For some advanced mobile users, having more options and abilities can be quite beneficial. This is especially true of those who use Android devices, as there is a process called “rooting,” which provides users with privileged access to their devices. This allows them to overcome limitations placed on them by manufacturers, so they can customize their devices or remove unwanted applications that come preinstalled on devices.
While rooting is popular amongst some advanced users, there are significant risks of rooting devices, especially in corporate environments. Beyond the fact that a device’s warranty will be voided or that the device may be “bricked,” meaning it no longer functions, there are also notable security risks involved.
Rooted Devices Are a Significant Security Risk
Whether an individual is rooting to remove bloatware or just to customize their phone, malware can be introduced onto the device during the process. This is exacerbated by not having an Android-specific mobile anti-malware tool installed. Such malware can put data at risk by gaining access to personal information such as contact lists, emails and other data, or by collecting data like credentials and passwords. This becomes arguably more serious with corporate resources. In this case, a hacker can gain entry to corporate resources when the phone logs into the secure network or through corporate applications on the device.
This is a problem that many see occurring, even in the public sector. According to a 2015 survey conducted jointly by Market Cube and Lookout, 7 percent of those surveyed rooted their device. While the number seems small, many individuals failed to ensure that their work was secure. A total of 85 percent of federal employees used their mobile devices for risky activity such as sending work documents to personal accounts or storing work data on personal file sharing apps. Another 49 percent don’t have security controls installed. All of this activity puts sensitive data at risk of compromise.
According to a 2014 announcement from Gartner, the problem may be more serious than even that survey would suggest. The technology research and advisory company predicted that 75 percent of mobile security incidents will be due to mobile application misconfigurations. The biggest threat to companies would be from devices altered at an administrative level, such as by rooting them. This is because rooting elevates the user to an administrator, which allows malware to inflict a maximum amount of harm.
Some mobile device management (MDM) products include a feature for blocking devices that are rooted, automatically exiling devices that were tampered with. However, MDM products must detect a rooted device before it can be blocked, and there are ways of circumventing those detection mechanisms.
Hardware-Level Security for Mitigating the Risks of Rooting
Requiring the use of software-based security controls alone, including MDM, anti-malware and anti-theft apps, is not sufficient, especially where rooted devices are concerned. Administrators can utilize Samsung KNOX, which provides mobile security and data protection by applying security controls throughout the device, from the hardware to the application layer.
For organizations that operate in highly regulated industries or handle extremely sensitive information, KNOX Workspace is designed with high-security government and military needs in mind. At the hardware layer, rooting of devices is prevented in the boot layer and the kernel layer. The boot layer verifies and authorizes what software can run on a device, and the kernel protection layer provides a trusted environment and continuously monitors the integrity of the Linux kernel. Features built on top include mandatory access controls, an MDM client, data encryption and a VPN. This provides a secure, trusted ecosystem for a device and renders it tamper-proof.
Many believe that all users should be able to root their devices to get more out of them, and doing so is certainly not illegal. But while that may be fine for devices used for purely personal purposes, rooting of devices used for work purposes should be strictly prohibited. At the very least, the prohibition of rooted devices should be laid out in policy, although it should be remembered that users may circumvent policies that they find too restrictive. To ensure sensitive data is safeguarded, a far better option is to require the use of mobile devices with security embedded, right down to the hardware level, and to prohibit or severely restrict access for all others.