot, meaning that you have to follow a deliberate and methodical path to the result.
That makes it as good as impossible for you to get rooted by mistake, or covertly by malware.
Towelroot isn’t covert, but it is convenient and quick, reminding us that the security hole it relies upon could be used covertly for EoP purposes by an attacker.
According to George Hotz, the author of Towelroot, the vulnerability he used exists in Android kernels dated before 03 June 2014.
So, if you have Android 4.4.2 or earlier, you are either in luck or at risk, depending on your viewpoint.
Of course, if your vendor doesn’t look like giving you an Android update any time soon, the only way to protect yourself from exploits like Towelroot may well be to use Towelroot itself…
…but that is a security contradiction you need to take up with your vendor.
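For administrators who want to apply the date quoted above to a device inventory, here is an added example (not from the original article or from Towelroot's author) that reads the build stamp in each device's `/proc/version` text and compares it with 03 June 2014. The device labels and version strings are constructed samples, and a later build date is only the article's rule of thumb, not proof that a vendor shipped the fix.

```python
import re
from datetime import date

# Cutoff quoted in the article: kernels dated before 03 June 2014 are affected.
CUTOFF = date(2014, 6, 3)

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Build stamp at the end of /proc/version, e.g. "Tue May 13 18:02:51 KST 2014".
# The timezone token is matched but ignored: only the calendar date is compared.
STAMP = re.compile(
    r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) (?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) "
    r"\d{2}:\d{2}:\d{2} (?:[A-Z]{2,5} )?(?P<year>\d{4})")


def kernel_build_date(proc_version):
    """Return the build date embedded in a /proc/version string, or None."""
    m = STAMP.search(proc_version)
    if not m or m.group("mon") not in MONTHS:
        return None
    try:
        return date(int(m.group("year")), MONTHS[m.group("mon")], int(m.group("day")))
    except ValueError:  # impossible calendar date such as "Feb 31"
        return None


def classify(proc_version):
    """Return 'predates-cutoff', 'on-or-after-cutoff' or 'unknown'."""
    built = kernel_build_date(proc_version)
    if built is None:
        return "unknown"  # no parsable stamp: treat as unverified, not as safe
    return "predates-cutoff" if built < CUTOFF else "on-or-after-cutoff"


def audit(inventory):
    """Map each device label to its classification."""
    return {name: classify(text) for name, text in inventory.items()}


# Constructed sample inventory (device label -> /proc/version text); not real devices.
SAMPLES = {
    "phone-a": "Linux version 3.4.0-example (build@host) (gcc version 4.7) "
               "#1 SMP PREEMPT Tue May 13 18:02:51 KST 2014",
    "phone-b": "Linux version 3.4.0-example (build@host) (gcc version 4.7) "
               "#1 SMP PREEMPT Tue Jun  3 09:15:00 PDT 2014",
    "phone-c": "Linux version 3.10.0-example (build@host) #2 SMP PREEMPT",
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(name, verdict)
```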